RubbeR DuckY

About:blank http://res fix works !!!

254 posts in this topic

I did this scan in safe mode.

Buster says I have over 2000 items scanned.

Is that how many files need to be removed?

Will it remove files I need?

Do I need to click yes every time Buster prompts to close IE, until I reach 100%?

Thanks


smnitro1

 

Hey..

Buster says I have over 2000 items scanned. Is that how many files need to be removed?

 

No... that is how many files are in your Windows and System folder.

 

Will it remove files I need?

 

No... It will simply remove files associated with this trojan.

 

Do I need to click yes every time Buster prompts to close IE, until I reach 100%?

 

No... You can always click No :p ... To not have as many errors, reboot into safe mode and run Buster.


:grrr: NNNNNNNNNNNNNNOOOOOOOOOOOOOOOOOOO!!!!! :alarm:

:grrr:

 

OK, this is still in my computer. About:blank won't LEAVE ME ALONE! Come on, this is so annoying. Why can't I get it out of my computer? :(

I am on Windows 2000. I did everything, Rubber Ducky: I booted in safe mode and used About:Buster 3.1, the latest version. Now the crap is back on my computer. What do I do now? :(


Hey there ducky,

 

Erm, I have the about:blank problem. I have run several programs to try and get rid of it, which have not succeeded, and have now tried to run the About:Buster program. The Buster runs until 50% completed and then asks if it can shut down my computer to get rid of a file it has found. It then shuts my computer down to a blue screen telling me that it has had to close my computer down because of potential damage to my computer.

 

Please help. I have a hijackthis log if you would like to see that.

 

thanks a lot,

 

bob

By root cause of this.. do you mean where it was installed and how to prevent getting it... or stop it from replicating?

Hi Rubber Ducky,

 

I'm referring to the replication factor and the removal of the 'hidden' files that both JOEB and DJ BARCODE have posted 'how to find it' posts.

 

Being a simple chap I'm struggling to follow the advice on how to get rid of the hidden files that are creating the visible symptoms that about:buster, CWS shredder, ad-aware and the like CAN get rid of.

 

Is there no way that About:Buster etc. could be enhanced to search for the hidden files too and get rid of them as well? That way, the visible symptoms of the problem won't reoccur, i.e. prevention rather than cure?

 

Cheers again for all your help.

 

Joeb/DJ barcode - are you able to 'publish' a step by step 'idiots guide' on here to remove the hidden files ?

 

Cheers all,

Martin


Hey there.. I'm sorry I can't tell you what files to delete. They are all random filenames and posting on how to find them would mean a few 100 pages to recognize which program is bad. About:Buster DOES search hidden files.. apparently it's missing something. If you find a file that it's missing, please send a copy of the file.

 

skiptracerbob - when it asks to shut down say no... then boot into safe mode and run it again.

After reading through this thread, I was able to finally remove the file that was causing the repeated reinfection - mostly from the posts of joeb. I have a copy (don't know how it got there ;)) of NTFSPRO - an application that allows you to read and write NTFS partitions from DOS. I have it burned onto a bootable CD. The file that was causing my problems was C:\Windows\System32\ctlndio.dll. Like joeb, I was unable to see the file at all from Windows, Windows in Safe Mode, or a DOS box. Once I booted the machine from the CD, I was able to see the file. Then I could rename it and delete it.

 

Hi DJ Barcode,

 

I've downloaded and installed NTFSDOS Professional. I started to run it and follow the boot disk wizard, but not knowing enough about PCs and how they work I started to get cold feet when it started asking me for 'system file location' and the like.

Would you be able to post some layman's step by step instructions on how to use NTFSDOS Pro so that I can be confident that I'm not about to move/touch (etc) any system files that could mess my PC up for good (knowing my bad luck !!)

I don't even know what NTFS means so I need spoon feeding !

 

Cheers if you can help.

Martin

Hey there.. I'm sorry I can't tell you what files to delete. They are all random filenames and posting on how to find them would mean a few 100 pages to recognize which program is bad. About:Buster DOES search hidden files.. apparently it's missing something. If you find a file that it's missing, please send a copy of the file.

 

skiptracerbob - when it asks to shut down say no... then boot into safe mode and run it again.

Hi Rubber Ducky - thanks for the reply. Hopefully I'll get somewhere with this NTFS 'hidden file tool'....

cheers,

Martin


hi,

 

At the risk of sounding like a retard, how do I get it into safe mode?

I've got XP Professional, and any attempts to get my computer into safe mode have not worked so far. I've gone to the configuration menu by pressing F8 as it boots up but have not been able to find anything of help.

 

Your help is much appreciated,

 

bob


OK, when you tap F8 during boot a menu pops up. The thing that is selected is boot Windows normally. Press the up and down arrow keys to get up to Boot Into Safe Mode. Then hit Enter.


:grrr: Here is my log from HijackThis, any help is appreciated. I have tried quite a few programs but it keeps reverting to res//

Logfile of HijackThis v1.97.7

Scan saved at 3:55:28 AM, on 7/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\NMSSvc.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\System32\svchost.exe

C:\WINNT\netsq32.exe

C:\Program Files\NetZero\exec.exe

C:\Program Files\NetZero\exec.exe

C:\WINNT\system32\d3rp32.exe

C:\WINNT\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wqtue.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wqtue.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wqtue.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wqtue.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wqtue.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\wqtue.dll/sp.html#28129

O2 - BHO: (no name) - {74C7113B-BBFB-3956-1721-47A7E10DA6FB} - C:\WINNT\system32\winpr.dll

O4 - HKLM\..\Run: [services Process] C:\WINNT\system32\config\services.exe

O4 - HKLM\..\Run: [d3rp32.exe] C:\WINNT\system32\d3rp32.exe

O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun

O17 - HKLM\System\CCS\Services\Tcpip\..\{F5E854EA-5F42-418C-95CE-AA4056F706AF}: NameServer = 64.136.28.120 64.136.28.133

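Added example, not part of any post in this thread: a Python sketch of how a helper reading a HijackThis log like the one above could pick out the Internet Explorer settings that point at a res:// URL, name the DLL they reference, and list the O2/O4 load points for manual review. The sample lines are copied from that log; the function names are made up for this illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\wqtue.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wqtue.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wqtue.dll/index.html#28129
O2 - BHO: (no name) - {74C7113B-BBFB-3956-1721-47A7E10DA6FB} - C:\WINNT\system32\winpr.dll
O4 - HKLM\..\Run: [d3rp32.exe] C:\WINNT\system32\d3rp32.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
"""

# "R0 - HKCU\<key>,<value name> = <data>"
R_LINE = re.compile(r"^R[0-3] - (HK\w+)\\(.+?),(.+?)\s*=\s*(.*)$")
# res://<module>/<resource>; the module may be a bare name or a full Windows path
RES_URL = re.compile(r"^res://([^/]+)/(.*)$", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\\w+: \[(.*?)\] (.+)$")


def find_res_hijacks(log_text):
    """Map each DLL named in a res:// IE setting to the settings that use it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        hive, _key, value_name, data = m.groups()
        res = RES_URL.match(data)
        if res:
            # Normalise "C:\WINNT\system32\wqtue.dll" and "wqtue.dll" to one name.
            dll = ntpath.basename(res.group(1)).lower()
            hits[dll].append(f"{hive}:{value_name}")
    return {dll: sorted(names) for dll, names in hits.items()}


def list_load_points(log_text):
    """Return (section, name, path-or-command) for BHO (O2) and Run (O4) entries."""
    points = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_LINE.match(line)
        if m:
            points.append(("O2", m.group(1), m.group(2)))
            continue
        m = O4_LINE.match(line)
        if m:
            points.append(("O4", f"{m.group(1)}:{m.group(2)}", m.group(3)))
    return points


def triage(log_text):
    """Combine both views and mark load points that reference a hijack DLL."""
    hijacks = find_res_hijacks(log_text)
    review = []
    for section, name, target in list_load_points(log_text):
        same_dll = any(dll in target.lower() for dll in hijacks)
        review.append({"section": section, "name": name,
                       "target": target, "references_hijack_dll": same_dll})
    return {"res_hijacks": hijacks, "review": review}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dll, settings in report["res_hijacks"].items():
        print(f"{dll}: {', '.join(settings)}")
    for item in report["review"]:
        print(item)
```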

Had the about blank problem for a month. I had tried everything to permanently rid my PC of this pest. Two days ago I tried the sphjfix and WOOHOO it worked! Sure was a lot easier than the instructions I was reading for removing the hidden DLL file.

Come on Rubberducky, I get run time error 53. Do you have a solution or not? Or is it too hard to answer?

Might be :p

Can you please give me a full description of the error.. like write it down somewhere. Then type it up here.. thank you :D


This didn't help remove that about:blank. I really want that removed. Can anyone tell me how I can get it removed? I even went in Safe Mode to try and remove it. That didn't work either. :( Can anyone tell me how I can remove it?

Edited by TheDeadPhenom


Hi RubbeR DuckY,

 

I'll send you the .dll files I have. I recall seeing an email addr somewhere, but I can't find it anymore. Where do you want it?

 

S.


I got it off for only about 1h and then it came back, about:blank I mean.

I booted safe mode, scanned with AboutBuster and HijackThis.

Would you be able to post some layman's step by step instructions on how to use NTFSDOS Pro so that I can be confident that I'm not about to move/touch (etc) any system files that could mess my PC up for good (knowing my bad luck !!)

I don't even know what NTFS means so I need spoon feeding !

I do not lay claim to the discovery of all this information. Much of it is credited to joeb.

 

First, get yourself a copy of Registrar Lite (reglite). This is what you'll use to find what file you need to delete. In Registrar Lite, browse to HKLM\Software\Windows NT\CurrentVersion\Windows. There you will see a value named "AppInit_DLLs". Note the filename stored in it - that's your bug! :p Delete this value in Registrar Lite. FYI, you can NOT see this in the registry editor (regedit.exe) that comes with the OS.

 

Just for s&$%s 'n' giggles, you can *try* to open your C:\Windows\System32 (or C:\WINNT\System32, if you're using Win2K) and look for that dll file. You won't find it. I don't know how those scumbags did it but the file is totally hidden from view. You can't see it, delete it, overwrite it, or rename it even if you're a local administrator viewing all files including hidden and system files. :weee:

 

Now let's get rid of it. Boot your machine from a DOS boot disk. You can download a simple Windows98 boot disk image from bootdisk.com. I don't know much about this "Boot Disk Wizard" you were talking about (I assume it came with NTFSPRO), but it will probably work. Mount the NTFS (New Technology File System, BTW) partition using NTFSPRO (I believe you simply type "NTFSPRO" at the command line - I can't remember because I made a boot CD a long time ago that performs all these commands for me). Now, type "cd C:\Windows\System32" (or "cd C:\WINNT\System32" if you've got Win2K). Now you'll be able to see the file if you type "dir <the filename from Registrar Lite>". To double-check, the filesize of the bug will be 57344 bytes (unless the scumbags have a new version out there). For some reason, you need to rename it before you can delete it ("rename <filename> deleteme.dll" then "delete deleteme.dll").

 

Reboot Windows normally and you should be clean. Wouldn't hurt to run Ad-Aware/SBS&D/HJT/CWShredder etc. again just to get rid of anything the bug left behind.

Let me finish by saying that this is the nastiest bug I've ever seen in all my years of computer experience. NAV doesn't detect it (I assume because it's really not a virus in that it does not replicate - though it technically is a Trojan), and Ad-Aware/SBS&D/HJT/CWShredder/et al. relieve the symptoms but fail to remove the problem. I know that About:Buster worked for many people, but it would not remove the infection from my computer as I apparently had a strain of the CWS Trojan that it doesn't handle (yet). I hope that someone (Ducky?) can write something that will eradicate this plague from the face of the Earth once and for all.

Edited by DJ Barcode

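Added example, not part of DJ Barcode's post or of any tool named in the thread: a Python sketch of the check that post describes, run from another operating system with the Windows partition mounted. It reads AppInit_DLLs from a registry export (the value normally lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows), finds each listed DLL in System32 without regard to case, and compares its size with the 57344 bytes the post reports. Assumptions: the export was produced by a tool that can see the value and is already decoded to text; ctlndio.dll is the file name quoted earlier in the thread; the function names are made up for this illustration.

```python
import os
import re
import tempfile

# Function names here are illustrative, not taken from any tool in the thread.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SIZE_FROM_POST = 57344  # size reported in the post; other builds may differ


def appinit_entries(reg_export_text):
    """Return the DLLs listed in AppInit_DLLs in a .reg export (REG_SZ form)."""
    in_key = False
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == KEY.lower()
            continue
        m = re.match(r'^"AppInit_DLLs"="(.*)"$', line, re.IGNORECASE)
        if in_key and m:
            # .reg files escape backslash and double quote with a backslash.
            data = re.sub(r"\\(.)", r"\1", m.group(1))
            # The value is a list delimited by spaces or commas.
            return [part for part in re.split(r"[ ,]+", data) if part]
    return []


def find_ci(directory, name):
    """Case-insensitive lookup, needed when NTFS is mounted from a non-Windows OS."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def check_offline(system32_dir, reg_export_text):
    """Report, for each AppInit_DLLs entry, whether the file exists and its size."""
    report = []
    for dll in appinit_entries(reg_export_text):
        # Entries may be bare names or full paths; look the file name up in System32.
        name = dll.replace("/", "\\").rsplit("\\", 1)[-1]
        path = find_ci(system32_dir, name)
        size = os.path.getsize(path) if path else None
        report.append({"entry": dll, "found": path is not None, "size": size,
                       "size_matches_post": size == SIZE_FROM_POST})
    return report


def demo():
    """Constructed input: a one-value export and a dummy file of the reported size."""
    export = (
        "Windows Registry Editor Version 5.00\n\n"
        "[" + KEY + "]\n"
        '"AppInit_DLLs"="ctlndio.dll"\n'
    )
    with tempfile.TemporaryDirectory() as sys32:
        with open(os.path.join(sys32, "CTLNDIO.DLL"), "wb") as fh:
            fh.write(b"\0" * SIZE_FROM_POST)
        return check_offline(sys32, export)


if __name__ == "__main__":
    for row in demo():
        print(row)
```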

For those having trouble figuring out which .dll is the hidden monster. I think a program I am using, called WinPatrol, think it's www.winpatrol.com or Scotty the Watchdog or something, lol. Well, it's like a monitoring tool, and the .dll that loves to rename itself and change and what not, WinPatrol keeps recognizing it, and confirms with me first, to see whether I want this unwanted .dll to be installed/accepted.

So, in other words, this seems to find the .dll that keeps trying to force its way on your computer every reboot, should help in finding the bad one. Only problem is it keeps trying to install itself every 5 mins or so :grrr:

 

Good luck

... Boot your machine from a DOS boot disk.  You can download a simple Windows98 boot disk image from bootdisk.com.  I don't know much about this "Boot Disk Wizard" you were talking about (I assume it came with NTFSPRO), but it will probably work.  Mount the NTFS (New Technology File System, BTW) partition using NTFSPRO (I believe you simply type "NTFSPRO" at the command line - I can't remember because I made a boot CD a long time ago that performs all these commands for me).  Now, type "cd C:\Windows\System32" (or "cd C:\WINNT\System32" if you've got Win2K).  Now you'll be able to see the file if you type "dir <the filename from Registrar Lite>".  To double-check, the filesize of the bug will be 57344 bytes (unless the scumbags have a new version out there).  For some reason, you need to rename it before you can delete it ("rename <filename> deleteme.dll" then "delete deleteme.dll").

 

Reboot Windows normally and you should be clean. Wouldn't hurt to run Ad-Aware/SBS&D/HJT/CWShredder etc. again just to get rid of anything the bug left behind.

DJ Barcode,

 

Nice going! This seems to be the WinXP-version of the fix I described for Win 98, but not having a WinXP machine, I had no way of figuring out how to access an NTFS disk from a DOS prompt.

 

One question: do you need to use the shareware NTFSPRO software or will the freeware NTFSDOS program work just as well on a stand-alone machine?

 

thanks!


I just used AboutBuster.... too early to tell if it was a permanent fix, but I have a question.

 

After using AboutBuster, Spybot informed me that my home and search pages were changed to google. Of course I denied these changes. I just wanted to know if those changes were part of the program?


First off, DJ Barcode.. this is not the place to post that information. This thread mainly centers around the res://, secure.html, and the very much older version of sp.html. If anybody is having problems, please start a new post. Another thing.. yes, About:Buster does change the page to google.com.. I didn't know what other site I should set it to. And if I left it alone, it would be very hard to see if you are still infected or not because the entries would be there. Best thing to do after running About:Buster..

1) Open Internet Explorer

2) Go to Tools

3) Press Reset Web Settings

If you can't find step 3, that is because your Internet Explorer homepage is set to factory default.

 

Hope this has helped a few :wave:


Don't know if this helps find the offending .DLL, but my system was infected, the name of the offending .DLL was taken from the first folder in the root directory.

 

 

My first folder was called AAP, the offending .DLL called itself AAPxxxx.DLL, and was appropriately dated the same date as when the trouble started.

 

I just used HijackThis to delete this and the other suspect files. So far, so good :D

 

Also a big thanks to all those who contributed to the fix of this scumbag ware, your efforts are appreciated by many thousands of people. :thumbsup:

 

cheers

Dave


I am attempting to remove about:blank from my sister's computer using the about:buster program.

 

But, I am having a problem actually opening the program.

 

When I try and open the application, it automatically triggers the Microsoft Office XP Professional Install and requests the CD for the software...

 

I click 'cancel', and then I receive an error for Office, and then a runtime 7 error from about:buster.

 

 

Any ideas on why this is happening???

 

Thanks


Hey Rubber Ducky, why don't me, you and Bob O get together on the phone... I think we can put together a simple step by step solution to this problem for the rest. I was away for a bit, sorry I didn't answer anyone also. If you want me to, I can call you or you can call me. I remember everything I did to get rid of the hidden dll file that is basically the root cause of my about:blank res. variant. I have my original HijackThis report too, so we can see which version I fixed, but I will guess doing what I did will find all variants that hide as 57344 bytes. I am still free of about:blank also after 3 plus weeks now too. I am no pro, I am not good at describing all computer processes/terms, so maybe if we talk you can take my info and relate it to the rest here or even put it into your program, cause I am good at remembering and going thru the operating systems of computers. I do believe I have the fix for the hidden dll strain of this virus. Email me at and let me know it's you and set up a time to talk. I'd like to help the rest here because the more I read, the more I realize 50 percent can have success with your program and the rest have something like I had, and knowing what I went thru, it will be like 1-2 months till they understand what they got and go thru all I did to solve it. I think if I talk to you, you can put my exact ideas to words in a few paragraphs, since I'm overly detailed when I think and I do not want to confuse anyone. I'll check my mail today, later Joe

Edited by cnm


Ok new version is out (1.32).

 

I got rid of those annoying popups asking to end explorer.exe. Instead it will ask in the beginning and automatically do it for each file.

 

Also About:Buster scans a second time automatically.

 

I'd just like to thank everyone for the support. I really appreciate it; it's not been easy updating this program. And I'm sure it's hard for ya to keep up with the updates.

Please wait a while before downloading.

Sites that are hosting the new version currently (that I am aware of):

 

Zerosrealm

Atribune

Subratam

Malwarebytes

 

I am contacting Majorgeeks.com as we speak.


Didn't work (but then again nothing else in the last 2 months)

 

I get: Runtime problem '53'

 

any ideas why?


It worked! It worked! I was on the verge of reimaging a system when I figured we had nothing to lose in trying one more tool.

 

It didn't set the default page back to Google, but we manually set the home page and restarted the system to be sure it stayed on the home page we set. Thank you so much for your efforts. :bounce:


Many of you may think that the new variant is causing a 'random' service to be started. Well, it's not as random as you think.. it only looks like it. Take a look at these service exports from various logs.

 

NETWORK SECURITY SERVICE: ½O.#ž‚„?õØ´â

C:\WINDOWS\system32\netya.exe /s

 

REMOTE PROCEDURE CALL (RPC) HELPER: ½O.#ž‚„?õØ´â

C:\WINDOWS\mfcrp.exe /s

 

Take a look: the ending " ½O.#ž‚„?õØ´â " is the same in both. I will get on this update right away.

 

 

Also note: This discussion will continue to be pinned at http://www.malwarebytes.biz/forums/index.php?showforum=5. Please see the top pinned post there, called

About:Buster, fixes http://res Hijack, Proper use

 

Version and database information will be posted here at SpywareInfo in Pinned: About:Buster, fixes http://res Hijack

Edited by cnm


It worked for me....thanks Rubber Ducky!! :D

 

However, it did not fix the "Shell.dll" problem....what is meant by the "the update after it..."? :wtf:


THANK YOU, THANK YOU, THANK YOU! Just ran AboutBuster in Safe Mode. Rebooted. GONE! If it remains gone 30 days from now, a nice $$$$ is coming your way.

 

J


About:Buster was updated to version 1.5. It removes more files and removes the so called 'random' service name. Please download it from all the links except Atribune.org.

 

Have fun with it :evilgrin:


Ok.. I released the final program version.. About:Buster 2.0.

I will probably not update the program anymore.. therefore I added a database to it.

First unzip all files from the zip folder to a folder or your desktop. Start it and hit ok. Then hit update. A new screen should pop up. On that screen hit Check for Updates. If it says it found an update, hit Download Updates. If it doesn't, it will automatically tell you and exit. Now for the scanning part. Hit start and then Ok. The program should start scanning. Then hit exit and reboot.

 

Once rebooted run About:Buster once more to make sure everything is ok.

The database will be updated very frequently so check your versions once a day.


Could be you're running the program from a zipped folder. Make sure you're running it from something like C:\Buster\ and you have the following files in that location.

  • AboutBuster.exe
  • Readme.txt
  • reflist.dll


I ran it from desktop. Why the problem, no one else seems to have it???????????????????????????


I want to thank RubberDucky for the excellent work done on about:buster. I had to download the Visual Basic runtime files. Then I had to download the mscomctl.ocx file which I found at Majorgeeks.com. Finally I was able to download and run about:buster.

It seems to have gotten rid of this stinking bug. I would never have done it without your help. Thank you!


I did get error 53. Then I downloaded again, but not onto my desktop, instead under C: . About:Buster worked!!!! Unfortunately it didn't cure my problem. It still exists.


When I open About:Buster, I hit OK and it tries to configure Microsoft Office 2000 Pro and asks for the CD. I don't have the CD, so when I cancel it comes up with a runtime error 7 out of memory. Why is it trying to configure Office 2000 Pro?


Question, if I may. I hope it's ok to post this question here as it's been the thread I follow for updates on AboutBuster.

 

We're trying to remove this variant here:

http://www.dslreports.com/forum/remark,10997143~mode=flat

 

I've been using AboutBuster with good results so far, but I'm seeing something new it can't remove after 3 scans in that thread. What service keys do you think it is going after and can't remove? What are Service Key 4 and Service Key 6??

 

Has anyone else had this result?

 

-- Scan 1 --------

About:Buster Version 2.11

Reference List : 11

 

Removed 1 Random Key Entries

Failed to Delete Service Key 4

Failed to Delete Service Key 6

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 2.11

Reference List : 11

 

Removed 1 Random Key Entries

Failed to Delete Service Key 4

Failed to Delete Service Key 6

Attempted Clean Of Temp folder.

Pages Reset... Done!


I get that same failure to delete service keys. Mine are 4 and 5.

Something tells me that that is the root of my problem. I've done everything possible to rid myself of this homepage hijacking, but each time I get rid of everything, it somehow comes back.


I just found out that v3.0 was released today.

 

 

Released AboutBuster 3.0 as of today. Even if you WERE infected and aren't anymore, I'm sure this will find something. Note: CWS started using Alternate Data Streams, which I took 12 hours of my life to remove through code. So you better like it.

If you were using version 2.xx or 1.xx and it didn't work, try this. If it still doesn't work, please start a new topic.

 

http://www.malwarebytes.biz/forums/index.p...owtopic=188&hl=

This topic is now closed to further replies.