Has ANYONE ever gotten rid of about:blank?


92 replies to this topic

#1 sights0d (Full Member, 57 posts)

Posted 25 June 2004 - 01:58 AM

I've been all over the net looking and NO ONE seems to have ever gotten rid of the About:Blank hijack. There don't seem to be ANY tools which successfully remove it. I've posted at least three threads here and no one except for idiots in the same boat as me has posted in them.

I've successfully removed it three times... only to have it show up after about 4-5 reboots. Does ANYONE know what to do aside from either :techsupport: this machine or wipe it clean? It's REALLY driving me nuts and whoever created this VIRUS needs to be flogged to death or injected full of flesh-eating bacteria.

Anyone?

Here's my log... for all the good it'll do...

Logfile of HijackThis v1.97.7
Scan saved at 11:50:33 PM, on 6/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\SYSTEM\SAIMON.EXE
C:\PROGRAM FILES\SAITEK\SOFTWARE\PROFILER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B0DBC223-C613-11D8-8AE8-0050D2DE99DF} - C:\WINDOWS\SYSTEM\BHOJ.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SAIMON] C:\WINDOWS\SYSTEM\SaiMon.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7945.8447337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.subs...ve/makeover.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse....iveX/winrep.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
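The log above is the kind of thing helpers on this board read by hand. As an added example (not part of the original post, and not a HijackThis feature), here is a small Python triage script that parses the R0/R1 and O2 lines of a HijackThis log and flags the patterns this thread's symptoms describe: IE search/start-page values pointing at a file:// URL inside a TEMP folder (the sp.html redirect), HomeOldSP set to about:blank, and a BHO registered with "(no name)". The sample lines are copied from the log above; the Finding type and the flagging rules are this example's own choices, and a hit is something to investigate, not a verdict.

```python
import re
from dataclasses import dataclass

# Sample input: a handful of lines copied from the HijackThis log posted above.
# Embedded so the script runs stand-alone; a real run would read a saved log file.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B0DBC223-C613-11D8-8AE8-0050D2DE99DF} - C:\WINDOWS\SYSTEM\BHOJ.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
"""

# R0-R3 lines: "<tag> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (.+?),([^,=]+) = (.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_LINE = re.compile(r"^(O2) - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section tag, e.g. "R1" or "O2"
    line: str    # the log line that triggered the finding
    reason: str  # why it was flagged


def check_r_line(name, data):
    """Flag IE start/search settings that match this thread's symptoms."""
    low = data.lower()
    if low.startswith("file://") and "\\temp\\" in low:
        return f"{name} points at a local file in a TEMP folder ({data})"
    if low == "about:blank":
        return f"{name} is set to about:blank"
    return None


def check_bho_line(name, clsid, path):
    """Flag Browser Helper Objects registered without a name."""
    if name.strip().lower() == "(no name)":
        return f"unnamed BHO {clsid} loading {path}"
    return None


def triage(log_text):
    """Return a Finding for every suspicious R or O2 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            kind, _key, name, data = m.groups()
            reason = check_r_line(name, data)
            if reason:
                findings.append(Finding(kind, line, reason))
            continue
        m = BHO_LINE.match(line)
        if m:
            kind, name, clsid, path = m.groups()
            reason = check_bho_line(name, clsid, path)
            if reason:
                findings.append(Finding(kind, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}")
```

Run against the sample it reports the two file://...\TEMP\sp.html search entries, the HomeOldSP about:blank entry and the unnamed BHO in C:\WINDOWS\SYSTEM, and stays quiet about the Norton entries. Extending it is a matter of adding a check function per section tag.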



#2 BobO (Full Member, 54 posts)

Posted 25 June 2004 - 02:40 AM

I had the same problem in Win 98. Please take a look at my solution here.

It might work for you too. Hope so.

BobO

#3 sights0d (Full Member, 57 posts)

Posted 25 June 2004 - 02:12 PM

I'll take a shot at it when I get home. Thanks. Are you sure that CWSearchX is the same thing as about:blank?

#4 BobO (Full Member, 54 posts)

Posted 25 June 2004 - 02:41 PM

No, I'm not at all sure that CWSearchx and the about:blank hijack are one and the same in all situations. This thing seems to have a huge number of mutations.

But the symptoms on my machine, which recurred again and again, were

1. browser home page reassigned to about:blank
2. about:blank redirected to c:\windows\temp\sp.html
3. mysterious, gibberish-named .dll created in c:\windows\system folder
4. popups galore

If this sounds like you, then my experience might be helpful. I sure hope so. Good luck!

BobO

EDIT: Oh yeah, I forgot to mention that HijackThis would always find a number of registry changes and new assignments to BHOs etc. I don't have any of my old HijackThis logs or I could be more specific. But what the hell, you get the idea.

And they're all gone, so far a day and a half. I'm hanging in there...

Edited by BobO, 25 June 2004 - 02:44 PM.


#5 sights0d (Full Member, 57 posts)

Posted 28 June 2004 - 03:03 AM

If this thing works, I say PIN IT!

#6 BobO (Full Member, 54 posts)

Posted 28 June 2004 - 06:12 AM

Yes, it works -- and so I made a step-by-step guide on how to do it:

Here Is A Fix For Windows 98

but I don't know if it works *outside* of Win 98... still, it should provide plenty of clues for people working on a one-size-fits-all fix.

If you're still having problems yourself, give it a try and let me know how it works out.

Thanks!

#7 sights0d (Full Member, 57 posts)

Posted 28 June 2004 - 03:36 PM

YEEHAH!!! THIS KICKS BUTT!!! (And about:this!)

It works! (so far)

I'm about to try it on another machine with XP. I'll let you know how it works.

YOU ARE THE MAN, BobO!

#8 sights0d (Full Member, 57 posts)

Posted 28 June 2004 - 03:37 PM

Some admin MUST PIN THIS!!! PIN! PIN! PIN!

The rest of us need to keep bumping it to the top!

#9 BobO (Full Member, 54 posts)

Posted 28 June 2004 - 06:07 PM

Hey thanks man!

:D

#10 cnm (Mother Lion of SWI, Administrator, 25,317 posts)

Posted 28 June 2004 - 06:45 PM

Pinned - but note that it may not work for everyone. However it is certainly worth a try and appears to be perfectly safe.

Make sure your Ad-Aware is updated.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#11 Kaboobi (Full Member, 9 posts)

Posted 28 June 2004 - 08:19 PM

I can't find the .dll. Bleh.

#12 Reg (Full Member, 30 posts)

Posted 28 June 2004 - 09:30 PM

BobO is God!

#13 Wizard_Devil (New Member, 3 posts)

Posted 28 June 2004 - 10:38 PM

I have Windows XP with the exact problem.

If it works for you, tell me. :hmmm: I hate it...

#14 mw64 (Full Member, 2 posts)

Posted 28 June 2004 - 10:50 PM

I am using XP and getting hijacked as I try to add these comments. I tried these instructions but did not find a .dll within windows\system or windows\system32. I'm encouraged that fixes are being found, so I'll post my HijackThis log soon and hope for the best!

MW

#15 Lennme (New Member, 1 post)

Posted 28 June 2004 - 11:06 PM

First off, a big THANK YOU to all who assist here. After much research (and some much needed education!) I was able to remove CWSsearchx (WinXP SP1).
I found a solution at:

Computing.net

that instructs how to remove the hidden value in the registry key that keeps reloading this dang thing. This process along with a good dose of AdAware, AboutBuster, CWShredder & HijackThis have me running malware free!

Being new to all this malware removal I don't know if the above will work for anyone else but I wanted to share my success. Again, thanks to all at Spywareinfo for providing much needed service and info to help beat these baddies!

#16 kaitan (Full Member, 4 posts)

Posted 29 June 2004 - 02:37 AM

Okay, I tried to [basically] follow your steps on my infected WinXP machine.

I did, in fact, find a funny .dll that was 30 KB in size (it was hidden and loaded). I renamed it and scanned it (due to the fact that it was loaded it was not deletable) and Ad-Aware quickly red-flagged it.

I marked it to be deleted upon reboot before it was loaded.

Soon as I got all booted up I ran Spybot...which I ran before the boot too...but this time it found 32 problems as opposed to the 0 it found last time. HijackThis reported none of the files I have been seeing and Ad-Aware reported no files.

The fact that my spy removal programs seem to be working again looks to be a plus...

but...

I still get redirected when I do an address bar search....so I am skeptical...

I was really wondering whether, even after you fixed the problem on your 98 machine, you still got redirected?
:wtf: :techsupport:

#17 BobO (Full Member, 54 posts)

Posted 29 June 2004 - 03:46 AM

The problem was entirely cured in Win 98 -- no redirects, popups, or anything.

But WinXP is a completely different operating system than 98, sorry to say.

One thing I can suggest is this: reboot into Command Line Safe Mode, navigate to \Windows\System32, and type dir *.dll | more. You will get a page-by-page readout of all the dlls in that folder, along with their date and size. Write down all the dlls that have a size of exactly 57,344 bytes (there are a number of them). If you find one with a weird name, and a date within May or June 2004, it is suspect. Rename it, reboot Windows into Safe Mode, and scan it with Adaware. If it's harmless, rename it back.

Same thing with your \Windows\System directory. See if you can locate the file outside of Windows using good old DOS.

If you've done all this, and the problems keep coming back, I can only suggest you start a new thread and post your latest log there.

Best of luck,
BobO

#18 goingnuts (Full Member, 6 posts)

Posted 29 June 2004 - 01:35 PM

Lennme posted a solution different from BobO's on page 1 of this thread.
Here it is:

> This worked for me:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
>
> You have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run, giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your PC.
>
> The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan.) So what you have to do is the following, which worked for me.
>
> 1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
> 2. Now delete the AppInit_DLLs key under the Windows2 folder.
> 3. Hit F5 and notice that AppInit_DLLs doesn't come back.
> 4. Rename the Windows2 folder back to Windows.
>
> Now that AppInit_DLLs is gone, run the latest Ad-Aware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.


THANK YOU very much for your solution posted there. It worked for me (XP with SP1 installed). So the method you posted might be a successful, repeatable one!!

Mods have a look at this solution!

Edited by goingnuts, 29 June 2004 - 02:43 PM.


#19 sights0d (Full Member, 57 posts)

Posted 29 June 2004 - 01:48 PM

Mine is 100% cured so far. No search page and no pop-ups. I attempted to use this same cure on a friend's XP machine, but he doesn't have the program hook in his msinfo32 page.

Anyone have any idea for that? I guess I could scan for all files of 57k... but I imagine there could be dozens.

#20 ideaphorian (Full Member, 5 posts)

Posted 29 June 2004 - 02:10 PM

Thanks to BobO's directions, I've found the offending file (finally!). However, I am running Windows ME on the infected computer -- when I try to rename the file from DOS via Safe Mode, I get a message "duplicate file name or file in use." There is no Command Prompt Safe Mode option in Windows ME that I know of -- all the listed options involve loading part or all of Windows.

Does anyone know how to boot directly to the MS-DOS command prompt on a Windows ME-loaded machine so that loading Windows can be avoided but can be retrieved the next time? thanks...

ideaphorian

#21 kaitan (Full Member, 4 posts)

Posted 29 June 2004 - 02:21 PM

I'm still free of the about:blank but I can't stop the redirecting of the browser search.

I searched high and low for any more offending files but I've come up short.

#22 cnm (Mother Lion of SWI, Administrator, 25,317 posts)

Posted 29 June 2004 - 03:06 PM

Try these directions:
http://forums.net-in...indpost&p=86249



#23 cookster (New Member, 1 post)

Posted 29 June 2004 - 04:17 PM

For the record, BobO's solution has (so far - fingers crossed) worked beautifully on my Windows 98SE machine, after some two dozen other tactics had failed over the course of five days!

I'm giddy with exhilaration! :bounce:

That being said, I'm running SpySweeper now and haven't yet put things to the ultimate test by disabling it for a couple days. Nonetheless, I've found none of the telltale signs that would come back before even while SpySweeper was allegedly guarding things. Although it would keep my homepage and search from changing, the sketchy BHOs and the random .dll files would quickly come back - then about:blank would sneak through sooner or later.

For the past 12 hours everything is registering perfectly clean! :D

#24 The Fist (Full Member, 50 posts)

Posted 29 June 2004 - 08:19 PM

ideaphorian:

I also am running ME, but have been unable to find the offending file using BobO's instructions. I can't find a System Hooks file under Software Environments. Where did you find the offending file?

The Fist

#25 kontrol_1 (New Member, 2 posts)

Posted 29 June 2004 - 08:23 PM

Got rid of it!!! On an XP Pro machine

:rofl:

following the registry key deletion recipe from Lennme.

It was confirmed by Windoze Update: I was now able to make an AVG install that I could now complete (it used to stop at 51% saying it could not write to disk).
Ran Ad-Aware, came out clean, then ran AVG (Norton protection off). AVG came up with: C:\WINDOWS\SYSTEM32\RES.DLL Trojan horse BackDoor.Agent.BA
C:\WINDOWS\SYSTEM32\AKNMHE~1.SHI repaired
Don't know if they came 1st, with it, or after, but still Norton never saw them!!!
I'm no longer a Norton fan, that's for sure....

Maybe a clever coder could make up an autoexec of some kind for those of us who are not too comfy about messing with registry keys...

I'm really pleased with this, a whole bunch of hurrahs for you guys..

Edited by kontrol_1, 29 June 2004 - 08:33 PM.


#26 ideaphorian (Full Member, 5 posts)

Posted 29 June 2004 - 10:41 PM

The Fist wrote:
> ideaphorian:
>
> I also am running ME, but have been unable to find the offending file using BobO's instructions. I can't find a System Hooks file under Software Environments. Where did you find the offending file?
>
> The Fist

Fist,

I found the offending file by using BobO's instructions about finding the files in MS-DOS: go to the MS-DOS prompt (from Programs -> Accessories), then at the C:\WINDOWS prompt, type cd system, then type dir *.dll|more -- look for files that have 57,344 bytes (lots of them) but that were entered recently (in my case, just one on 6/11/04). Mine's called kbdfnj.dll, but I suspect that the file name might be random.

I hope this helps!

What's more, I think I've figured out how to get rid of the about:blank problem on Windows ME. I can't try to rename it as BobO suggests using the 'normal' boot options in ME because they do not allow for direct boot into MS-DOS. So I had to create a Windows ME startup disk, then boot up ME using the startup disk. Eventually it allows you to get to a DOS prompt, from which I could follow BobO's instructions. I just re-booted the system after deleting the offending file, but the telltale signs of trouble (error message with msgsrv32 on startup; error message with mmtask at shutdown) have disappeared.... free at last, free at last?!?!?!

Edited by ideaphorian, 30 June 2004 - 12:07 AM.


#27 cnm (Mother Lion of SWI, Administrator, 25,317 posts)

Posted 30 June 2004 - 12:04 AM

OSC is going to post the proper fix, but in the meantime you may be able to do it yourself via About:Buster



#28 kooderi (Full Member, 5 posts)

Posted 30 June 2004 - 02:10 AM

Thanks BobO and goingnuts, it seemed to work on Windows 2000!

I've been fighting with this one for days. Yesterday I even deleted too many suspicious-looking registry keys and DLLs so had to reinstall IE.

By the way, I'm pretty sure the virus is related to the iSearch toolbar company, at least mine was. My about:blank always started at a screen that looks just like the iSearch website. I found this by opening a DLL or the "local settings\temp\sp.html" in Notepad, I forget which one, then googling "iSearch" and finding the page that looked just like my about:blank. Even after I removed iSearch, its "toolbar.dll", and "sp.html" the virus kept remaking that page until BobO and goingnuts saved the day.

#29 kooderi (Full Member, 5 posts)

Posted 30 June 2004 - 05:04 AM

:( Spoke too soon, the evil is back! It hasn't replaced my homepage with "about:blank" yet but it's back to its old tricks....

- I got that error message box while shutting down the last time I rebooted.

- After rebooting I discovered a new 57,344 byte DLL file in c:\winnt\system32.

- I again have "notepad.exe" and "wmplayer.exe" mysteriously reappearing a few seconds after I delete them. A file monitor tool is showing that WINLOGON process is creating them, somehow related to CRYPT32.DLL and maybe WINTRUST.DLL. Or is this unrelated to this virus?

- I'm again having trouble downloading files from Internet Explorer.

- The "AppInit_DLLs" registry key is *not* back this time. Maybe it's unrelated to my virus.

- I don't have the "Local Settings\Temp\sp.html" file yet. I imagine it'll appear when my homepage is reset to "about:blank".

The one difference between myself and everyone else is AdAware didn't find the virus after I removed that registry key and deleted the DLL files. I'll work on it some more tomorrow.... Grrr.

#30 kooderi (Full Member, 5 posts)

Posted 30 June 2004 - 06:12 AM

Update:

I stopped notepad.exe from reappearing. Something copied it in my c:\winnt\dllcache directory 5 days ago, which I didn't even know existed until I did "dir /as". Very tricky... I think that version of notepad.exe contained a copy of the virus so it could spread back after I deleted all the other copies. It might be different on other people's computers so everyone check that directory for recently-created files.
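BobO's DOS-prompt procedure (post #17: dir *.dll | more, then look for 57,344-byte DLLs dated May or June 2004) and kooderi's check of the dllcache directory for recently created files are the same idea: filter one directory by size and date and hand the hits to a scanner. As an added example, not code from any poster or tool in this thread, here is a Python script that does that filtering and builds a constructed sample directory to run against. The file names in the sample are made up, the 57,344-byte size and the May/June 2004 window come from BobO's post, and a hit is a candidate to scan, not proof of infection.

```python
import os
import tempfile
import time
from datetime import datetime
from pathlib import Path

# File size this thread associates with the hijacker's DLL (from BobO's post).
SUSPECT_SIZE = 57_344


def _as_datetime(value):
    """Accept a datetime or a 'YYYY-MM-DD' string; None passes through."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%d")


def find_suspect_files(directory, size=None, since=None, until=None, suffix=None):
    """List files in one directory (not recursive, like `dir`) that match every
    filter given: exact byte size, modification-time window, file suffix.
    Filters left as None are skipped. Returns sorted (name, size, mtime) tuples."""
    since, until = _as_datetime(since), _as_datetime(until)
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if suffix and not entry.name.lower().endswith(suffix.lower()):
            continue
        st = entry.stat(follow_symlinks=False)
        if size is not None and st.st_size != size:
            continue
        mtime = datetime.fromtimestamp(st.st_mtime)
        if since is not None and mtime < since:
            continue
        if until is not None and mtime > until:
            continue
        hits.append((entry.name, st.st_size, mtime))
    return sorted(hits)


def bobo_check(directory):
    """BobO's rule: .dll files of exactly 57,344 bytes dated May or June 2004."""
    return find_suspect_files(directory, size=SUSPECT_SIZE, suffix=".dll",
                              since="2004-05-01", until="2004-07-01")


def recent_files_check(directory, since):
    """kooderi's dllcache rule: anything, of any size, touched on or after `since`."""
    return find_suspect_files(directory, since=since)


def build_sample_dir():
    """Constructed stand-in for \\Windows\\System32: dummy files with made-up
    names (none are real system files) whose sizes and dates exercise the filters."""
    root = Path(tempfile.mkdtemp(prefix="sys32_"))
    samples = [
        ("xqzvbl.dll", SUSPECT_SIZE, "2004-06-11"),   # odd name, right size, recent: suspect
        ("legacy.dll", SUSPECT_SIZE, "1999-04-23"),   # right size but years old
        ("netapi.dll", 12_000, "2004-06-20"),         # recent but wrong size
        ("notepad.exe", SUSPECT_SIZE, "2004-06-25"),  # right size, recent, not a .dll
    ]
    for name, nbytes, day in samples:
        path = root / name
        path.write_bytes(b"\0" * nbytes)
        ts = time.mktime(_as_datetime(day).timetuple())
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    print("BobO's check:", [h[0] for h in bobo_check(sample)])
    print("Recent files:", [h[0] for h in recent_files_check(sample, "2004-06-01")])
```

On a real machine you would point find_suspect_files at the system directory instead of the sample, and, as the thread already says, rename and scan anything it returns rather than deleting on sight: a legitimate file can share a size with the bad one, which is why the date window matters.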

#31 kooderi (Full Member, 5 posts)

Posted 30 June 2004 - 06:30 AM

ABC news talks about the virus. :(

http://abcnews.go.co...-1.html?ad=true

I'll be in Austin in 10 days so if mine's not fixed by then I'll be knocking on their doors!!

#32 BobO (Full Member, 54 posts)

Posted 30 June 2004 - 08:43 AM

BobO wrote (post #17):
> The problem was entirely cured in Win 98 -- no redirects, popups, or anything.
>
> But WinXP is a completely different operating system than 98, sorry to say.
>
> One thing I can suggest is this: reboot into Command Line Safe Mode, navigate to \Windows\System32, and type dir *.dll | more. You will get a page-by-page readout of all the dlls in that folder, along with their date and size. Write down all the dlls that have a size of exactly 57,344 bytes (there are a number of them). If you find one with a weird name, and a date within May or June 2004, it is suspect. Rename it, reboot Windows into Safe Mode, and scan it with Adaware. If it's harmless, rename it back.
>
> Same thing with your \Windows\System directory. See if you can locate the file outside of Windows using good old DOS.

It seems that Win ME/2K/XP users can't reach DOS at the F8 startup menu. But why not use an older Windows startup disk to reach DOS? Once you're at the DOS prompt you can reach and nullify that wretched dll.

What's more, I sat down at an XP machine at work (uninfected) and for the hell of it I shut it down and stuck a Win 98 startup disk in the A: drive and powered up.

Got to the DOS prompt no problem. Got to the C: drive no problem. Deleted some test files no problem.

Of course, as an XP user you'd need a DOS disk. But that should be easy to come by (though I don't think XP lets you make your own startup emergency disk).

Could this be a fix for Win XP? Could some XP users give it a try?

BobO

==> Thank you ideaphorian for the *idea* on this approach!

Edited by BobO, 30 June 2004 - 08:46 AM.


#33 Pox Eclipse (New Member, 1 post)

Posted 30 June 2004 - 11:07 AM

BobO wrote:
> It seems that Win ME/2K/XP users can't reach DOS at the F8 startup menu. But why not use an older Windows startup disk to reach DOS? Once you're at the DOS prompt you can reach and nullify that wretched dll.

Not unless you installed WinXP as an upgrade, and kept the FAT32 partition. A new install of WinXP creates an NTFS partition, and the Win98 startup disk won't see it. No joy there.

#34 BobO (Full Member, 54 posts)

Posted 30 June 2004 - 01:07 PM

Pox Eclipse wrote:
> > It seems that Win ME/2K/XP users can't reach DOS at the F8 startup menu. But why not use an older Windows startup disk to reach DOS? Once you're at the DOS prompt you can reach and nullify that wretched dll.
>
> Not unless you installed WinXP as an upgrade, and kept the FAT32 partition. A new install of WinXP creates an NTFS partition, and the Win98 startup disk won't see it. No joy there.

Good point. I guess the machine at work here is an upgrade.

However, a tech friend here at the office suggests investigating the Windows XP Recovery Console (which acts similarly to DOS) to access and rename/remove the bad dll file. I'm not familiar with it myself, but there is information from Microsoft at:

http://support.micro...kb;EN-US;314058

Ya think?

#35 rosweed (New Member, 2 posts)

Posted 30 June 2004 - 03:00 PM

I've tried EVERYTHING mentioned on this board. I cannot get rid of this thing. Is there anything I can do? I'm running XP with IE 6. The popups are crashing my computer! I may have to re-format my hard drive, which I really don't want to do. Has anyone using XP managed to get rid of this thing?

#36 Surferess (Full Member, 5 posts)

Posted 30 June 2004 - 04:20 PM

I have also been dealing with the fun coolwebsearch hijacking. It has been so challenging to stay calm and not want to really get back at the company that created this plague.

Anyway, I did figure out a neat way to get the pop-ups to stop. So far it has kept my front page from being hijacked also. I have tried all the suggested programs listed here and I think my computer is still infected with the incurable virus/spyware.

Here is the work around I came up with ( also posted on my server)
http://www.surferess.com/coolwebsearch

The biggest problem is that the popup ads are not really real HTML pop-up windows. They are ActiveX and have JavaScripts that run and install applications and registry entries. Another problem is that the window has no address bar, so the URL is difficult to find. After several days I did figure out a way to find the URLs through the History function. On my computer, the URL these sites are loading from is http://s1di.d8t.biz (DO NOT GO THERE!!! I just wanted you to see the URL)

So I put this URL into the restricted sites list in the internet options list of restricted URLs.

Open Internet Explorer and click “Tools”, “Internet Options” and then click the “Security” tab. Click “Restricted sites” and click “Custom level”. Now disable every single thing and turn off your Java virtual machine and Java scripting. Only changing the settings in the restricted sites area helps a lot.

Now you will need the URL of your pop-ups: open up your History in MSIE and right-click the spyware ad entry. Then click “Properties”. The URL should come up then. Now copy the basic domain (with no directory info) and go back to your Internet Options Security tab; under the Restricted sites option, click “Site” and add the URL to the restricted sites list, then click OK.

So far (only about 30 mins) I have not had a pop up ad come up. Let me know if this works for you. It doesn’t stop all the changes, but it did stop the pop ups.

At least I don't have to watch 4 sets of bugs performing sexual acts on one another every 10 mins now!

#37 trollafrogg (Full Member, 13 posts)

Posted 30 June 2004 - 05:29 PM

for winXP



The findnfix prog will locate a .dll file; this file is given a random name by the virus. Understand that I mean that to follow the instructions that freeatlast has given, you must read the findnfix log yourself to see what name the .dll is using in your machine! Then use the path that freeatlast gives to rid the offending .dll; it works. It worked for me, and you can see that it worked for the guy in the thread that I am directing you to.

Life is good. Follow the instructions that freeatlast gives here

http://www.spywarein...ST&f=18&t=10027

Edited by trollafrogg, 30 June 2004 - 05:33 PM.


#38 Surferess (Full Member, 5 posts)

Posted 30 June 2004 - 09:11 PM

I was unable to get the executable findandfix to run. It kept coming up with a missing dll file and would not install.

I am currently deleting registry entries, as I have been for the last 6-7 days now. We have finally given up and downloaded the mozilla firefox browser. It is the old Netscape pretty much. I kind of missed it anyway. I used to be totally anti Microsoft and wouldn't install anything but Netscape. However, when Netscape was purchased by AOL I lost all respect for them and uninstalled Navigator, leaving MSIE as my default browser.

I believe this adware/spyware is truly the undoing of the internet. It is also a National Security Issue, IMHO. When an application starts installing itself, stealing passwords and reinstalling itself it is beyond just being a "pest". The fact that one simply cannot get rid of it, no matter what one does, gives one a sense of great defeat. I consider myself to be net savvy and an expert computer user and this has truly defeated me for almost a week. I spent the sleeping hours trying to figure out a way to fix it and my waking hours scanning with one of 10 different spy programs.

It is OVER! I am so NOT going to use MSIE! Screw Microsoft - I truly cannot believe they still have NO PATCH for this??? They are due all the MS bashing they get, as far as I am concerned.

The only thing I can figure out is perhaps Msft is making money on it somehow? Otherwise, where is the freaking patch already??? Sorry to sound so frustrated, but this really does suck! :wtf:

#39 rosweed (New Member, 2 posts)

Posted 30 June 2004 - 09:12 PM

Surferess wrote:
> At least I don't have to watch 4 sets of bugs performing sexual acts on one another every 10 mins now!

I wish I didn't have to watch the fornicating bugs any more. Unfortunately, what you suggested didn't work for me. I'm still getting the popups, and I'm still hijacked by about: blank.

I'm tired. I've been trying to fix this all day. Gotta sleep. I'll try again tomorrow.

Thanks for your help. If and when I ever get this fixed, I'll trumpet it all over these boards!

#40 dooom (New Member, 1 post)

Posted 30 June 2004 - 10:03 PM

Hi all....

I'm going to throw my input into the mix for the Windows 2000 users... Upon reading kooderi's explanation of the mysterious NOTEPAD.EXE file creation in the WINNT\dllcache directory, I decided to check my own creation/modifications of this file.

YUP, my system suspiciously created a NOTEPAD.EXE at the EXACT same time as my resurfacing of about:blank....

Spurred on by curiosity I also checked for other file modifications which occurred at that exact moment - I found these:

wmplayer.exe.bak
notepad.exe.bak in WINNT dir
notepad.exe.bak in WINNT\system32
notepad.exe.tmp in WINNT\system32

I've tried most of everything and curiously should note that on the last reappearance of the hijack my AppInit_DLL did not resurface with the problem - the 30 KB mystery .dlls in WINNT\System32 did however.

I ran the latest CWShredder today as well as HijackThis. I, like others, cannot get into the DOS mode with Win2000 to follow BobO's instructions..

<--- NOT a computer guru here at all - just wondering if these finds add to any knowledge base out there....

regards

#41 BobO (Full Member, 54 posts)

Posted 30 June 2004 - 10:24 PM

dooom --

You may not be able to get to DOS in Win 2000, but you can get to a command-line interface with access to your Windows and system files -- without starting Win2000 itself.

It appears that there is something called the Windows 2000 Recovery Console, which is an application from Microsoft designed to help you repair a bad Windows installation. But it sure looks and acts a *lot* like MS-DOS to me.

If you have your Windows installation disks or installation CD, you can run this application and get to your system files. And if you can identify the bad .dll beforehand, you can access it and remove/rename it, thereby putting it out of business.

Here is the information from Microsoft Support:

Windows 2000 Recovery Console

There's a Recovery Console for Windows XP too, see my post above. I think this approach may be worth investigating, but I've only got Win98 so I can't test it.

Good luck.

BobO

#42 kontrol_1

kontrol_1

    Member

  • New Member
  • Pip
  • 2 posts

Posted 01 July 2004 - 08:02 AM

I've tried EVERYTHING mentioned on this board. I cannot get rid of this thing. Is there anything I can do? I'm running XP with IE 6. .... Has anyone using XP managed to get rid this thing?

I did. XP Pro, fully updated rig.. look at my earlier post; as mentioned, the current AV used did not find all the bugs (?) I had. Try AVG, don't forget to disable XP restore first, empty all temp files after deleting the registry key, run Spybot and Adaware, download AVG, then reboot and install it. If you can't, then you still have some bugs partying around. NB: if you have Norton Utilities, don't forget to disable the trash bin protection and delete all protected files (right click on the trashcan for the option).. 2nd NB: for temp file removal try emptemp at
http://www.danish-sh...k/soft/emptemp/

i believe that you must get rid of all temp files before rebooting ..at least that way it worked for me ...goodluck !!

Kontrol.

#43 Mrfullsrvc

Mrfullsrvc

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 01 July 2004 - 09:30 AM

I fought with this virus for a week and a half. It's a Win32MerstingB trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From ca's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the CWS shredder, Spybot, Adaware, pest patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eztrust from cai) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

To see information about it, go to:

http://vic.zonelabs....s.jsp?VId=39113
http://www3.ca.com/s...s.aspx?id=39113
http://uk.trendmicro...me=TROJ_AGENT.A

For information on the Reg Start page, go to:

http://www3.ca.com/s...s.aspx?ID=28683

Trend Micro's removal tool for this particular mofo is at:

https://beta.activeu...gentv1.0007.zip

I have a command file (.cmd) named delmer.cmd that will remove it for you too that was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below is the contents of that command file:


@echo off
rem Usage: delmer.cmd <path to the detected trojan file>
rem Grant everyone full access to the file
echo y| cacls.exe %1 /g everyone:f
rem Access the file to trigger resident protection
type %1 > nul
rem Wait 10 seconds to allow system clean to run
rem (delay is not a cmd.exe built-in; an external delay utility must be on the PATH)
delay 10
rem In case system clean didn't run, delete the file manually
del /q /f %1

Make sure that once you run the command file, or the fixtool from Trend Micro that you turn off the system restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the system restore points. Your antivirus will detect the virus if you don't turn the system restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!

If you need the command file or more info, my email address is Mrfullsrvc at aol.com. (Don't forget to use the '@' symbol in the email.)

#44 ideaphorian

ideaphorian

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 11:22 AM

ideaphorian:

I also am running ME, but have been unable to find the offending file using BobO's instructions.  I can't find a System Hooks file under Software Environments.  Where did you find the offending file?

The Fist

Fist,

I found the offending file by using BobO's instructions about finding the files in MS-DOS: go to the MS-DOS prompt (from Programs -> Accessories), then at the C:\WINDOWS prompt, type cd system, then type dir *.dll|more -- look for files that have 57,344 bytes (lots of them) but that were entered recently (in my case, just one on 6/11/04). Mine's called kbdfnj.dll, but I suspect that the file name might be random.

I hope this helps!

What's more, I think I've figured out how to get rid of the about:blank problem on Windows ME. I can't try to rename it as BobO suggests using the 'normal' boot options in ME because they do not allow for direct boot into MS-DOS. So I had to create a Windows ME startup disk, then boot up ME using the startup disk. Eventually it allows you to get to a DOS prompt, from which I could follow BobO's instructions. I just re-booted the system after deleting the offending file, but the telltale signs of trouble (error message with msgsrv32 on startup; error message with mmtask at shutdown) have disappeared.... free at last, free at last?!?!?!

FYI, two days or so later, my Windows ME computer remains free of this virus -- thanks again BobO and everyone for your postings which helped!
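A defender-side script, added here as an example and not part of any post in this thread, that automates the inspection ideaphorian describes: list DLLs of exactly 57,344 bytes with a recent timestamp, then rename (not delete) any hit so it can be restored. The directory and file names are constructed sample data; point find_suspect_dlls at the real system directory to use it.

```python
import os
import tempfile
import time
from pathlib import Path

# Indicators taken from the thread: a 57,344-byte DLL with a nonsense name and a
# recent timestamp sitting among the legitimate DLLs in the system directory.
SUSPECT_SIZE = 57344
RECENT_DAYS = 30
DAY = 86400


def find_suspect_dlls(system_dir, size=SUSPECT_SIZE, recent_days=RECENT_DAYS, now=None):
    """Return sorted DLL paths whose size matches AND whose mtime is recent.

    Size alone is a weak signal (the thread notes lots of 57,344-byte DLLs),
    so both conditions must hold, mirroring the manual 'dir' inspection."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * DAY
    hits = []
    for entry in Path(system_dir).iterdir():
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        st = entry.stat()
        if st.st_size == size and st.st_mtime >= cutoff:
            hits.append(entry)
    return sorted(hits)


def quarantine(path):
    """Rename rather than delete, as BobO advises, so the file can be restored."""
    target = path.with_name(path.name + ".bad")
    path.rename(target)
    return target


def build_demo_dir(now=None):
    """Constructed sample directory: these are made-up files, not real system files."""
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="sysdemo_"))
    samples = [
        ("kbdfnj.dll", SUSPECT_SIZE, now - 2 * DAY),    # fresh, right size: suspect
        ("oldlib.dll", SUSPECT_SIZE, now - 400 * DAY),  # right size, but old
        ("small.dll", 4096, now - 1 * DAY),             # fresh, wrong size
        ("notes.txt", SUSPECT_SIZE, now - 1 * DAY),     # right size, not a DLL
    ]
    for name, size, mtime in samples:
        p = root / name
        p.write_bytes(b"\0" * size)
        os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for hit in find_suspect_dlls(demo):
        print("suspect:", hit.name, "->", quarantine(hit).name)
```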

#45 arocky_23

arocky_23

    Member

  • New Member
  • Pip
  • 4 posts

Posted 01 July 2004 - 12:51 PM

Hi, I need serious help with this hijacked home page situation. I have tried numerous things as far as scanning with Spybot, Ad-aware (with all info). Please keep in mind I have read the FAQs on what to do before doing anything. I even tried HijackThis through an online support system and it just didn't delete it. I am stumped other than reformatting my hard drive. Can someone show me how to get HijackThis without getting a page that has been moved or some other thing happening to it? If I can get HijackThis I'll post what I got in here without changing anything. I can see that a lot of people have the same problem so I know there has to be a fix. Any responses will be appreciated.


rocky.

#46 Mad Max

Mad Max

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 304 posts

Posted 01 July 2004 - 01:29 PM

As I understand it, CWShredder (updated) now fixes this particular variant, with ( Temp\sp.html ) in the R0s and R1s.
Latest info received: this variant will not be fixed by CWShredder. Sorry for the muckup.

Edited by Mad Max, 01 July 2004 - 03:36 PM.

Mad Max

#47 arocky_23

arocky_23

    Member

  • New Member
  • Pip
  • 4 posts

Posted 01 July 2004 - 01:34 PM

Well, the thing is I did the CWShredder updated. This thing CANNOT be updated without going in and deleting something. I have tried and tried and tried. I'm stumped. I even tried getting a log file for HijackThis but don't know how. Can someone help me there?

#48 Mrfullsrvc

Mrfullsrvc

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 01 July 2004 - 01:45 PM

I fought with this virus for a week and a half. It's a Win32MerstingB trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From ca's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the HJT, CWS shredder, Spybot, Adaware, pest patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eztrust from cai) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

To see information about it, go to:

http://vic.zonelabs....s.jsp?VId=39113
http://www3.ca.com/s...s.aspx?id=39113
http://uk.trendmicro...me=TROJ_AGENT.A

For information on the Reg Start page, go to:

http://www3.ca.com/s...s.aspx?ID=28683

Trend Micro's removal tool for this particular mofo is at:

https://beta.activeu...gentv1.0007.zip

I have a command file (.cmd) named delmer.cmd that will remove it for you too that was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below is the contents of that command file:


@echo off
rem Usage: delmer.cmd <path to the detected trojan file>
rem Grant everyone full access to the file
echo y| cacls.exe %1 /g everyone:f
rem Access the file to trigger resident protection
type %1 > nul
rem Wait 10 seconds to allow system clean to run
rem (delay is not a cmd.exe built-in; an external delay utility must be on the PATH)
delay 10
rem In case system clean didn't run, delete the file manually
del /q /f %1

Make sure that once you run the command file, or the fixtool from Trend Micro that you turn off the system restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the system restore points. Your antivirus will detect the virus if you don't turn the system restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!

#49 zophiel

zophiel

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 July 2004 - 03:42 PM

BobO,

I have been able to follow most of your instructions on my Win 98SE machine. I have found the *.dll file of the exact size and renamed it. This file also has a recent date which adds to my suspicion it is a baddie.

However, here's the problem: when I try to run Ad-aware in dos safe mode, I get a message that Ad-aware has to run under WIN 32. Does this mean I should move Ad-aware to the WIN subfolder before running it? I have Ad-aware.exe installed under Program Files\Lavasoft\Ad-aware 6/0\

I have run Ad-aware under windows and it does not recognize the newly named file. Perhaps I should delete this renamed file to the recycle bin (from which it can be restored) or save it on a floppy, then delete it from my hard drive.

Your comments, please?

#50 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 01 July 2004 - 04:29 PM

zophiel --

Sounds like you've done everything right -- up to the point where you run Adaware on the suspect file.

The idea is that you get at and rename the bad dll in Command Line (i.e. DOS) safe mode, and once you've done that, you restart your computer in *Windows* safe mode. That way you can run Adaware on it, and yes Adaware can only be run in Windows. Note that if you really did find and rename the hidden CWS bootup file, Windows will look for it while booting -- even in Safe Mode -- and complain that it can't find it. No problem, ignore its complaints and keep going.

I guess it's a good idea to recycle the file instead of trashing it too, just in case you need it. But if it's 57,344 bytes, and it has a recent date and a nonsense name, it sounds like the culprit to me.

While you're in Windows Safe Mode, you can run Shredder and Spybot as well, to clean up the leftovers.

Good luck!

PS - Here's an idea for Windows XP users who want to get to the command line -- why not put a blank floppy in Drive A (Daddy, what's a floppy? :)), right-click on the icon, and select Format. When the dialog comes up, choose Make This A Bootable Disk (or whatever it says like that). My XP user friends say that you can boot an XP machine with such a disk and reach a command line, from which you can navigate over to the suspect file etc etc etc.

Check it out...

BobO

Edited by BobO, 01 July 2004 - 04:41 PM.
