sights0d

Has ANYONE ever gotten rid of about:blank?

93 posts in this topic

:unsure:

 

This all looks like gibberish to me...

 

What about some step-by-step instructions for XP users on how to get rid of about:blank in simpler terms?

 

Please :weep:


hey gang, well so far today i have tried several other things myself. i redid hijack this to no avail. and i also did a fix tool to a different trojan from trend micro. tm has found four trojans on my computer that i did delete but it seemed that did very little. im willing to try new things but my confidence on getting this fixed is running thin. i did look at sufferess' page but i was too intimidated to even try and mess with what they had on it. i did have those pop ups that you had on that page though. any other suggestions would be greatly appreciated. all i can do is trial and error before i may have to reformat.

 

rocky.


BobO.... i love you mannnnnn. (in a purely friendly way) I followed your instructions, plus some of the hints from others on this board, and it appears that my computer is freeeeeeeee of this stupid mofo spybot/virus.

 

but just to clarify some of the things that confused me before i did this, and to also make the instructions even easier for the non-computer savvy....

 

(this is for Windows ME btw)

 

you need to make a recovery disk first of all... this is what lets you get into true DOS... to make one, go to the control panel, then get into "add/remove programs"... then click on the tab marked "startup disk". follow the instructions.

 

and when you get to the part in bobOs instructions about getting into DOS to rename the dll file, just shut down your computer, put in the startup disk you made, and restart... this will give you a set of options... choose number 3, and it will put you into DOS mode.

 

once you rename the dll file, pop out the floppy, and restart, but start hitting F8 repeatedly as soon as it starts to restart... this will allow you to get into safe mode for the next steps in bobOs instructions.


Hey guys, well after about four days of defeat my lil bro came on and did some things with it. what he did was windows critical updates. (not sure if any did have the hijack patches) and updated ad aware. as far as i know this fixed it. so looks like ad aware is making the changes. good luck guys.


BobO, you rule,

 

I was tearing my hair out for about 3 days, your fix has saved what I have left, thanks a ton (at least).


It seems Kooderi and me are the only ones struggling with this [expletive] hijacker on a win2000 system.

 

I had a seriously intensive session last night, trying out all the fixes recommended here by BobO, Goingnuts, Mrfullsrvc etc. Each time I thought I had the thing sussed, and Ad-aware, Hijackthis, CWshredder etc. would give me a clean sweep, the thing seemed to creep back when I wasn't watching. The last straw was when I had been working offline running only Word for a couple of hours and then ran up IE to do some research....bingo there was about:blank! Ran Ad-aware and up came all those suspicious registry entries again so I knew the so and so was hiding somewhere.

 

In sheer anger and frustration I burnt the midnight oil searching ALL my WINNT folders for suspicious looking files and disabling them (changing the file extensions as suggested by BobO).

 

A couple of things of note came up in this process: some odd looking files in my downloaded files folder - they had no creation date and the system couldn't identify any properties; and some VERY large .tmp files in my temp folder masquerading as excel files called Old1.tmp and Old2.tmp. However when I opened one of them (a stupid thing to do I know) it appeared to be some kind of macro.

 

Anyway these have now been deleted from the hard-drives and once again all the virus scanners, including the one at CA, have given me a clean bill of health.

 

I am sceptical that I have cured the problem but I continue to keep an eye on this thread.


I had about:blank and after instructions from Phantom seemed to have got rid of it. At least it didn't change my homepage anymore or cause popups. However I have noticed that whenever IE can't find a page, I'm redirected to a site (a Chinese portal) instead of getting "page not found" . My computer also seems to be very slow and what's called physical memory is always between 96% and 100% according to my performance manager- unfortunately I don't even know enough to know if this is normal.

 

I tried Bobo's solution (and the version by bch7773 - I have windows Me) but have got stuck.

When I get to Windows System in DOS and type dir*.dll|more I get a bad command message. I tried dir*.dll and DOS displayed all the .dll files (there were about 800) but so quickly I couldn't see them let alone re-name them. As you can see I don't know much about navigating in DOS! When I tried dir*.dll again I just got "bad command" again. This was from MS-DOS prompt AND from start up-disk, same result

 

bch7773, your simple explanations are a great help but could you expand them re operating in DOS for the really simpleminded - like me? Any idea why I can't get to see the .dll files?

 

Thanks for any help!


fugesi:

 

The correct syntax for the MSDos Command is "dir *.dll |more" (omit the quotes) with the | being the [shift]\ key located above enter. Also note the space between dir and * and between dll and |. You should be able to hit the spacebar to scroll through the list. I posted a step-by-step of the fix I used based on BobO's and ideaphorian's suggestions for ME here: http://www.spywareinfoforum.com/index.php?showtopic=11843&view=findpost&p=44660

 

Good Luck


fugesi

 

well if you want to save that directory entries to a txt file and peruse it when ever you want

 

you can type like this

 

dir *.dll >c:\*********\****\***\***.txt

 

or instead of more

you can do this

dir/p *.dll

windows will show it page by page

Lennme posted a solution different from BobO on the page 1 of this thread.

here it is:

 

This worked for me:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

 

I tried the goingnuts solution on windows 2000. I deleted the AppInit_DLLs registry key and it didn't re-appear, but when I re-booted, it was the same problem: my home page in the browser has been hijacked to 'your-searcher'. Any suggestions welcomed!

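Added example, not part of the original posts: a read-only PowerShell audit of the AppInit_DLLs value named above, reporting each DLL it references with whether the file is visible on disk, its size, creation time and signature status. It assumes a Windows system with PowerShell 3.0 or later (not something the Windows 2000/ME/XP machines in this thread shipped with); the function name Get-AppInitDllReport is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of AppInit_DLLs.
# Run from an elevated PowerShell prompt; nothing is modified.

function Get-AppInitDllReport {
    # Both registry views: native, and the 32-bit view on 64-bit Windows.
    $targets = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
           Dir = Join-Path $env:WinDir 'System32' },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
           Dir = Join-Path $env:WinDir 'SysWOW64' }
    )

    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $t.Key

        # The value is one string; DLL names are separated by spaces or commas.
        $entries = @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ })

        foreach ($entry in $entries) {
            # A bare file name is looked up in the matching system directory.
            $path = $entry
            if (-not (Split-Path -Path $entry -IsAbsolute)) {
                $path = Join-Path $t.Dir $entry
            }

            # -Force includes files carrying the Hidden or System attribute.
            $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            $sig = 'n/a'
            if ($file) {
                $sig = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
            }

            [pscustomobject]@{
                RegistryKey   = $t.Key
                Entry         = $entry
                # LoadAppInit_DLLs (Vista and later): 0 means the list is ignored.
                LoadEnabled   = $props.LoadAppInit_DLLs
                # False here means the registry names a DLL that the running
                # system will not show, the "hidden DLL" symptom described in
                # this thread; inspect the disk offline in that case.
                VisibleOnDisk = [bool]$file
                SizeBytes     = if ($file) { $file.Length } else { $null }
                Created       = if ($file) { $file.CreationTime } else { $null }
                Signature     = $sig
            }
        }
    }
}

$report = @(Get-AppInitDllReport)
if ($report.Count -eq 0) {
    'AppInit_DLLs is empty in every registry view.'
} else {
    $report | Format-List
}
```

An entry that is unsigned, recently created, or not visible on disk is the one to investigate before clearing the value; clearing the value alone leaves the DLL file in place.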
I had about:blank with the SP.html file.

 

This program got rid of it, so far (2 weeks), for good.

 

http://www.rokop-security.de/main/article.php?sid=746

 

file is sphjfix.exe

You can put the file name in Google it will find it.

 

Gradders

did anyone try this out? I have XP with IE6.0

This looks interesting -- I went to the link above and found the page in German. That not being a language I am familiar with, I copied and pasted it into the Google translator. The results are below (yipes! pardon, German friends).

 

The sense of it is that they recognize that a hidden CWS dll file gets embedded into the system, and claim that their tool removes it. They also recommend running Adaware etc after the fix.

 

Those who have XP/2000 might want to give it a spin?

 

BobO

 

[translation]

 

For some weeks a Browser Hijacker, which is to be removed only very with difficulty, employs us (and not only us) and by it again and again the starting side of the InterNet replaces Explorers with a search side. All past programs could remove this Hijacker apparently, it came back however however after some hours. On the search for a solution of the problem however some things were unclear: Where and how does one infect oneself? Which safety gap uses this Hijacker?

 

Facts were only DLL, which was once on the computer active, completely invisible, as well as the reports of infected Usern from various forums. This Hijacker is a CoolWWWSearch variant the sp.html Hijacker or also Trojan.Win32.Startpage.gv and/or L.G. is called.

 

In the available case spaetens at 22:40 o'clock by day the infection (which we to have placed behind) the starting side of the IE with the search side was exchanged searchx.cc. If one removed the starting entries manually or with the help of the CWShredders, first everything seemed clear, few hours later was however again everything with the old person. One recognizes the Hijacker to the easiest with the Tool HiJackThis by the following red marked entries: In all well-known cases the lines end to us with... \sp.html (obfuscated) and a pertinent BHO entry.

 

The finished Entfernungstool is to be owed to some untiring people, which became active for lack of professional assistance. Came out a Cleaner, which resets both the causal file, and the obvious file and sets the starting side on about:blank.

 

The Cleaner is so far only functional under Windows2000/XP and must be implemented with administrator rights. After that unpack the Zipdatei the SpHjfix.exe is started and the Button "disinfection to start" pressed. Afterwards the system starts again and the Cleaner again automatically called around the cleaning to lock. Subsequently, the computer is released from the Hijacker. We recommend to use however nevertheless again the CWShredder, still another abandoned Registryeintrag far away.

 

I would like to express again special thanks here to the following persons, who were involved with the solution of the problem: - Seeker (programmer) - Raman - DerBilk - Paff and here geht`s now to the Download of the Cleaners. Rokop, 14.05.2004


Well I'm somewhat relieved to find that I'm not the only one with this problem. Been dealing with it for about a week, and mine is definitely tied to CoolWebSearch. Originally used a combo of Ad-Aware and Hijack-This to remove the sp.html and the random titled .dll file, but alas the about:blank homepage would resurface anywhere from an hour to a day later. Then tried using the CWS Shredder and it would also temporarily work but it's still coming back. I knew there had to be a hidden file of some sort that is resetting this thing!!!

 

I'm going to try goingnuts instructions to fix this and see how that does....if it comes back again I'll try that new German program. BTW I'm using WinXP Pro and have done all the critical updates as of yesterday.

 

Good luck to everyone dealing with this and hopefully someone can come up with a sure-fire solution sooner than later.


Alright, I've removed the AppInit_DLLs key .... everything is fine ATM. Will update later today or tomorrow as to whether it was successful or not.


Here is the fix for Win2k/XP users...you must download "FindNFix" from http://freeatlast100.100free.com/index.html then proceed to step 2

 

Step 2:

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

Please wait while the program collects the necessary information.

 

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

When the program is finished:

 

Open the FindnFix folder.

1. Look in the file Log.txt and search at the upper portion of the log where it reads "Locked or Suspect File(s) found"

2. Remember the name of that file

 

Step 3:

Open the FindnFix folder.

Open the keys1 folder.

 

If you receive an error while trying to edit, see below for instructions.

RightClick on the MOVEit.bat file, select--> edit.

Copy and paste this line into the batch file, replacing the line there.

 

move %WinDir%\System32\*.dll %SystemDrive%\junkxxx\*.dll

(*= name of the dll you were supposed to remember)

 

{ignore this paragraph...I need it here to avoid the formatting problem this Board software causes when writing these directions}

That line above is: move(space)%WinDir%\System32\*.dll(space)%SystemDrive%\junkxxx\*.dll

 

Save the file and close.

Get ready to restart!

Still in the keys1 folder, double click on FIX.bat.

You will get an alert of ~20 secs before reboot.

Allow it to reboot!

 

On restart, Open the FindnFix folder.

DoubleClick on RESTORE.bat.

When it is finished, open the FindnFix folder.

Post the contents of Log1.txt in this thread.

 

=== In the Event an Error Occurs Trying to Edit ===

Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

 

If that happens, follow these steps instead:

Open Notepad or Wordpad and open the MOVEit.bat from there (Click on *file* at the top and then *open* and navigate to the MOVEit.bat file) Once open you can then edit the line as instructed above.


yeah, was it just meant to locate the dll? or was it supposed to break it in half and kill it? because that's the part I'm having trouble with lol ^_^

 

by the way, Microsoft just posted a windows update for the ADODB.stream security hole. the one that everyone (well me, at least) got this damnable spyware from. everyone might want to check out windows update for that. :techsupport:

Edited by wizzahd


The first part locates the dll, the second part gets it the hell out of where it is, and drops it in the junk folder.


Sniffed -> D:\WINDOWS\SYSTEM32\ALIBY.DLL

Sniffed -> D:\WINDOWS\SYSTEM32\FYRLX.DLL

Sniffed -> D:\WINDOWS\SYSTEM32\JDCKC.DLL

Sniffed -> D:\WINDOWS\SYSTEM32\TUEGU.DLL

 

are your BAD files. You need one line for each file name... something along the lines of:

 

move %WinDir%\System32\TUEGU.dll %SystemDrive%\junkxxx\TUEGU.dll

 

...and so on, for each dll


holy crap I just fixed it, I believe. I'm running windows 2000, so hopefully this will be helpful to everyone else on w2k.

 

here's a step by step-

1. UPDATE IE NOW. the ADODB security hole fix is up, go get it as soon as possible to prevent further infection!

2. figure out the name of your infected DLL (and whatever other files there are). you can do this using a number of utilities, I used FileMon, but HijackThis and FINDnFIX can locate it just as well.

3. download/update AdAware as per this link.

4. reboot into safe mode.

5. locate and isolate the infected file(s)

6. empty (don't delete the folder, just the contents) out your temp folders (C:\WINNT\Temp\ and C:\Documents and Settings\(user)\Local Settings\Temporary Internet Files\), just in case. empty your recycle bin afterwards.

7. run AdAware with the settings that the above page recommends. let it scan through and delete any quarantined items.

8. set your home page back to something else, also open your search bar.

9. open and close IE a few times (not sure if that step has any significance, but this is exactly what I did)

10. reboot normally

11. open IE and repeatedly press ESC as it loads whatever page it loads.

12. double check your home page setting.

13. open your search bar and click the Customize button, setting it to whatever you like best. close IE.

14. open and close IE a few times just to double check that it's still gone.

 

hopefully you're clean. I've been fine since I finished that.

 

I started thinking about it, how did the adware reinstall itself over and over again? I noticed that AdAware replaced the search page in IE-- could that have possibly been the problem? maybe since the DLL replaces the default search page, the new adware 'search' reinstalls itself using the ADODB security hole? any thoughts?

 

good luck to everyone with this damnable software!

 

edit:

by the way, in case anyone is interested, I've saved the little humping bug ad (or the humping bugs, at least) for humor's sake. check them out.

Edited by wizzahd


Post all errors/successes Here

 

But please do not pollute it with hundreds of logs.. Hijack This logs... About:Buster logs.

Edited by RubbeR DuckY


Most fixes, such as Ad-Aware alone, may inactivate the infection and fix the problem in that sense. However many files are left on the PC which could be reactivated at a later time. About:Buster will clear them out.


Thanks a million guys. Ran about:buster and it would not detect the hidden .dll but Reglite allowed it to be found and system recovery console allowed me to rename and deactivate it. I think it is good to run about:buster though as it found about 200 files generated by the jacker that I missed. Bless you all.


YES - about:blank was not removed by Spybot SD or Lavasoft Adaware,

I finally tried CWShredder and also removed MSft Java VM in lieu of Sun's Java code which seems to have fixed the problem.

 

CWShredder.exe is downloadable via google. Some sites seem to be broken but keep looking for the exact exe. Most components don't show but a few items between about:blank are common and are removed.

 

The MSjava vm is clean if you follow the following article:

 

http://www.winnetmag.com/Article/ArticleID/38206/38206.html

 

Good luck. Until I found this I had about:blank for 3 weeks.


I am having no luck and have yet to have anyone respond to my posts. Can anybody please help me with this about:blank?????


GAAAAAAAAAAAAH :grrr::grrr::grrr:

 

:techsupport:

 

 

NONE OF YOU MAKE SENSE

 

YOUR POSTS GIVE ME A HEADACHE

 

RAAAAAAAAAAAAAAAH!

 

:ugh:

 

I think this thing is taking up my memory and my AIM doesn't work no matter how many times i redownload it and i get these lame advertisements of bugs screwing each other

 

WHY HASN'T ANYBODY GOTTEN RID OF ABOUT:BLANK ON XP????

 

WHY IS THIS SO COMPLICAAAAATTTTTEDDDDDD!

 

*cries*


Helpless April,

 

I understand your frustration, and I'm sorry that you're having such a rotten time. But the people who are contaminating your computer are heartless -- they DON'T CARE how bad you feel -- they want to control your computer and they don't want to give it back to you. And they want that control so badly that they have devised a poison that is very difficult to remove.

 

A lot of very talented and very dedicated people at this forum are working hour after hour to help fight back. But the enemy is wily and crafty; what works for one user often does not for another. There seems to be no magic bullet -- yet.

 

So hang in there and try to follow our suggestions. Try Rubber Ducky's new program About:Buster. If you don't understand something, ask questions about the part you don't get. And don't forget that there are a lot of people who are just as angry as you are, and they won't *ever* stop fighting this menace.

 

Cheers,

BobO


Ideaphorian:

 

I was looking at BobO's instructions about the dll files so i looked in my system32 folder through command prompt. I did not find any files that were 57,344 bytes but I did find the following files:

 

kbdfgd.dll 7/13/04 11:24p 0 bytes (similar to the one u had)

hlpcfk.dll 7/13/04 11:24p 0 bytes

chpdica.dll 7/13/04 11:23p 0 bytes

wdm.dll 7/13/04 08:06a 0 bytes

nmgiic.dll 7/13/04 11:24p 0 bytes

 

 

I have sp.html showing up in my temp folder, about:blank keeps taking over my browser. I have run spybot, adaware and hijack this in safe mode and it still is coming back. I am going to try and delete these files and also try what goingnuts mentioned lennme posted about the registry. I'll keep u updated.. :techsupport:

ideaphorian:

 

I also am running ME, but have been unable to find the offending file using BobO's instructions.  I can't find a System Hooks file under Software Environments.  Where did you find the offending file?

 

The Fist

Fist,

 

I found the offending file by using BobO's instructions about finding the files in MS-DOS: go to the MS-DOS prompt (from Programs -> Accessories), then at the C:\WINDOWS prompt, type cd system, then type dir *.dll|more -- look for files that have 57,344 bytes (lots of them) but that were entered recently (in my case, just one on 6/11/04). Mine's called kbdfnj.dll, but I suspect that the file name might be random.

 

I hope this helps!

 

What's more, I think I've figured out how to get rid of the about:blank problem on Windows ME. I can't try to rename it as BobO suggests using the 'normal' boot options in ME because they do not allow for direct boot into MS-DOS. So I had to create a Windows ME startup disk, then boot up ME using the startup disk. Eventually it allows you to get to a DOS prompt, from which I could follow BobO's instructions. I just re-booted the system after deleting the offending file, but the telltale signs of trouble (error message with msgsrv32 on startup; error message with mmtask at shutdown) have disappeared.... free at last, free at last?!?!?!

Can you provide any more detail on how you got a true DOS prompt using windows ME?

or how you created a boot disk? (I believe I already have an ME boot disk if this option would work.) I'm dealing with the same thing on a Windows ME system. I've found the file in question but can't rename using the DOS utility. I also haven't tried to delete the file (BobO's instructions say not to)--Any other suggestions/advice?

-KF
