About:blank http://res fix works !!!


  • This topic is locked
253 replies to this topic

#101 shovel

shovel

    Member

  • New Member
  • Pip
  • 1 posts

Posted 10 July 2004 - 11:28 AM

I used the "buster" and it worked great!! I did have to run it in safe mode to work but the #@%$^&# about:blank is gone!! Thanx

#102 sireel1111

sireel1111

    Member

  • New Member
  • Pip
  • 4 posts

Posted 10 July 2004 - 12:25 PM

I will try this. I have been playing a cat and mouse game with that darn Cool Web Search. I am not sure exactly when I got it, had a trojan appear too. Downloader JL. I was surfing, got into a weird area by clicking a guestbook link. WMP initiated without my doing so. It would not close, so I ctrl+alt+del ended task on it. Later went to watch an .avi from the weekend..... WMP was gone! So was notepad.. Notepad was there when I checked the source on a project I was working on, but it would not save the changes, showed name with underscores and in a weird place. Panda Online virus scan got rid of Downloader JL, then the hijacking started. I used Hijack this.... worked for a bit, back again. Frustration arose. Spybot did not find any of the files. Adaware did after I updated it and had it deep scan everything and tweaked more of the scanning options. Guess what? Yep, it came back. I got an updated version of Hijack this, and it worked for a bit, but now I get that error 75. The only thing left is the no name BHO. I used regedit to remove the entries shown on Hijack this, from the registry. It seemed weird to me that the tree was out to this point, nowhere near where I had left it at last look. It was open to: HKEY_current_user\software\microsoft\internet explorer\search\search properties\en-us. After removing the other entries, and all about blank entries - because I had figured out it was linked to hitting the home button or changing the home settings in IE - the log from Hijack this looks like this:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0B3B58EF-DF56-4033-BBDE-189DBE8928A9} - D:\WINDOWS\System32\elldk.dll (file missing)

I can not remove the BHO, that is why I will try the program you suggested, the about buster program.

I noticed that the cool web search had a file constantly appear in the temp folder, called sp.html. I opened the source on it and scanned through. All links were a java script that works when online I guess, the only address I found was this.
http://oz.msie.tv
It had a search engine in the middle of a blue page, said the best in the world. Under was a link that stated, Remove software. I, stupidly, downloaded that and used it. It made it appear it was gone, but probably helped keep it going. It is probably not a good idea to use it.

Whoa, I was just looking through logs and screenshots to see if there was anything else pertinant (pardon if spelling is off) to this, found this at the bottom of the Hijack This log.

O18 - Filter: text/html - {DEFF0219-0C03-4548-8AE3-910881D6A597} - D:\WINDOWS\System32\elldk.dll
O18 - Filter: text/plain - {DEFF0219-0C03-4548-8AE3-910881D6A597} - D:\WINDOWS\System32\elldk.dll

The .exe is not there right now though.

I am glad to find all these posts with the suggestions within, they should be a great help, and I hope maybe what I posted can help in some way.
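
The HijackThis lines quoted in the post above can be correlated by the DLL they reference, which shows why removing only the BHO entry leaves other registrations behind. The following is an added example, not part of the original thread and not code from HijackThis or About:Buster: a small Python parser for the R0, O2 and O18 line shapes shown in that post. The finding names and rules (blank, about:blank or res:// page values, an unnamed BHO, one DLL registered under more than one entry type) are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0B3B58EF-DF56-4033-BBDE-189DBE8928A9} - D:\WINDOWS\System32\elldk.dll (file missing)
O18 - Filter: text/html - {DEFF0219-0C03-4548-8AE3-910881D6A597} - D:\WINDOWS\System32\elldk.dll
O18 - Filter: text/plain - {DEFF0219-0C03-4548-8AE3-910881D6A597} - D:\WINDOWS\System32\elldk.dll
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# Shared tail of O2/O18 lines: CLSID, file path, optional "(file missing)" marker.
TAIL = r"(?P<clsid>" + CLSID + r") - (?P<path>.+?)(?P<missing> \(file missing\))?$"
PATTERNS = {
    "page": re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) =\s*(?P<data>.*)$"),
    "bho": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + TAIL),
    "filter": re.compile(r"^O18 - Filter: (?P<name>\S+) - " + TAIL),
}


def parse(log):
    """Return one dict per recognised log line; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                entries.append({"kind": kind, **match.groupdict()})
                break
    return entries


def review(entries):
    """Return (code, detail) findings using this example's own heuristics."""
    findings = []
    by_dll = defaultdict(list)
    for e in entries:
        if e["kind"] == "page":
            data = e["data"].strip().lower()
            # A blank value is what remains after the hijacked page was deleted.
            if data == "" or data.startswith(("about:blank", "res://")):
                shown = data or "<blank>"
                findings.append(("ie-page", f'{e["key"]},{e["value"]} = {shown}'))
            continue
        by_dll[e["path"].lower()].append(e)
        if e["kind"] == "bho" and e["name"] == "(no name)":
            findings.append(("unnamed-bho", e["clsid"]))
        if e["missing"]:
            findings.append(("file-missing", e["path"]))
    # A DLL registered as both a BHO and a MIME filter needs every entry removed.
    for path, refs in by_dll.items():
        if len({r["kind"] for r in refs}) > 1:
            others = [r for r in refs if r["kind"] != "bho"]
            detail = (f"{path}: {len(others)} non-BHO registration(s) "
                      "remain if only the BHO entry is removed")
            findings.append(("shared-dll", detail))
    return findings


if __name__ == "__main__":
    for code, detail in review(parse(SAMPLE_LOG)):
        print(f"{code:13} {detail}")
```
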

#103 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 10 July 2004 - 12:38 PM

You have the sp.html variant of CoolWebSearch as you probably know. About:Buster can remove this variant if it is an older variant. As you described it, it is an older variant and can be removed in safe mode.

Once you get the random bho (file missing) you should be able to remove the leftovers. The bho is what initializes everything. And removing it on the res:// variant is not enough. Buster removes the rest of the files for no further reinfection... unless its from another site.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#104 IndiGenus

IndiGenus

    Advanced Member

  • Full Member
  • PipPipPip
  • 105 posts

Posted 11 July 2004 - 08:14 AM

RubbeR DuckY....please help! I get the following error as soon as I hit the start key to run About : Buster:

Run time error '339':
Component 'MsComCtl.ocx' or one of it's dependencies not correctly registered: a file is missing or invalid

I'm running version 1.27 and have downloaded the VB runtime files from the link you provided above. If you need any other system info. let me know. I'm running XP home also. Thanks in advance for any help.

Dave

#105 alltooroman

alltooroman

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 July 2004 - 09:17 AM

davmo63,

I think you're all set. Type that file into either Google or Yahoo and either should pull up a website that will help you with your XP updates to get you back on track. I have same problem, but I have Windows Me, so it's a little more complicated. Still sitting here in limbo. Best of luck

#106 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 11 July 2004 - 11:25 AM

RubbeR DuckY....please help! I get the following error as soon as I hit the start key to run About : Buster:

Run time error '339':
Component 'MsComCtl.ocx' or one of it's dependencies not correctly registered: a file is missing or invalid

For missing MSCOMCTL.OCX, download and run this program from Javacool Software. http://www.spywarein...ngfilesetup.exe

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#107 alltooroman

alltooroman

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 July 2004 - 01:32 PM

Rubber Ducky and CNM, Many thanks!!! My browser is free and so am I! Free from about:blank. The advice and programs you gave me could have cost me a fortune and with no resolution to the matter. I am making a donation to the spirit that you help people and fight internet evil. Thank you so much.

#108 gaknutson

gaknutson

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 11 July 2004 - 01:57 PM

Rubber Ducky, or whomever can help -

I have the about:blank virus, and have been following this thread. I had downloaded and used Hijack This, CWShredder, aboutbuster, Spyware Blaster and have used Adaware for some time. I can find and get rid of the nasty System32 dll, and the registry changes, and have done this in safe mode as well as regular mode.

The about:blank browser snatcher still comes back.

I now use the Mozilla-Firefox brower instead of Explorer, but I would like to get this thing off my computer for good. Can you help? What more need I do?

Thanks -

Gary

#109 alltooroman

alltooroman

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 July 2004 - 02:20 PM

gaknutson, you came to the right place. I am a mere amateur, but following this forum's advice helped free me of what you're going through now. A page or two back on this forum is the latest aboutbuster, 1.27, download that. Plus, go the lavasoft website and download adware 6.0. Shut pc down, restart in safe mode by tapping f8 key. In safe mode, run adware first, fix problems, then hijackthis and remove anything that has the word aboutblank in it. There should be about 2 r0's with it and one more floating line after that. Then remove all bho without a name. Hit fix and now run aboutbuster twice. This is what did it for me. The damn aboutblank dug itself into your pc and, I think, reproduced and recoded itself as an original software program, meaning all the latest spyware software won't pick up the registry keys. It's got to be the worst case of sabotage I've ever dealt with. Good luck

Edited by alltooroman, 11 July 2004 - 02:21 PM.


#110 gaknutson

gaknutson

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 11 July 2004 - 02:41 PM

Thanks alltooroman, but I have done this. Twice. Stays away for a while, then comes back.

Gary

#111 smiley

smiley

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 11 July 2004 - 03:33 PM

Hi RubbeR DuckY and everyone else,

I ran the latest version 1.27 of About:Buster and got the following error msg:
-- Scan 1 --------
About:Buster Version 1.27
Error Removing! : C:\WINDOWS\SYSTEM\ekilc.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

I think I probably have the sp.html version of the hijacker. You said in an earlier post that you need 'files' to get About:Buster to work, what sort of files do you need?

Thanks.

S.

#112 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 11 July 2004 - 03:46 PM

C:\WINDOWS\SYSTEM\ekilc.dll That file definitely. Also if you e-mail me I will give you directions on something else.

#113 smiley

smiley

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 11 July 2004 - 04:15 PM

Ooops RubbeR DuckY,

After posting the message I went through some steps suggested by one of the posts in this thread:
1) boot into safe mode
2) run latest AdAware build181 with the latest ref list. It picked up 22 'bad' objects, including that dll file.
3) ran HijackThis - only 2 R0/R1 left
4) ran About:Buster twice - log file clean.

I've rebooted a couple of times and so far so good.

As you can see I don't have the .dll file anymore. But if you can tell how to restore it I am more than willing to and get a copy to you. Just let me know how.

Thanks for your help!

S.

#114 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 11 July 2004 - 04:35 PM

Its ok.. restoring it would mean restoring the entire hijack. I have a copy of the .dll somewhere :)

Also the support forums for Buster are up and running.

www.malwarebytes.biz - Site for About:Buster
www.malwarebytes.biz/forums - Forums for About:Buster

#115 M250

M250

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 July 2004 - 07:06 PM

First of all, this site is fantastic. Thanks to all the 'volunteers' who post and help the victims of computer criminals.

Kudos to RubbeR DuckY for his special effort.

I also had the about:blank infection. I tried About:Buster but it was unsuccessful on the particular version of the problem I had.

I ended up fixing it manually with RegistarLite. This thing was very, very stubborn.

HijackThis is excellent. Unfortunately, I read on the developer's site that he is not going to continue working on future versions due to other responsibilities. I hope someone else in the world will continue his great work.

Best of luck to everyone with this nasty problem.

M250

#116 tbankston21

tbankston21

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 July 2004 - 09:23 PM

When trying to run the aboutbuster program, I receive the following error. Any help you can give would be greatly appreciated.

ABOUTBUSTER caused an invalid page fault in
module <unknown> at 0084:00806850.
Registers:
EAX=0047886c CS=017f EIP=00806850 EFLGS=00010246
EBX=bff94645 SS=0187 ESP=0064ebbc EBP=0064ebd4
ECX=7ffbff48 DS=0187 ESI=00438e74 FS=2bff
EDX=868ef360 ES=0187 EDI=0064f1c0 GS=0000
Bytes at CS:EIP:

Stack dump:
660de824 0047886c 6601ae28 800a005b 00438e74 0047886c 0064ebe8 660df161 00438e74 00401268 00438e74 0064ec08 660e8572 66046d38 0064f1c0 0064eda4

#117 sireel1111

sireel1111

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 July 2004 - 12:41 AM

Okay, here is as the Cool Web Search turns...... and it's not funny, getting downright frustrating and annoying. Isn't this kind of shit illegal? If not, why not, it's invasion of privacy and basically acting like a virus now. It gets smarter as I try to get rid of it, a different thing comes up each time. I did all the stuff everyone else had tried, and what was in my last post. I then used the about buster program, did it for a bit, but Hijack This still non functional. It did come back, so I did about buster in safe mode, and Hijack this, and Adaware. Worked for a bit, it came back. Now, I did stuff and got rid of it, nothing of it showed in my system at all. I checked my e-mails. I use Juno version 5.0 for on computer e-mail writing and getting, it's kind of like Outlook in a way, it dials a number and gets the mails to the computer. A window pops up when it dials out, it has an ad (that is why it is free) on it, and a status bar. I always watch the text, it showed something that I do not like, preparing outgoing messages. I had not written any, so I feel maybe there is communication through email like that. No messages came in. This was around 9:20 pm PST. I went online after that, IE opened and there was the damned search bar, not ms ie srchast like usual (the regular IE browser bar search, may have it wrong there.). It showed it was starting to connect to the correct site at first, on the status bar at the bottom of the browser, but HIJACK!! BLAM!! CWS wall. I disconnected from the Internet and ran about buster. It showed, trouble removing cipg.dll. Hmm, I thought. I went into system32 folder (which is where a lot of stuff regarding the damned CWS show up or hide) and looked at that file. It shows it was created on 7-11-2004 at 9:20pm, around the time I checked my email, may have been when I went online though. It can not be deleted. I checked the properties of it, and decided to change what it opens with. I chose notepad.
It is a bunch of mumbo jumbo code stuff, except for most of the way down, where this is:


WS2_32.dll GetProcAddress HLoadLibraryA WriteProcessMemory :GetCurrentProcess {VirtualProtect "InterlockedIncrement InterlockedDecrement eMoveFileExA dMoveFileA | DeleteFileA SetFileAttributesA WritePrivateProfileStringA GetShortPathNameA GetTickCount FindClose FindFirstFileA GetSystemDirectoryA GetWindowsDirectoryA ExpandEnvironmentStringsA . CloseHandle eUnmapViewOfFile ^MapViewOfFile N CreateFileMappingA [GetFileSize M CreateFileA GetVersion uGetModuleFileNameA DisableThreadLibraryCalls GetTempPathA WideCharToMultiByte AreFileApisANSI *IsBadStringPtrA )IsBadReadPtr HeapAlloc GetProcessHeap HeapFree HeapReAlloc GetSystemTimeAsFileTime ReadFile WriteFile KERNEL32.dll RegCloseKey RegCreateKeyExA RegOpenKeyExA RegQueryValueExA RegSetValueExA RegEnumKeyExA ADVAPI32.dll UuidFromStringA UuidCreate RPCRT4.dll SHDeleteKeyA SHLWAPI.dll H@    ؆ 6 1 8 D   ( :    m.dll DllCanUnloadNow DllGetClassObject DllRegisterServer DllUnregisterServer


I checked in the folder and found all the .dll files listed here. WS2_32.dll shows it was created on 7-10-2004 at 1:19pm. I can not say for sure if I was online at that time, or what I was doing. It says it is a Microsoft corporation file, Windows socket 2.0 32 bit dll. Version 5.1.2600.1240, 69.0 KB. The KERNEL32.dll shows it was created on 8-23-2001 at 5am, it is a microsoft corporation file. A Windows NT BASE API Client DLL, 908 KB. The ADVAPI32.dll shows it to be a microsoft corporation file, created 8-23-2001 at 5am. It is an Advanced Windows 32 Base API, version 5.1.2600.1106, 545 KB. The RPCRT4.dll says it's a microsoft corporation file created 4-14-2004 at 8:04pm. It is a Remote Procedure Call Runtime, version 5.1.2600.1361 523 KB. The SHLWAPI.dll shows to be a microsoft corporation file created 1-21-2004 at 4:18pm. It is a Shell Light-Weight Utility Library, version 6.0.2800.1400 386 KB. The file shown, m.dll, can not be found on my computer.

I do not know if this information will be of any help, but maybe so. I hope so. I did notice, when I did do go to the site found in the sp.html source code - http://oz.msie.tv - and did a search, the result page that came up had a microsoft windows logo on it. The site name too, msie, like microsoft internet explorer.... This sounds pretty messed up to me. I have been in contact with my brother who debugs programs for Microsoft, maybe something can be done on that level... I have no idea, sounds like they are trying to fool people.

I have noticed that things are running slowly when they should not be, I use the performance meter and it shows my memory is being used more than what should be for applications open. At one point, my virtual memory was almost depleted, a warning came up. This has never happened before and that is when running Photoshop 7, and The Font Thing looking through 2089 fonts, and having a couple folders open in thumbnail view, folders with a few hundred pictures and having a cd in the drive browsing it too. Let me tell you, that should have taken up more virtual memory than just having a couple folders open and using notepad, when I got the warning. I increased my virtual memory since, but still things run slow, something is running that should not be, and that pisses me off and makes me feel violated and paranoid.

This is the popup I get when the damned thing comes up as the about blank page and the search page.
Posted Image
Posted Image
Sounds to me like they are trying to sell products with this damned thing. Later all, will keep you updated. Hopefully there is a patch available or some easy fix that my brother may be able to tell me. Keep your fingers crossed, because nothing else seems to permanently work. I know I will keep my fingers crossed, I am not doing anything on my computer until it is gone, don't like it much on there, screws things up and makes me feel dirty... so unclean.... so unclean.... AAAAAAHHH!~!!!!

#118 gaijinJapan

gaijinJapan

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 12 July 2004 - 07:57 AM

Well, It's been almost a month of having this damn (Un)CoolWebSearch --- About:Blank problem.
I've got Adaware6, Latest Search and Destroy, Hijack This, CWS Shredder, the freeware version of Trojan Hunter...I got the AboutBuster...maybe I'm missing a necessary dll...?

Have done the Panda Active Scan with so so success...obviously not good enough. When I go to Trend Micro my IExplorer gets an error and shuts down.


I've had Mcaffee systems security and zonealarm firewall up since having my NEC Microsoft XP laptop purchased.


Yes I'm in Japan making do with a Japanese based system and without a lot of English on it and me without much Kanji reading ability. Yes I continue to be a computer novice while still having known a little bit about them 14 years ago...(does this make sense to anyone?)

I've gone into safe mode, deleted things I probably shouldn't have...a few times I was naive to think I had gotten rid of it...but no.

I posted here about a month ago...have followed several threads and tried several tactics and am completely and utterly at a loss...

Please Help...

I seem to be getting the same popups as the guy who posted just ahead of me. I'm guessing this isn't the about:blank res strain...

Please...

hel....
p....

Edited by gaijinJapan, 12 July 2004 - 07:59 AM.


#119 jashac

jashac

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 12 July 2004 - 11:08 AM

The update after it will fix the shell.dll problems people are having.
Have you had a chance to get to this update yet?
Thanks,
JashaC

#120 bscanlan

bscanlan

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 12 July 2004 - 11:25 AM

I have read through this forum and have also posted my hijackthis.log... I've followed the directions from one of the posts; booted in safe mode, ran About:buster, CWShredder, spybot, and adaware and hijackthis... all with the latest versions. The about:blank seems to go away for a short while and then returns. I also deleted all files from my temp folders, yet the sp.html file has re-appeared. Please help me get this off my computer... what else can I do????

Edited by bscanlan, 12 July 2004 - 11:27 AM.


#121 ncc

ncc

    Member

  • New Member
  • Pip
  • 2 posts

Posted 12 July 2004 - 12:26 PM

To fix the Shell.dll problem. Do a search on the net and download a copy of the file, cut and paste it into Windows/system or system32 where ever it's missing.

#122 sireel1111

sireel1111

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 July 2004 - 12:36 PM

Well, I have done more things, with partial success. I will not post them, for if I do it may be premature.

My brother says a bill is going through congress now that will make this type of spyware illegal. I hope it will cause it to stop. Ones that do not link to a site will probably continue, but if the spyware links to a site somehow, that gives a trace.

My brother also said that Microsoft is coming out with a program to combat this kind of thing.

Right now, I am free of the thing..... but for how long is the question. It seems to be okay for a time or two going online, then it pops up again. I cry.

BTW, a couple things I did, like Panda Active Scan, called the thing a Trojan. It creates a .dll and writes to other .dll's, look at my previous post, maybe it will help in some developer of a program to kill it. I dunno... just hopeful.

Me.

Edited by sireel1111, 12 July 2004 - 12:38 PM.


#123 Xonox

Xonox

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 July 2004 - 03:29 PM

.... for a couple of weeks, about:blank drives me mad.. went through the about:buster instructions and used CWShredder etc. ... it keeps coming back.. I have the feeling it returns in the morning, when I check my emails... it's a pain! .. so, I go through the same about:buster procedure over and over again... I run Spy Sweeper permanently in the background.... maybe the best solution for the time being???? .. hope they get and bust the guy that started about:blank.... hope for a permanent solution, as all of us..... bahhhhhhhh


Still, thank you very much RubbeR DuckY !!! at least, I haven't thrown out my PC yet.

Edited by Xonox, 12 July 2004 - 03:33 PM.


#124 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 12 July 2004 - 04:08 PM

Remember a) this program only removes the res:// variant.

Also when you are doing the removal there is a better success in safe mode than normal mode. I suggest everyone tries it. If you have any problems register at the Buster support forums.

www.malwarebytes.biz/forums and under malware help post the Buster log.

#125 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 12 July 2004 - 04:14 PM

The update after it will fix the shell.dll problems people are having.
Have you had a chance to get to this update yet?
Thanks,
JashaC

I cannot fix this... the .dll needs to be specialized or Windows will not read it. I cannot just get my program to paste the text inside a new shell.dll. Id need to set its properties etc..

The best way is to download the file and copy it :).

Another few suggestions...

*a popup blocker
*firewall - to stop the variant from connecting

This will stall it enough for About:Buster to remove it in normal mode.. if you're too lazy to boot into safe mode :cool:

Also make sure you have the newest version of Buster.. (1.27) as of today.

#126 sireel1111

sireel1111

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 July 2004 - 09:28 PM

Well, what I thought was success, turned out to be complete failure, it's back! The latest and newest version, stronger, faster, able to hide and re establish itself in an instant. gjigi.dll is the new file it created in my system32 folder.

There has to be a fix, aside from redoing the whole OS, that is a pain in the ass to say the least, but if it comes down to it, that is where I am going.

I hope that program Microsoft is working on is a patch and a kill CWS tool of sorts.

You go to hell, you go to hell and you die!

I just can't live with this in my computer, just can't.

#127 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 12 July 2004 - 09:35 PM

sireel111, Post a thread. Someone will assist you in Buster. It will remove this variant.

#128 Xonox

Xonox

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 July 2004 - 01:54 AM

... well.. I run about:buster in normal windows mode 2 times (usually 1 dll-file cannot be deleted in systems32 directory.... of course, always a different dll-name)... restart into Safe Mode.. run about:buster for 2 times, which cleans the temp-directory and deletes the dll-file.... restart in normal mode. it still keeps coming back sooner or later.

This morning, I did not check my emails but went online instead... and I got it again.. the about:blank thingy... so, it doesn't come through the email system.

Maybe I get reinfected or summin?... well, downloaded the latest about:buster version and it might get it out of my system (I used the previous version... 1.26?). Shouldn't make a difference, that I run the OS in German, right?

btw, I also run Zonealarm and Norton Anti-Virus in their latest versions. .... hope it won't come back. :scratchhead: .. fingers crossed. thanks for your help!

#129 Xonox

Xonox

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 July 2004 - 07:23 AM

..hmpf.... still keeps coming back, even when not checking my emails and just going online... it also comes back when opening Microsoft Outlook and not checking the emails... just by simply starting the programme... but, to be honest, running about:buster every now and then and controlling the thing with Spy Sweeper to some extent is better than dealing with the pop-ups etc.

Edited by Xonox, 13 July 2004 - 10:04 AM.


#130 Crutch

Crutch

    Member

  • New Member
  • Pip
  • 2 posts

Posted 13 July 2004 - 08:08 AM

I do not agree that Buster will remove this correctly or completely. I have run several different programs, About:buster 1.27, adaware (in safe mode configured to do the heavy duty scan as posted elsewhere), spybot s&d, cwshredder, trend online scanner, panda online scanner, and Norton AV. The spyware software will detect and remove cws temporarily but not permanently. The thing is still hiding somewhere that is not detected by any of them. My infection looks and behaves exactly like the one posted by sireel1111 Posted: Jul 12 2004, 12:41 AM on page 8.

On a suggestion I found in another forum, I installed Kaspersky (www.kaspersky.com) antivirus last night and let it do a full scan overnight. I did not expect it to find anything since I had just run the other 3 AV's listed above and the spyware tools too and found nothing but it did something. It found 3 occurrences of a trojan it called Win32.Startpage. The name had something else in it but I don't remember it right now. I had to leave for work before I got to test the system, but I am really hoping I've finally got this damn crap off. sireel1111 if you read this would you try installing that AV and see if it finds that thing on yours?

#131 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 13 July 2004 - 01:02 PM

Well im sorry to hear it didnt work. But it did work for another 7,000 people. I feel if i helped at least 1 person my work is done.

I cant cover all files because i dont have enough infectors (installers). I was submitted about 3 files today which i did not have... perhaps the kinds that are installing on your system. Eventually Buster will become even more efficient.

#132 Xonox

Xonox

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 July 2004 - 01:04 PM

Hi Crutch,

I have downloaded the software and updated it with the latest definitions.... It detected 9 trojans so far (it has scanned 75% and it is still running.. . on my main pc.. i am currently sitting on the "old" pc). .. one trojan was called "Trojan. Win32.Startpage.is" ... wonder whether this scanner will fix the problem for once and all :eek:

#133 Crutch

Crutch

    Member

  • New Member
  • Pip
  • 2 posts

Posted 13 July 2004 - 02:15 PM

My post was not meant to sound negative against about:buster ducky. I think you have done a great job with it. I just wanted to point out that the idiots that wrote this damn malware crap are apparently updating it faster than the tools out there that remove it. It's just really frustrating to remove it and have it come right back, but I personally appreciate every effort you guys have made in this forum and especially rubber duck for his great work. If it wasn't for you, I would probably still be infected and having my computer run at a snail's pace. But hopefully I am free now, (my fingers are crossed for when I get home).

#134 zingaling

zingaling

    Member

  • New Member
  • Pip
  • 1 posts

Posted 13 July 2004 - 02:57 PM

I'm going nuts with this, too. It comes back almost as fast as I can get rid of it. Pop-up stopper software makes it less annoying, but barely. Ducky, how do you tell which are the installer files?

#135 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 13 July 2004 - 03:16 PM

Well you really cant... except the .exes most of them are installers. Please send any files you have that are suspicious to that address. Ive mentioned it several times in this thread.

Its ok Crutch i know you didnt mean to offend me :). I wanna hurt these S*O*B's too. Version 1.28 of buster is soon to come.

By the way: Sometimes i upload About:Buster without a new version number. If i do ill post it here. :)

#136 hawkdaddy

hawkdaddy

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 13 July 2004 - 04:09 PM

:techsupport: :gasp: Not my pc, I have safe guards against those problems. Yea right! After reading your post about buster I gave it a run on my pc. Wow! I believe I have every thing there is on my pc. None of these things showed up on my spybot or adware scans. After running buster they all appeared on their next scans. I need help in trying to rid my pc of these serious problems. HELP ME PLEASE

#137 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 13 July 2004 - 04:20 PM

Hey there... Post the log either in a new post or

www.malwarebytes.biz/forums - About:Buster support site.

#138 LiuDaCriS

LiuDaCriS

    Member

  • New Member
  • Pip
  • 2 posts

Posted 13 July 2004 - 05:01 PM

I ran the app a few times in safe mode, then spybot and adaware. The spyware homepage disappears for a while, but if i open ie and close it right away, then open it back up, the spyware reappears. Am i doing something wrong? This is the right program for the prob where you get something like res://orszb.dll/index.html#96676 as the homepage right?

#139 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 13 July 2004 - 06:13 PM

Yes it is :). Have you tried buster in safe mode?

#140 LiuDaCriS

LiuDaCriS

    Member

  • New Member
  • Pip
  • 2 posts

Posted 13 July 2004 - 07:08 PM

First thing I did

#141 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 13 July 2004 - 07:10 PM

Ooops, didn't read, hehe. Post a Hijack This log in a new post, then post the link here. Or go to www.malwarebytes.biz/forums, register and post there. That's my forum, no need to link me... it's pretty much empty.

#142 Stryker

Stryker

    Member

  • New Member
  • Pip
  • 2 posts

Posted 13 July 2004 - 07:37 PM

res://vrevr.dll/index.html#96676 is what I have for my start page. I ran your about:buster program 7 times, in safe mode also, and even used Hijack This, and it works for like 10 mins., then the damn thing comes back. Thanks a lot for the program, it helps, but can anyone help me fix this???? It's crazy, it won't go away.

#143 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 13 July 2004 - 07:47 PM

I will say this again: if you are having any extra problems, it can be removed. Please post a new topic or register and post it here.

www.malwarebytes.biz/forums

#144 Stryker

Stryker

    Member

  • New Member
  • Pip
  • 2 posts

Posted 13 July 2004 - 07:51 PM

Ok thanks rubber ducky, I did. : )

#145 ShadowFox

ShadowFox

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 13 July 2004 - 09:30 PM

I ran your program and a program called HSRemove www.hsremove.com and I still get hijacked to the res://random.dll pages with the ONLY THE BEST popups....ahhh! I'm frustrated!

Why do people make these hijackers? Do they think it makes people like them or want to buy their stuff? :techsupport:

Nice try at the program. Keep up the good work....however it did not solve my problem.
Help!

#146 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 13 July 2004 - 09:39 PM

Hey there, post a log if you're having a problem. Not here. Follow the directions I gave Stryker.

#147 soccerob

soccerob

    Member

  • New Member
  • Pip
  • 3 posts

Posted 14 July 2004 - 08:15 AM

Please help, Rubber Ducky.
I followed all of your directions but I still have the stupid homepage. I was wondering if my operating system, Windows 2000, has anything to do with it.
Please reply soon, I need serious help. I have had the problem for almost 5 months.



Please Help
Soccerob :techsupport: :bangbang: :gah:

#148 joeb

joeb

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 14 July 2004 - 01:10 PM

It's been 2 weeks now of no Cool Web Search, about:blank, the 8 green bugs having sex, all the pop-ups are gone, the homepage hijacking, the adware buying and system spyware popups to get you to buy some removal proggie... I have the solution posted below but some are missing it. It is harder to do but fixes the C: drive. The secret is finding the system32 folder file that is 57,344 bytes. That's not easy, since this program hides itself as not shown even if you turned show all folders "on". You need to do that and go into the control panel to local security settings and change what I did below, then you can see the file. Also, now that you see it, you won't be able to just delete it either; you need to again make sure you're the system administrator and have all control over all files, and change the properties on the file like I did below, then it can be deleted. See, this file spawns random other dll files that we think are the culprit; they engage when you sign onto the web after you delete the dll file that gets spawned randomly by the 57,344 dll culprit file. This is what needs to be removed or all other problems will return. So a simple scan of your computer for files that are 57,344 will not show this file; you need to do the steps below that I did and then it will show up. I have Windows 2000, so it's not the operating system, it's this dll virus that's at fault. So you can find the root cause dll and erase it (not its spawned random dll file), or you can just reinstall your winnt/windows folder into a windows/windows named folder like I did. The problem is that the culprit file also, if on your system, turns off your ability to change your local security settings. Under security options, recovery console-allow floppy copy and access to all files and folders must be set to ENABLE, not DISABLE. If you can't change this you'll never be able to see or delete the 57,344 dll cause file.
This program actually does disable your ability to change this setting if you're infected, so I had to do what I did below. After that I could and did have the option to finally change any and all settings to enable.



ITS DONE !!! Well, I went with my gut on this one. I figured out how to get access and control over my files, then I changed this bad file's attributes, and then it allowed me to delete it and the folder, and then I deleted it from the recycling bin... I first went into start-settings-control panel-administrative tools-local security policy-local policies-security options and changed both recovery console options to enable from disable (this allows access and floppy copy to all drives and all folders). Then I went into the bad file I had named about_blank and went into properties-security-advanced-owner, which was my name, and then I changed myself to owner of the file, which I am the current administrator anyhow. Then clicked apply, then ok, then went into permissions under my name, which now say "allow" and "full control", then went into changing all permissions to allow a checkmark in "full control, modify, read & execute, list folder contents, read, write and allow inheritable permissions from parent to propagate to this object", all checkmarked to allow me permission. Then of course rebooted after applying the new settings, then came back into the folder and deleted the file 1st, then the folder 2nd, then looked in the recycle bin to see if it went there and it did, then emptied it all out, then rebooted, then looked and it was all gone for good. Then ran a search to make sure it was gone and it was. I do believe I am one of only a few now who totally got rid of this about:blank Cool Web Search virus, but I had to reinstall Windows into another folder other than "winnt" and do a lot of copy and pasting and then updating of all my programs, but it took less than 3 hours or so and I got all the old Windows 2000 files and viruses deleted. I think I'm free. Thanks for the help, but in the end I did it myself.
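
A size-based sweep like the one described in the post above, as an added example (not code from this thread or from any tool it mentions): it lists `.dll` files of exactly 57,344 bytes in one directory with their hidden/system attributes and SHA-256, and separately reports entries it cannot read, since the post describes the file refusing access. It assumes it is run from a clean environment against the suspect system32 folder; `find_suspects` and its parameters are names made up for this example.

```python
import hashlib
import os
import stat
import sys

SUSPECT_SIZE = 57_344  # byte size reported in the post above


def find_suspects(root, size=SUSPECT_SIZE, ext=".dll"):
    """Return (matches, unreadable) for files directly under root.

    matches: dicts with path, hidden/system flags and SHA-256.
    unreadable: paths that could not be stat'ed or opened; these need
    a manual look because access denial is itself a symptom here.
    """
    matches, unreadable = [], []
    with os.scandir(root) as entries:  # scandir also returns hidden entries
        for entry in entries:
            if not entry.name.lower().endswith(ext):
                continue
            try:
                st = entry.stat(follow_symlinks=False)
                if not stat.S_ISREG(st.st_mode) or st.st_size != size:
                    continue
                # st_file_attributes exists only on Windows; treat as 0 elsewhere.
                attrs = getattr(st, "st_file_attributes", 0)
                with open(entry.path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                unreadable.append(entry.path)
                continue
            matches.append({
                "path": entry.path,
                "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
                "sha256": digest,
            })
    return sorted(matches, key=lambda m: m["path"]), sorted(unreadable)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: find_suspects.py <directory to sweep>")
    found, denied = find_suspects(sys.argv[1])
    for m in found:
        print(f"{m['sha256']}  hidden={m['hidden']} system={m['system']}  {m['path']}")
    for p in denied:
        print(f"UNREADABLE  {p}")
```

A size match alone is not proof: compare the hash of each hit against a known-good copy or submit it to a scanner before deleting anything.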

#149 smiley

smiley

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 14 July 2004 - 01:11 PM

Hi RubbeR DuckY,

I have another file for you if you are interested:

lhhc.dll

Let me know if you are interested the place to send the file.

S.

#150 Starr

Starr

    Member

  • New Member
  • Pip
  • 1 posts

Posted 14 July 2004 - 01:53 PM

These hijackers should be legally prosecuted!! This about:blank spyware was the worst I've seen.

I did follow all instructions and it didn't work for me either. Then I booted up in safe mode and ran the Hijack This and then the AboutBuster, both in safe mode.

After that BEFORE launching my browser - I made sure that the home page url in my internet options was changed to my preferred home page and not that search url that spawns all the pop ups and creates the problems.

So far so good today. I'm holding my breath, but it seems to have done the trick.



