This is *the Solution* to *recurring* about:blank!

#1 JustPassingBy



Posted 02 July 2004 - 07:33 PM

Basically, follow the instruction at http://www.akadia.co...lank_virus.html

That's it! Well, almost... Here is my story. If you are in a rush, start reading at point 12 :-)

1) The classic problem - Homepage was changed to a search page and pop-ups kept appearing to urge me to purchase Spyware removal software. Panda Software describes this virus as StartPage.FH

For screen shots of the problem take a look at http://www.pandasoft...x?idvirus=48563

2) Running http://www.pandasoft...n_principal.htm identifies the existence of StartPage.FH and removes it. Incidentally, Trend Micro's on-line scanner at http://housecall.tre.../start_corp.asp was just crashing Internet Explorer!

3) After removal with Panda ActiveScan all seemed well for about 24 hours - then the virus reappeared.

4) StartPage.FH appeared to be triggered by the creation of a random named Browser Helper Object DLL. BHODemon V2.0 is good for spotting these as soon as created.

5) Downloaded all sorts of great programs I saw discussed on this site: HijackThis, CWShredder, BHODemon, Ad-Aware... but still I was stuck with the 24hr recurrence (after cleaning with Panda ActiveScan).

6) By this stage I had determined that it was definitely iexplore.exe and its associated dlls that were triggering the reinstallation of StartPage.FH

7) So, went to www.sysinternals and downloaded regmon and filemon - great utilities BTW!

8) Rebooted; started regmon and filemon; opened and closed Internet Explorer; paused regmon and filemon capture; reviewed regmon and filemon for activity during opening and closing Internet Explorer.

9) Spotted a regmon entry for a strange dll:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
SUCCESS "C:\WINDOWS\System32\resegeh.dll"

BTW, I assume that this dll name is again random??

10) Went looking for this DLL in System32 - it wasn't there! :gasp:

11) So I thought, let's create a dummy file of that name in the same folder - but I couldn't - Error message "A file of that name already exists!" :gasp:

12) Searched the web for "hidden dll virus" - all of a sudden we are getting there fast! Take a look at this link:


13) Lots of other references to dllfix.exe as possible fix, but the author has currently removed this file while he fixes some bugs.

14) So followed the manual removal as per the akadia link.

15) Note, you do need the Registrar Lite registry editor - in regedit you can't see the value for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\

16) As per Akadia link I installed the recovery console off the XP CD, but Windows wouldn't then start in recovery mode - it blue screened!

17) So, had to run the recovery console directly from the XP CD. Not a problem, just boot from the XP CD and after it's loaded up all its drivers you will have the option of "Press R to repair via recovery console"

18) Other than that, just follow the Akadia instructions to the letter!

19) Just to be tidy, do a final cleanup by running CWShredder.

So, this is a nasty one indeed!

The hidden dll is running all the time and seems to:

1) Crash Trend Micro's HouseCall scanner.
2) Hide the value for the AppInit_DLLs in regedit
3) Hide the dll itself (even if you have all your settings at "Show hidden files")!
4) Prevent running (or maybe corrupts the installation) of the recovery console - so forced to run it from the CD.

BTW, I am convinced that I did not "run" anything to get this virus - I am suspicious that this virus got on my PC from the current high profile holes in Internet Explorer - what do others reckon?

Anyway, I hope this helps all the others out there who are also struggling with this nasty hijack - take a look at Panda Software's virus stats for StartPage.FH. At the moment it represents about 3% of all viruses found by ActiveScan. Yet the graphs show that StartPage.FH barely featured until about mid-June!

BTW, I suggest you run Active Scan to remove StartPage.FH first, before embarking on the hidden dll removal procedure! In case it's not clear from the above - It's not removing StartPage.FH that's the problem, but removing the *hidden* dll that keeps reinstalling it!

Oh, and thank you Akadia!
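Steps 8-11 above amount to a cross-view check: the same AppInit_DLLs value and the same DLL are looked up through several independent paths, and the one that disagrees exposes the hidden file. The script below is an added example and is not part of the original post or of the Akadia instructions. It reads AppInit_DLLs through the registry provider and through reg.exe, then tests each DLL it names by directory listing and by an exclusive-create attempt, which is exactly the "file of that name already exists" probe from step 11. It assumes an elevated PowerShell prompt on a modern Windows; the key paths are the real AppInit locations, and nothing about the DLL names is hard-coded.

```powershell
# Added example (not from the original post or Akadia): cross-check AppInit_DLLs
# and every DLL it names through independent views. A DLL that no listing shows,
# yet whose name cannot be created anew, is the "hidden dll" symptom.
# Run from an elevated PowerShell prompt.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regExePath = $key -replace '^HKLM:\\', 'HKLM\'

    # View 1: the registry provider (the same API path regedit uses).
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $viaProvider = [string]$props.AppInit_DLLs

    # View 2: reg.exe, parsed from its text output ("AppInit_DLLs    REG_SZ    value").
    $viaRegExe = [string](& reg.exe query $regExePath /v AppInit_DLLs 2>$null |
        Where-Object { $_ -match '^\s*AppInit_DLLs\s+REG_\w+\s*(.*)$' } |
        ForEach-Object { $Matches[1].Trim() } |
        Select-Object -First 1)

    Write-Host "`n$key"
    Write-Host "  AppInit_DLLs (provider) : '$viaProvider'"
    Write-Host "  AppInit_DLLs (reg.exe)  : '$viaRegExe'"
    Write-Host "  LoadAppInit_DLLs        : $($props.LoadAppInit_DLLs)"   # gate on Vista and later; absent on XP/2000
    if ($viaProvider -ne $viaRegExe) {
        Write-Warning '  The two registry views disagree: something is filtering one of them.'
    }

    # Relative names load from System32 (native key) or SysWOW64 (Wow6432Node key).
    $sysDir = if ($key -like '*Wow6432Node*') { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }

    # The value is a space/comma separated list of DLL paths; merge both views.
    $dlls = ($viaProvider, $viaRegExe) | ForEach-Object { $_ -split '[ ,;]+' } | Where-Object { $_ } | Sort-Object -Unique
    foreach ($dll in $dlls) {
        $full = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sysDir $dll }

        # View 3: directory enumeration, hidden and system attributes included.
        $listed = [bool](Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue)

        # View 4: an exclusive create. CreateNew throws IOException only when an
        # object of that name already exists, whether or not a listing shows it.
        $createRefused = $false
        if (-not $listed) {
            try {
                $fs = [System.IO.File]::Open($full, [System.IO.FileMode]::CreateNew)
                $fs.Dispose()
                Remove-Item -LiteralPath $full -Force        # our own probe file; clean it up
            } catch [System.IO.IOException] {
                $createRefused = $true
            } catch [System.UnauthorizedAccessException] {
                Write-Warning "  Cannot probe $full without elevation"
            }
        }

        $verdict = if ($listed) { 'visible on disk' }
                   elseif ($createRefused) { 'NOT listed, but a create of that name is refused: hidden file' }
                   else { 'not on disk (dangling entry)' }
        Write-Host ("  {0,-55} {1}" -f $full, $verdict)
    }
}
```

The probe is only meaningful from the infected system itself: a user-mode hook that filters directory listings and registry reads for the running session is what produces the disagreement, so the same script run from a clean boot or the Recovery Console will simply show the file. Treat a "hidden file" verdict as the cue to do the actual rename and delete from outside the infected Windows, as the Akadia steps do.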

#2 wizzahd



Posted 02 July 2004 - 08:39 PM

ah, so the AppInit_DLLs value was hidden, not blank? crazy.

anyway, I received mine from a mysterious .chm file that was in my root folder. I had gotten up to go to the bathroom and a blank page had opened in IE that I most definitely did not navigate to. anyway, after messing with the source, I figured out that somehow this .chm (which is a Microsoft compiled HTML help file, by the way) had come from the site on my screen. so naturally, I opened it thinking that no harm could come from HTML and images. then the damn ADODB vulnerability reared its nasty face and filled my computer with CoolWebSearch variants. and that brings us to sometime last week, tearing my hair out like the rest of us.

maybe that will help someone out.

#3 joeb



Posted 05 July 2004 - 12:01 PM

Please help me. I followed this procedure and found this: C:\WINNT\system32\resnhmj.dll as a hidden dll, but when I use the Windows Recovery Console in my Windows 2000 it will only let me go into the c:\winnt folder, not into the c:\winnt\system32 folder, to find and rename this and then delete its value in the Registrar Lite program, so how do I get to this file? I tried changing security settings but I can't get the local security settings to open for me to change this to allow viewing and changing of all file folders, because I get this message when I try to access the security option tabs: "Windows cannot open the local policy database. The database you are attempting to open does not exist." Get me? I'm not sure why this is not working either, but I need to know how to look in the system32 folder and rename the evil/corrupted file and then delete it. How do I get to it in the Windows Recovery Console when I can't search the dir of anything other than the winnt\ folder? Any help is appreciated. If I can get into c:\winnt\system32 through the Windows Recovery Console then I can rename the file and then delete it; it will not go away by just deleting resnhmj.dll from AppInit_DLLs and deleting the value. I need access to the system32 folder where this file is hidden, even though I checked under My Computer/View/Files and Folders/Show hidden files and folders. Any ideas fellas? I know I'm close to fixing the last remnant of this about:blank plague.

#4 cnm


Posted 05 July 2004 - 12:15 PM

Please read the pinned topics in this forum.

#5 joeb



Posted 05 July 2004 - 12:21 PM

I did. I'm trying to get to the corrupt file which I found as a "hidden" dll file, but I can not get into c:\winnt\system32, only c:\winnt, therefore I can't get to the hidden file as it's in system32. The Windows 2000 Recovery Console by default only allows access to the c:\winnt folder unless, I repeat unless, you change the local security settings in Control Panel - Administrative Tools - Local Security Policy - Local Policies - Security Options. This is where I get a message saying "Windows cannot open the local policy database. The database you are attempting to open does not exist." But unless I can get into this and change the setting I can't get into system32, get me? Please, if you don't understand what I need, please be more descriptive, not brief.

#6 joeb



Posted 06 July 2004 - 03:31 PM

OK, I have reinstalled Windows 2000 and installed Windows into a "windows" named folder and not the regular default "winnt" named folder. This was done to isolate the bad file. Turns out the file is 57,344 kb like all have said too. I can go into my old "winnt\system32" folder now and find the file; it's not hidden anymore due to the folder not being used for Windows, since I am running Windows out of the new "windows" named folder I created. So since the file is now not hidden, called resnhmj.dll, I was able to rename it to about_blank or any other name, but I can not delete it. I can not delete the "winnt\system32" folder either. I also dumped, for a test, every file from the old "winnt\system32" folder into my recycling bin and it lets me delete every file except 1, guess... right, the resnhmj.dll (renamed about_blank). So I'm stuck. Windows runs perfectly now, I get no popups or homepage hijacks, but I still would like to dump this damn piece of crap file. I try to delete it and I get the message "cannot delete about_blank: Access is denied. The source file may be in use". Then I also try to change its attributes from "read only" by unchecking that, but when I hit Apply I get an error message "An error occurred applying attributes to the file C:system32\about_blank Access is denied." I put the file on my C drive and it sits inside a system32 folder that came from the old winnt Windows folder, so you follow me. So basically I can change the file's name and see its properties, but I can't delete it or change its attributes. So does anyone know what or how to delete this thing? Also I tried looking at the file through the Windows Recovery Console, but when I go to the folder it's inside I get a "denied access" message, so I can't access or view this file or delete it from the recovery console. So I've got it isolated, but how do I kill it off my system? Should I try to change system security settings now under Local Security Policy in the control panel?
Please guys, I'm so close to fixing this for good now, well at least until I stumble across it again surfing the web... Thanks for any ideas on how to delete the folder and the 1 file inside.

#7 beatsntoons



Posted 06 July 2004 - 04:34 PM

Thanks for the good work JustPassingBy! I've created a topic around here detailing the same problem I had.. however, would you know how I'd try your solution with Windows XP? I don't have access to a CD for my OS because it came pre-installed on my laptop.
I've found one of the bad .dll files - (C:\Windows\system32\glh.dll), but I'm kinda stuck at this point!
Also, reglite doesn't seem to show me any hidden values via Akadia's method.


#8 joeb



Posted 06 July 2004 - 05:30 PM

IT'S DONE!!! Well, I went with my gut on this one. I figured out how to get access and control over my files, then I changed this bad file's attributes, and then it allowed me to delete it and the folder, and then I deleted it from the recycling bin... I first went into Start - Settings - Control Panel - Administrative Tools - Local Security Policy - Local Policies - Security Options and changed both recovery console options from disabled to enabled (this allows access and floppy copy to all drives and all folders). Then I went into the bad file I had named about_blank and went into Properties - Security - Advanced - Owner, which was my name, and then I changed myself to owner of the file (I am the current administrator anyhow). Then clicked Apply, then OK, then went into Permissions under my name, which now says "allow" and "full control", then went into changing all permissions to allow, with a checkmark in "full control, modify, read & execute, list folder contents, read, write" and "allow inheritable permissions from parent to propagate to this object", all checkmarked to allow me permission. Then of course rebooted after applying the new settings, then came back into the folder and deleted the file first, then the folder second, then looked in the recycle bin to see if it went there, and it did, then emptied it all out, then rebooted, then looked and it was all gone for good. Then ran a search to make sure it was gone, and it was. I do believe I am one of only a few now who totally got rid of this about:blank CoolWebSearch virus, but I had to reinstall Windows into another folder other than "winnt" and do a lot of copying and pasting and then updating of all my programs, but it took less than 3 hours or so and I got all the old Windows 2000 files and viruses deleted. I think I'm free. Thanks for the help, but in the end I did it myself.
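What joeb did through the Properties dialogs (take ownership, grant Full Control, clear the attributes, delete) is a standard sequence, and the "may be in use" message he hit in the post before is what you get when a process still has the DLL mapped. The function below is an added example, not joeb's own commands, that runs the same sequence from an elevated PowerShell prompt on Vista or later and adds the check he was missing: it lists any process that has the file loaded before trying to delete it. The path in the usage line is a placeholder taken from this thread; substitute the file you identified.

```powershell
# Added example (not the poster's own commands): take ownership, grant Full
# Control, clear attributes and delete a DLL that refuses deletion, after first
# checking whether any running process still has it mapped.
# Requires an elevated prompt; takeown.exe and icacls.exe ship with Vista and later.

function Remove-StubbornDll {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path is not visible from this session. If it is still being hidden, work from the Recovery Console or another boot instead."
        return $false
    }

    # 1. A mapped image cannot be deleted. Enumerate loaders first; protected
    #    processes refuse Modules access, so treat that as "unknown" (false).
    $loaders = Get-Process | Where-Object {
        try { @($_.Modules.FileName) -contains $Path } catch { $false }
    }
    if ($loaders) {
        $names = ($loaders | ForEach-Object { "$($_.ProcessName)($($_.Id))" }) -join ', '
        Write-Warning "Still loaded by: $names. Clear the AppInit_DLLs entry, reboot, then run again."
        return $false
    }

    # 2. Ownership to the Administrators group (/A), then Full Control for it.
    #    *S-1-5-32-544 is the group's well-known SID, so this does not depend on
    #    the localized group name.
    & takeown.exe /F $Path /A | Out-Null
    & icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null

    # 3. ReadOnly/Hidden/System would otherwise make the delete fail or hide the file.
    (Get-Item -LiteralPath $Path -Force).Attributes = [System.IO.FileAttributes]::Normal

    # 4. Delete and report whether it is really gone.
    Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    return -not (Test-Path -LiteralPath $Path)
}

# Usage (placeholder path from this thread; substitute your own):
# Remove-StubbornDll -Path 'C:\winnt\system32\resnhmj.dll'
```

For the Recovery Console restriction that stopped joeb in his earlier posts: enabling the policy "Recovery console: Allow floppy copy and access to all drives and all folders" (one of the two options he turned on) is only half of it; at the console prompt you then type `set AllowAllPaths = TRUE` before the console will let you change into System32 or another drive.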

