How to Kill SearchX aka About:Blank for Windows ME


19 replies to this topic

#1 The Fist


Posted 30 June 2004 - 08:21 AM

I have been struggling to get rid of SearchX / About:Blank for almost two weeks. Here is a solution that seems to work. I did not figure out the solution. Thanks to BobO and ideaphorian who did. :thumbsup: I just wrote down the solution they proposed with some additional steps that I pulled from other websites and forums. I hope that those more knowledgeable than I am will review this and decide to pin it so that others can employ this fix.

This is for Windows ME only. The fix may work similarly for other Windows OS.

Here are the steps (some may be overkill, but I think overkill is a good thing):

:bangbang:

1. Most users have lost notepad. You can get back notepad by renaming c:\windows\notepad.exe.bak to c:\windows\notepad.exe. Note the date and time on notepad.exe.bak because that will be the same time as the offending .dll file. I also lost Microsoft Windows Media Player. You can get that back by renaming wmplayer.exe.bak to wmplayer.exe.

2. Go to the MS-DOS prompt from Start -> Programs -> Accessories -> MS-DOS Prompt. At the C:\WINDOWS prompt, type "cd system" (omit quotes), then type "dir *.dll |more" (omit quotes). Look for files that have 57,344 bytes (there are lots of them) but that were entered recently (in my case and in ideaphorian's case there was just one entered on 6/11/04 and 6/18/04 respectively). Mine was called com.dll and ideaphorian's was called kbdfnj.dll. I suspect that the file name might be random. Note that the date and time will be the same as the date and time for notepad.exe.bak. Write the file name down and exit the MS-DOS Prompt. To verify the file is the one, open My Computer -> C:\ -> Windows -> System and look for the file. If you can't find it, it is very likely that it is the culprit.

3. Take your computer off line by unplugging your modem, DSL or cable connection. Note -- make sure you have the most recent versions of CWShredder, Ad-Aware, Spybot S&D and HijackThis (see below for links) downloaded before going off line.

4. Run the latest version of CWShredder. Find Here. If you have already loaded the latest version of CWShredder, make sure it is updated.

5. Run the latest version of Ad-Aware. Find Here. If you have already loaded Ad-Aware, make sure it is updated. Click on SCAN NOW. Make sure ACTIVATE IN DEPTH SCAN is checked. Select the radio button for USE CUSTOM SCANNING OPTIONS. Click on CUSTOMIZE. Make sure that SCAN WITHIN ARCHIVES is checked and that the two "skip" boxes are not checked. Make sure that all the boxes under MEMORY AND REGISTRY are checked. Click on the link to SELECT DRIVES AND FOLDERS. Make sure that all the drives under c:\ are checked. Run Ad-Aware and delete anything it finds. I would also delete any quarantined files.

6. Run Spybot S&D. Find Here. Fix anything it finds. Set the MODE to ADVANCED. Select TOOLS and then BROWSER PAGES. Reset any browser pages that are set to "about:blank" or "sp.html" to yahoo.com or google.com.

7. Delete the sp.html file from your Windows/Temp directory if it is there.

8. Run HijackThis and delete any entries (if they are still there) that reference C:\WINDOWS\TEMP\sp.html or HomeOldSP = about:blank

9. Create a Windows ME startup disk, then boot up ME using the startup disk. Eventually it allows you to get to a DOS prompt. Find the .dll file that you previously identified and rename it from abcd.dll to abcd.bob (the abcd part represents the file name which may be random, the .bob is in honor of BobO who figured this beast out). The DOS command is "ren abcd.dll abcd.bob" (omit quotes).

10. Re-boot your system (I just used the "reset" button on the front of the computer) after deleting the offending file. The computer will complain that it can't find the .dll file you renamed but click OK and keep going.

11. Run Ad-Aware again. It will identify the renamed file (abcd.bob in our example) as CWS. Ad-Aware also found two other files which I don't know if they are related:

C:\WINDOWS\Cookies\[The Fist]@tribalfusion[1].txt
C:\WINDOWS\Cookies\[The Fist]@counter2.hitslink[2].txt

12. Delete and remove the quarantine files for anything that Ad-Aware finds.

13. Run CWShredder and Spybot for good measure.

14. Go into START -> SETTINGS -> CONTROL PANEL -> INTERNET OPTIONS -> GENERAL and delete all cookies and all files (this step is optional).

15. From CONTROL PANEL select SYSTEM click on the PERFORMANCE tab, click on the FILE SYSTEM button and then the TROUBLESHOOTING TAB. Check DISABLE SYSTEM RESTORE and then click on APPLY. Then uncheck DISABLE SYSTEM RESTORE and then click on APPLY. Click on OK and then OK again. You will be asked if you want to reboot your system now. Click on OK. Don't be concerned if the DISABLE SYSTEM RESTORE box is checked. I think that the hijacker does that to prevent you from restoring your system to a point prior to the hijacking. If the box is already checked, just uncheck the box and reboot.

Hopefully you are free of the beast!!!

Good Luck. Please post a response if it works for you so this will keep being bumped and eventually pinned.

Edited by The Fist, 01 July 2004 - 12:04 PM.
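Steps 1 and 2 of the write-up above boil down to a file-system triage heuristic: a DLL in the system directory that is exactly 57,344 bytes and carries the same timestamp as the renamed notepad.exe.bak. The script below is an added example (not from the thread or any tool it mentions) that applies that heuristic to a directory; the sample directory, file names and timestamps are constructed for the demonstration, and the two-minute tolerance is an assumption to absorb FAT's coarse timestamp resolution.

```python
"""Triage helper: find *.dll files of exactly 57,344 bytes whose modification
time matches notepad.exe.bak (the reference file) within a tolerance."""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

SUSPECT_SIZE = 57_344  # byte size called out in step 2 of the post


def find_suspects(system_dir, reference_file, tolerance=timedelta(minutes=2)):
    """Return sorted [(name, size, mtime)] for DLLs matching size and timestamp."""
    ref_mtime = datetime.fromtimestamp(os.stat(reference_file).st_mtime)
    suspects = []
    for p in Path(system_dir).glob("*.dll"):
        st = p.stat()
        mtime = datetime.fromtimestamp(st.st_mtime)
        # Size alone is a weak signal (many legitimate DLLs share it);
        # the timestamp match with the dropper's renamed notepad is what narrows it.
        if st.st_size == SUSPECT_SIZE and abs(mtime - ref_mtime) <= tolerance:
            suspects.append((p.name, st.st_size, mtime))
    return sorted(suspects)


def build_sample(root):
    """Construct a fake system dir (assumed layout, not a real capture): benign
    57,344-byte DLLs with old dates, notepad.exe.bak, and one DLL stamped at the
    same moment as the .bak file. Returns the path of the reference file."""
    root = Path(root)
    infection = datetime(2004, 6, 11, 14, 30)
    old = infection - timedelta(days=400)

    def touch(name, size, when):
        f = root / name
        f.write_bytes(b"\0" * size)
        os.utime(f, (when.timestamp(), when.timestamp()))

    for name in ("kernel.dll", "shell.dll", "user.dll"):
        touch(name, SUSPECT_SIZE, old)           # right size, wrong date
    touch("msvcrt.dll", 120_000, infection)      # right date, wrong size
    touch("notepad.exe.bak", 53_248, infection)  # the reference file from step 1
    touch("com.dll", SUSPECT_SIZE, infection)    # the planted file from step 2
    return root / "notepad.exe.bak"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, size, mtime in find_suspects(d, build_sample(d)):
            print(f"{name:16} {size:>7} {mtime:%m/%d/%y %H:%M}")
```

On a real machine, point find_suspects at C:\WINDOWS\SYSTEM and at the actual notepad.exe.bak; any hit still needs the Explorer visibility check from step 2 before acting on it.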


#2 The Fist


Posted 30 June 2004 - 08:45 PM

So far so good. I've been CWS About Blank / SearchX free for over 12 hours. Also, I've been able to install Norton Systemworks which I wasn't able to do for the last 10 days when my computer was infected. Thanks again to BobO and ideaphorian.

The Fist

#3 coooka


Posted 30 June 2004 - 10:25 PM

Friend,
My About:Blank beast is called lognb.dll.

I've done everything under the sun.. ok maybe not everything..
to get rid of the beast but so far No Go.

I saw your fix and before I unplug my modem and try it..
Can you tell me how long you've been infection free?

You do know I imagine that this son of a B reappears after a few hours
or a day or so.. even though you think it's gone... It's insidious!!!

Have you run a program called AdwareAway?
This will show you're still infected even though it won't necessarily get rid of it.

I've noticed that CWShredder, Spybot, Adware and others won't find it
whereas AdwareAway will.

Let me know and Thanks, -C
You can email me direct at marbrook@comcast.net

#4 The Fist


Posted 01 July 2004 - 06:42 AM

I've been free from About:Blank / SearchX for almost 24 hours. Also, almost all other system problems (mysterious errors when opening up the MS-DOS window, etc.) have disappeared. All scans are coming back clean. Prior to the fix, About:Blank was coming back at least two or three times a day (sometimes more). I haven't tried AdwareAway. However, at one point Norton AV was detecting a spyware virus in my C:\_restore directory. The 15th step will get rid of any viruses that are lurking in your system based on ME's System Restore function. Let me know how it goes.

The Fist

#5 coooka


Posted 01 July 2004 - 07:00 AM

Fist,
Re: Step 15.

When I go to Control Panel, then System... it doesn't give me a Performance tab option.
Am I in the wrong place?

Tabs offered in System are: General, Network Identification, Hardware, User Profiles, Advanced.

I'm running Windows 2000.
Maybe you can direct me to the right place to attempt step 15.
Thanks, -C

#6 The Fist


Posted 01 July 2004 - 07:27 AM

cooka:

The system restore function is only for ME and XP. I don't think that 2000 has a system restore. You can skip that step and just reboot.

The Fist

#7 ideaphorian


Posted 01 July 2004 - 11:27 AM

Glad to see that it's working for you, Fist! My Windows ME computer has been virus-free for almost 48 hours now (just ran Ad-aware to confirm this), and I'm confident that it will remain so -- the symptoms (error messages at start-up and shutdown) have disappeared, and BobO's instructions on finding the offending file buried deep in DOS appear to have been accurate.

#8 coooka


Posted 01 July 2004 - 01:24 PM

Thanks Fist,
I'll give it a whirl!

Did you check your system with AdwareAway by chance?

If you choose to do so.. just run a Global Scan. It isn't a long process
and it will immediately tell you if you're clean or not.

Now you've got me curious!
If your fix works.. it will cause a lot of heartache to go away for
a lot of computer users.

Thanks Again, -C

#9 sithie


Posted 01 July 2004 - 01:46 PM

Blah, Fist:

I'm on XP and I did as you said, except my notepad.exe and wmplayer.exe aren't called *.exe.bak. However, even though they are not renamed, they don't work still.

I also did your search for 57,344kb size files in cmd in the windows\system and windows\system32 folders, and it only came up with a single file that was 57,344. This file, as you said, is supposed to be "hidden" in that folder, however, it is not hidden so I don't believe it is the culprit.

Still waiting for the XP CWS fix,

Sithie

#10 Mrfullsrvc


Posted 01 July 2004 - 01:55 PM

I've been free of this beast for 24 hours now. Here's how I did it: I fought with this virus for a week and a half. It's a Win32.Mersting.B trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From ca's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the HJT, CWS shredder, Spybot, Adaware, pest patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eztrust from cai) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

To see information about it, go to:

http://vic.zonelabs....s.jsp?VId=39113
http://www3.ca.com/s...s.aspx?id=39113
http://uk.trendmicro...me=TROJ_AGENT.A

For information on the Reg Start page, go to:

http://www3.ca.com/s...s.aspx?ID=28683

Trend Micro's removal tool for this particular mofo is at:

https://beta.activeu...gentv1.0007.zip

I have a command file (.cmd) named delmer.cmd that will remove it for you too that was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode mime files tho. For anyone who knows how to create a command file, below is the contents of that command file:


@echo off
rem delmer.cmd - usage: delmer.cmd <full path to the trojan file>
rem The argument is quoted so paths containing spaces still work.
rem Grant everyone full access to the file so it can be read and deleted
echo y| cacls.exe "%~1" /g everyone:f
rem Access the file to trigger the antivirus resident protection
type "%~1" > nul
rem Wait 10 seconds to allow system clean to run
rem ("delay" is not a built-in Windows command; pinging localhost 11 times
rem is the usual stand-in for a 10 second pause in a .cmd file)
ping -n 11 127.0.0.1 > nul
rem In case system clean didn't run, delete the file manually
del /q /f "%~1"

Make sure that once you run the command file, or the fixtool from Trend Micro that you turn off the system restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the system restore points. Your antivirus will detect the virus if you don't turn the system restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!

#11 The Fist


Posted 01 July 2004 - 03:18 PM

sithie:

Sorry I can't help you on the XP fix. This fix only works for ME and possibly for '98.

#12 The Fist


Posted 02 July 2004 - 08:41 AM

It's been two days and no sign of it returning.

The Fist

#13 JhonnyBench


Posted 02 July 2004 - 09:01 AM

Any XP fixes for this horror?

#14 coooka


Posted 02 July 2004 - 11:10 AM

Fist, Super glad to hear it!
I am in the same boat.
About:Blank has seemingly left and isn't returning..
Only problem is the malicious file on my computer "lognb.dll" cannot
be removed!!!
I've tried numerous delete mechanisms like Killbox for instance..
but this thing is a B!
Any thoughts?
I'd be very appreciative.
Thanks, -C

#15 The Fist


Posted 02 July 2004 - 02:13 PM

cooka:

My only suggestion is booting up with a startup disk in DOS and renaming the file... In my case, it couldn't be deleted when windows was running.

#16 fugesi


Posted 05 July 2004 - 11:29 PM

Hi Fist,

I had about:blank and the generic search page plus spyware removal popups and followed some advice from Phantom which seemed to get rid of most of the symptoms.

I don't have about:blank appearing anymore but when IE can't find a page it redirects me to a Chinese portal and it is sometimes very difficult to get to www.spywareinfo.com. Also my memory usage is always at 96%-100% and connections seem very slow - is that normal?

I tried to run your fix for ME but I couldn't check against the date of notepad.exe as I never lost notepad. I did lose Mediaplayer around the 10th and then reinstalled it but I didn't realise it had anything to do with spyware at the time -Duuhh!.

When I searched for *.dll files I found several with 57,344 bytes but none entered recently. I then looked for .dll files entered in June (I guess I was infected around the 10th or 11th) and found the following - but they have a value of 0 bytes!

kbdijle.dll 06/11/04
loghbfg.dll 06/11/04
winhlf.dll 06/11/04
winbmjc 06/11/04

All of the above can also be found in c:\windows\system, where they appear as empty notepad files, so I don't know if they are the baddies.

I renamed the kbdijle.dll to kbdijle.bob and ran Ad-aware but it showed nothing, just 29 running processes instead of the usual 32. I'm a bit worried about renaming things that begin with win or log!

CWShredder doesn't show anything and Spybot S&D shows something called DSO exploit and something in German but says it has fixed them each time. I've tried to get updates for Spybot but it has said there aren't any for the past week or so.

I have run HJT but I wouldn't know a suspicious file if it jumped up and slapped me in the face - not very computer savvy!
Any help appreciated

#17 The Fist


Posted 06 July 2004 - 06:59 PM

fugesi:

I would try Rubber Ducky's fix Here. Otherwise, I would post a new thread and write down what you have done with a Hijack This log.

#18 fugesi


Posted 07 July 2004 - 05:08 AM

Thanks Fist, I'll do that. Just feel a bit bad going back again and wasting more people's time when I thought I'd got rid of it completely!

#19 The Fist


Posted 10 July 2004 - 07:06 AM

It's been a week and a half and still no sign of About:Blank - the sp.html variety - returning!

#20 girlie


Posted 22 July 2004 - 03:21 AM

Hi Fist,
I was feeling so outta options, I thought I'd probably have to wipe out my hd, then I saw BobO's post and thanks to you for posting there that you'd written it up for ME, I am now hopeful I can get rid of this junk once and for all... Btw, I searched for wmplayer.exe.bak even tho it still functions and I have it with the date and all... I got infected last Monday. And I too have the ...\cookies\[girlie]@tribalfusion[1].txt. Anyway, as excited as I am, let me 'curb my enthusiasm' ;-) and ask a couple questions to start this on the right foot...

1. Bobo said to "turn off the system restore", I thought that means to check the "disable system restore"...but then you say to UNcheck the "disable system restore", that would enable "system restore" wouldn't it? I'm confused! Wanna do it the right way.

and 2. right now, every time I run Ad-Aware, after it finds and quarantines, it seems like it can't delete. I get a window titled "Anwendungsfehler" !! and it says
"Exception EFCreateError in Modul AAWHELPER.DLL bei 000CEC2"
Any idea what this is or if it's related to the CWS? or how I could fix Ad-Aware before I unplug and go for the booger?

Thanks a bunch Fist

Edited by girlie, 22 July 2004 - 03:23 AM.
