About:blank http://res fix works !!!

This topic is locked
253 replies to this topic

#151 ShadowFox
    Member
  • Full Member
  • 6 posts

Posted 14 July 2004 - 02:19 PM

SUGGESTION:

Make it autoupdate....or at least a check for updates button on the program. This would be the most useful feature.

#152 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 14 July 2004 - 02:47 PM

Smiley any files are useful... send em :)..

also joeb the file you are talking about deleting is for the other variant... and it's not that hard using FindNfix by FreeAtLast.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#153 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 14 July 2004 - 04:18 PM

Hey there About:Buster updated with 2 more MD5's.

Note: Version number did not change ... still 1.27. So don't be misled about where you download it from. These are the sites with the latest 1.27

My Site
Subratam's site

Atri and Zero are not available at the moment.

Atri - Not online yet
Zero - FTP not working correctly and cannot update. (do not download here)

#154 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 14 July 2004 - 06:45 PM

Ok I have a major announcement.

About:Buster version 1.3 will be up in 5 minutes..

Subratam.org
Malwarebytes.biz (Original Host)

I added about 10 MD5's thanks to a file donor.. So if you ran About:Buster run 1.3 and see if that solves your problem.

#155 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 14 July 2004 - 07:15 PM

Ok these are the variants I have tested on so far... they were removed successfully without running Ad-Aware or any other removal, including HijackThis.. except for empty cleanup.


Variant One

Installer name: mfplay.exe and mfplay.dll
Hijack This entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A622D3A1-CD8A-4434-89AA-348F9E02CE60} - C:\WINDOWS\System32\mfplay.dll
O18 - Filter: text/html - {A74261A2-EABB-432F-9307-B6A75D56639C} - C:\WINDOWS\System32\mfplay.dll
O18 - Filter: text/plain - {A74261A2-EABB-432F-9307-B6A75D56639C} - C:\WINDOWS\System32\mfplay.dll

Ran About:Buster log:

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\System32\mfplay.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Log after Hijack This:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A622D3A1-CD8A-4434-89AA-348F9E02CE60} - C:\WINDOWS\System32\mfplay.dll (file missing)
O18 - Filter: text/html - {A74261A2-EABB-432F-9307-B6A75D56639C} - C:\WINDOWS\System32\mfplay.dll
O18 - Filter: text/plain - {A74261A2-EABB-432F-9307-B6A75D56639C} - C:\WINDOWS\System32\mfplay.dll

Now as you see the Hijack is removed by the red object saying file missing. This shows that the hijack is gone and removal can be done manually. Meaning just check the items above.


Variant Two (comes more advanced)

Notes: Apparently, even though it looks very much like variant one... it's more advanced and quite difficult to remove manually.

Installer Name: javaqr.dll
Hijack This entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\szihy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://szihy.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://szihy.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\szihy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\szihy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://szihy.dll/index.html#37049
O2 - BHO: (no name) - {BA97183C-849F-18AC-10FF-F7B7B52D6B07} - C:\Windows\javaqr.dll
O4 - HKLM\..\RunOnce: [sdkqu.exe] C:\WINDOWS\sdkqu.exe

(weak infection) Usually very much stronger and filled with executables.

About:Buster log:

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\ewquyc.dat
Removed! : C:\WINDOWS\javaqr.dll
Removed! : C:\WINDOWS\qwxld.dat
Removed! : C:\WINDOWS\sdkqu.exe
Removed! : C:\WINDOWS\System32\szihy.dat
Removed! : C:\WINDOWS\System32\szihy.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Hijack This log:

O2 - BHO: (no name) - {BA97183C-849F-18AC-10FF-F7B7B52D6B07} - C:\Windows\javaqr.dll (file missing)

Only item found... It means the hijack is gone and removal is easy by ticking this item.



Note the next post following this one will include the hardest and most common variant of About:Buster to this date.

Note About:Buster 1.3 now removes both of these variants.

#156 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 14 July 2004 - 07:23 PM

Ok now the most advanced variant.

Variant Three

Installer Name: cjfhb.dll
Hijack This log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3C16B3A1-C793-4A5E-B3D5-F536D843057F} - C:\Windows\cjfhb.dll
O18 - Filter: text/html - {29CFD307-1A12-477E-B46A-362EACDC9EF7} - C:\Windows\cjfhb.dll
O18 - Filter: text/plain - {29CFD307-1A12-477E-B46A-362EACDC9EF7} - C:\Windows\cjfhb.dll

(this is a fake installation.. it would look a little different.)

About:Buster log:

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\cjfhb.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

(Similar to the first variant... different MD5 and filesize)

Hijack This log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Marcin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3C16B3A1-C793-4A5E-B3D5-F536D843057F} - C:\Windows\cjfhb.dll (file missing)
O18 - Filter: text/html - {29CFD307-1A12-477E-B46A-362EACDC9EF7} - C:\Windows\cjfhb.dll
O18 - Filter: text/plain - {29CFD307-1A12-477E-B46A-362EACDC9EF7} - C:\Windows\cjfhb.dll

As you see the file was successfully removed and the rest can be removed manually.

I hope this tutorial/information helped someone... Good luck removing About:Blank..


Coming very soon: removing Secure.html via About:Buster.
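
The three variant write-ups above all read a HijackThis log the same way: the R0/R1 search-page values, the O2 BHO and the O18 filters all point at one DLL, and once an entry shows "(file missing)" the file is gone and the remaining entries are leftovers to tick manually. The script below is an added example, not About:Buster's or HijackThis's own code. It parses lines of the shapes shown in posts #155 and #156 (plus O20 AppInit_DLLs lines, which come up later in the thread), groups entries by the DLL they reference and labels each group orphaned or live. The sample log is constructed from the variant-one "after" log with a benign start page, a made-up BHO and an AppInit_DLLs line added; the CLSID {11111111-...} and the path C:\Program Files\Example\example.dll are placeholders.

```python
"""Triage a HijackThis log: group entries by the DLL they reference and tell
orphaned entries (file already gone) from live ones that still need work."""
import re
from collections import defaultdict

# Entry shapes are taken from the logs in this thread. Real HijackThis logs
# contain more kinds (O4, O16, ...); anything not matched is listed as
# "unparsed" so nothing silently disappears from the report.
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O18_LINE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
MISSING = " (file missing)"
OBFUSCATED = " (obfuscated)"


def dll_key(path):
    """Map 'C:\\WINDOWS\\System32\\mfplay.dll' and 'mfplay.dll' to one key."""
    return path.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line):
    """Return a list of entry dicts for one log line, or None if unhandled."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        kind, hive, key, name, url = m.groups()
        obfuscated = url.endswith(OBFUSCATED)
        url = url[: -len(OBFUSCATED)] if obfuscated else url
        res = RES_DLL.match(url)
        # A search or start page served from a DLL resource (res://) or a
        # local .html file (file://) is the hijack itself. about:blank in
        # HomeOldSP is only the value the hijacker saved; the tool resets it.
        evidence = obfuscated or url.lower().startswith(("res://", "file://"))
        return [{"kind": kind, "where": hive + "\\" + key + "," + name,
                 "dll": dll_key(res.group(1)) if res else None,
                 "missing": False, "evidence": evidence}]
    for kind, rx in (("O2", O2_LINE), ("O18", O18_LINE)):
        m = rx.match(line)
        if m:
            label, clsid, path = m.groups()
            missing = path.endswith(MISSING)
            path = path[: -len(MISSING)] if missing else path
            return [{"kind": kind, "where": label + " " + clsid,
                     "dll": dll_key(path), "missing": missing,
                     "evidence": missing}]
    m = O20_LINE.match(line)
    if m:
        # AppInit_DLLs is empty on a clean workstation. A DLL listed here is
        # loaded into every process that links user32.dll, which is why the
        # file cannot simply be deleted while Windows is running.
        return [{"kind": "O20", "where": "AppInit_DLLs", "dll": dll_key(p),
                 "missing": False, "evidence": True}
                for p in re.split(r"[ ,]+", m.group(1)) if p]
    return None


def triage(log_text):
    """Return {"dlls": {key: {"status", "entries"}}, "pages": [...], "unparsed": [...]}.

    status is "orphaned" when some entry reports the DLL as missing (the
    tool removed the file; the rest can be ticked in HijackThis) and "live"
    when the DLL is still on disk and evidence points at it."""
    groups = defaultdict(list)
    report = {"dlls": {}, "pages": [], "unparsed": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entries = parse_line(raw)
        if entries is None:
            report["unparsed"].append(raw.strip())
            continue
        for e in entries:
            if e["kind"].startswith("R") and e["evidence"]:
                report["pages"].append(e["where"])
            if e["dll"]:
                groups[e["dll"]].append(e)
    for dll, entries in groups.items():
        if not any(e["evidence"] for e in entries):
            continue  # e.g. a named BHO nothing points at: leave it alone
        missing = any(e["missing"] for e in entries)
        report["dlls"][dll] = {"status": "orphaned" if missing else "live",
                               "entries": [e["kind"] for e in entries]}
    return report


# Constructed sample: the variant-one "after" log from the post, plus a
# benign start page, a made-up benign BHO and an AppInit_DLLs line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A622D3A1-CD8A-4434-89AA-348F9E02CE60} - C:\WINDOWS\System32\mfplay.dll (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\example.dll
O18 - Filter: text/html - {A74261A2-EABB-432F-9307-B6A75D56639C} - C:\WINDOWS\System32\mfplay.dll
O18 - Filter: text/plain - {A74261A2-EABB-432F-9307-B6A75D56639C} - C:\WINDOWS\System32\mfplay.dll
O4 - HKLM\..\RunOnce: [sdkqu.exe] C:\WINDOWS\sdkqu.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\hlp.dll
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for dll, info in rep["dlls"].items():
        print(f"{dll}: {info['status']} ({', '.join(info['entries'])})")
    print("hijacked pages:", len(rep["pages"]), "| unparsed:", rep["unparsed"])
```

On the sample this reports mfplay.dll as orphaned (five entries, one of them "(file missing)") and hlp.dll as live, while the made-up named BHO is left alone because nothing else points at it. That conservative rule means an unnamed BHO whose DLL is still present and not referenced by any R line is not flagged on its own; variant two before cleanup, where the BHO is javaqr.dll but the pages point at szihy.dll, would need the O4 RunOnce line to be parsed too to connect the two.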

#157 Angelus
    Member
  • Full Member
  • 44 posts

Posted 14 July 2004 - 10:39 PM

Hi,

I tried to run the last AboutBuster 1.30 and after hitting Start it gave me "Run-time error '339': Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid"

What must I do?

#158 cnm
    Mother Lion of SWI
  • Administrators
  • 25,317 posts

Posted 14 July 2004 - 10:59 PM

For missing MSCOMCTL.OCX, download and run this program from Javacool Software. http://www.spywarein...ngfilesetup.exe

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#159 plaing
    Member
  • Full Member
  • 30 posts

Posted 15 July 2004 - 12:23 AM

Hello:
I also got the message regarding MsComCtl.ocx. I downloaded the missing file and restarted my computer in safe mode. I ran Ad-aware and then About Buster ver. 1.3.

I got the message: "run-time error '53': File not found."

Have I done something wrong or do I have a different version of this About:Blank problem?

thanks all,

plaing

#160 ls62
    Member
  • Full Member
  • 16 posts

Posted 15 July 2004 - 11:11 AM

Ducky,

I think I have the sp.html 'variant #3' you posted about, I'll try it later tonight. This hijack has been driving me nuts. Anyways... I have a WinXP Home PC :techsupport: and we have 4 users set up.... do I have to run your about:buster for all users?

Should it be run in safe mode?

REALLY appreciate your work! I have my fingers crossed.

Thanks.
LEE

#161 gaknutson
    Member
  • Full Member
  • 4 posts

Posted 15 July 2004 - 12:00 PM

Hey Folks -

I have been wrestling with about:blank for some time now. No matter what I do, it keeps coming back. While using HijackThis reference was made to toolbar. I checked and found in the Program Files both Toolbar and Search Toolbar folders. Inside were suspicious files, due to the date they were created. One of the files inside was called "Cursors", and I cannot get in there. I downloaded NoAdWare and ran it, sure enough, it pointed to a file in these folders called "Huntbar". If I provide NoAdWare $30, I can register the program and delete the file.

Is there a way to delete these files (Toolbar and Search Toolbar)?

I think these files are generating the file Startpage6AQ which shows up as a virus in the System Volume Information. This program then generates the .dll's that take over the browser.

Anyway, I may be wrong, but if someone can tell me how I can delete these files, I'd appreciate it!

gaknutson

#162 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 15 July 2004 - 12:50 PM

gaknutson
Hey there.. No.. don't pay for NoAdware. Post a HijackThis log (in a new post).. this can be removed manually.. definitely.


ls62
Yes, run it for each user, and in safe mode.

#163 Rayyy
    Member
  • New Member
  • 1 post

Posted 15 July 2004 - 03:02 PM

Rubber Ducky!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

You're a f%$%ing genius.

Thank You Bro!!!!

:wave:

#164 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 15 July 2004 - 03:16 PM

I'll take that as a compliment .. thank you ;)

#165 johnnycrash
    Member
  • Full Member
  • 7 posts

Posted 15 July 2004 - 03:42 PM

The links are broken for FindNfix. Does anyone know where to get it? I have the hlp.dll trojan problem and nod3d can't get rid of it.

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\hlp.dll

#166 trousers
    Member
  • Full Member
  • 10 posts

Posted 15 July 2004 - 05:09 PM

Hi Rubberducky/all,

First of all, huge thanks for all the help/advice posted here - I am now an expert at getting rid of this about:blank beast....

I say 'expert', because it somehow keeps coming back...so I get plenty of practice !

Most of the posts/replies here deal with fixing the problem but does anyone know what the root cause is ?

I run ad-aware, about:buster, cws shredder, Norton scans/live update almost on a paranoidly regular basis now. I've set up my Norton Firewall to block everything that breathes (!) to the point where I'm seemingly continually blocking Internet attempts from all sorts of 'unknown' sources.

Even with all these defences in place, every now and then about:blank will 'sneak in' somewhere if I let my guard down for a brief second (e.g. I might 'give in' and reply 'permit' to a Norton message box).

I think I might have narrowed it down to something to do with SVCHOST.EXE which persistently gives rise to Norton warnings (sometimes 10 rapid fire warnings in a row...). If I keep blocking these svchost.exe attempts I (touch wood) seem to keep the about:blank thing at bay. From what I understand, SVCHOST.EXE is a bog standard Microsoft piece of Software but no idea what it is up to in the context of what Norton is telling me...

Another 'pattern' I can see when I get reinfected is that I've allowed through something called c:\windows\system32\logd.dll - but I can never find this when doing a search in EXPLORER...what's that all about ?!

But, back to my original question, what is it that is creating these rogue .dll files on c:/windows/system32 in the first place ? Is it something that comes in from the Internet or is it something buried somewhere in the depths of a 'normal' .exe somewhere that gets triggered by opening the Internet door ?

The other curious thing that bothers me is, if it is something that sneaks in FROM the internet each time it comes back, why is it targeting my laptop each time but not other PCs - for example my desktop doesn't receive any about:blank attacks (although that could have something to do with it being Windows 98 ??). Even so, I don't know any of my friends who get it either on XP. Why is this thing targeting the same people on a repeat basis but not others at all ?

As you can tell, I'm really appreciative of all the efforts being made to get rid of it once it gets on one's system but to me we should be looking at prevention rather than cure ? I've no idea how to prevent it reappearing on my laptop in the first place without rejecting internet attempts via Norton for things that look perfectly innocent on the surface....

Any info on the root cause of this ? (sorry for the overly long post !)

Cheers,
Martin

Edited by trousers, 15 July 2004 - 05:11 PM.


#167 trousers
    Member
  • Full Member
  • 10 posts

Posted 15 July 2004 - 05:24 PM

> It's been 2 weeks now of no Cool Web Search, about:blank, the 8 green bugs having sex, all the pop-ups are gone, the homepage hijacking, the adware buying and system spyware pop-ups to get you to buy some removal proggie... I have the solution posted below but some are missing it; it is harder to do but fixes the C: drive. The secret is finding the system32 folder file that is 57,344 bytes. That's not easy since this program hides itself as not shown even if you turned "show all folders" on; you need to do that and go into the Control Panel to Local Security Settings and change what I did below, then you can see the file. Also, now that you see it you won't be able to just delete it either; you need to again make sure you're the system administrator and have all control over all files, and change the properties on the file like I did below, then it can be deleted. See, this file spawns random other dll files that we think are the culprit; they engage when you sign onto the web after you delete the dll file that gets spawned randomly by the 57,344 dll culprit file. This is what needs to be removed or all other problems will return. So a simple scan of your computer for files that are 57,344 will not show this file; you need to do the steps below that I did and then it will show up. I have Windows 2000, so it's not the operating system, it's this dll virus that's at fault. So you can find the root cause dll and erase it (not its spawned random dll file), or you can just reinstall your winnt/windows folder into a windows/windows named folder like I did. The problem is that the culprit file, if on your system, also turns off your ability to change your local security settings under Security Options: "Recovery console: allow floppy copy and access to all files and folders" must be set to ENABLE, not DISABLE; if you can't change this you'll never be able to see or delete the 57,344 dll cause file.
> This program actually does disable your ability to change this setting if you're infected, so I had to do what I did below; after that I could and did have the option to finally change any and all settings to enable.

> IT'S DONE !!! Well, I went with my gut on this one. I figured out how to get access and control over my files, then I changed this bad file's attributes and then it allowed me to delete it and the folder, and then I deleted it from the recycling bin... I first went into Start - Settings - Control Panel - Administrative Tools - Local Security Policy - Local Policies - Security Options and changed both Recovery Console options to Enable from Disable (this allows access and floppy copy to all drives and all folders). Then I went into the bad file I had named about_blank and went into Properties - Security - Advanced - Owner, which was my name, and then I changed myself to owner of the file, which I am the current administrator anyhow. Then clicked Apply, then OK, then went into Permissions under my name, which now say "Allow" and "Full Control", then went into changing all permissions to allow: a checkmark in "Full Control, Modify, Read & Execute, List Folder Contents, Read, Write and Allow inheritable permissions from parent to propagate to this object", all checkmarked to allow me permission. Then of course rebooted after applying the new settings, then came back into the folder and deleted the file 1st, then the folder 2nd, then looked in the Recycle Bin to see if it went there and it did, then emptied it all out, then rebooted, then looked and it was all gone for good. Then ran a search to make sure it was gone and it was. I do believe I am one of only a few now who totally got rid of this about:blank Cool Web Search virus, but I had to reinstall Windows into another folder other than "winnt" and do a lot of copy and pasting and then updating of all my programs, but it took less than 3 hours or so and I got all the old Windows 2000 files and viruses deleted. I think I'm free. Thanks for the help, but in the end I did it myself.

Hi JoeB - this sounds like the answer to my last post (i.e. the search for the root cause) - any chance you could summarise what you did in a step by step fashion, as it is difficult to follow what you did precisely as you've described it in one long paragraph. Sorry for asking for this but my brain has just about packed up !
cheers,
martin

#168 gaknutson
    Member
  • Full Member
  • 4 posts

Posted 15 July 2004 - 06:22 PM

Rubber Ducky -

It's back. I have posted my log as a new topic - garyk log

Thanks

#169 JackTheLad
    Member
  • New Member
  • 1 post

Posted 15 July 2004 - 08:39 PM

Tried all that has been put on here to remove about blank with no luck.
Log file printed here. Pleeeeeeeeeeease Help

http://forums.spywar...ST&f=18&t=15684

#170 figa
    Member
  • New Member
  • 1 post

Posted 15 July 2004 - 09:22 PM

I used About:Blaster yesterday to remove About:Blank. It worked, but now I have no sound, my WinAmp is going crazy and flipping from song to song 5 times per second, there is no sound out of Media Player, and when I try to open task bar volume, it says "no active mixer devides...". In fact, in Sound properties in Control Panel, most options and pull down lists are greyed out. HELP !?

#171 Angelus
    Member
  • Full Member
  • 44 posts

Posted 16 July 2004 - 02:06 PM

> For missing MSCOMCTL.OCX, download and run this program from Javacool Software. http://www.spywarein...ngfilesetup.exe

The page seems to be down.

Can anyone help me with my problem? Please?

#172 Pierre (aka Terdef)
    Member
  • Ambassador
  • 18 posts

Posted 16 July 2004 - 07:49 PM

Hi Angelus

> The page seems to be down.


Works fine for me just now.
Pierre (aka Terdef)
Assiste.com - ASAP
administrator
Computers security, Internet privacy and dirty tricks

#173 Unklebob
    Member
  • New Member
  • 4 posts

Posted 16 July 2004 - 10:19 PM

Hi Rubber DuckY - You're doing a terrific job here!!! Great guidance and advice.

I need your help on 2 areas:

I ran the about buster you offer and in the end of the run my Browser Hijack blaster told me that my home page and search page were changed to Google!!???
Any ideas on that??

Also, I read your instructions on how to deal with the notepad.exe.bak in the System 32 and System folders. Every time I would delete or move Notepad.exe, the file would be recreated with the same date stamp. How do I safely remove the file??

Thanks,

Unklebob

#174 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 16 July 2004 - 11:33 PM

Angelus
The link is back up now :)

Unklebob
a) About:Buster changes your homepage to Google.com so that you can notice the change About:Buster made. If it reset it, it would make it About:Blank, and that would be confusing because About:Buster should be removing About:Blank (the CWS) while About:Blank (the homepage) is safe to have... if you set it.

b) Boot into safe mode

Booting into safe mode.

#175 Unklebob
    Member
  • New Member
  • 4 posts

Posted 17 July 2004 - 12:00 AM

Rubber DuckY:

Thanks for the tips!!

About booting in safe mode to delete the notepad.exe: Is the recreation of the notepad file a Windows function or another piece of spyware logic, just like the appinit_dlls registry entry that recreated the random dll file in Windows\system32?? If it's the latter, I'd rather make the effort of deleting the registry entry.

BTW- This is on a Win 2000 Server SP4 system, using Cable modem with a Snap Gear Hardware firewall.

Thanks again,

Unklebob

#176 trousers
    Member
  • Full Member
  • 10 posts

Posted 17 July 2004 - 05:22 AM

Hi RubberDucky,

Are you able to offer any thoughts on JoeB's post re: the root cause of this ?

I'd much rather get rid of the root cause than having to keep running the cure tools (superb though they are)

cheers,
martin

#177 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 17 July 2004 - 10:56 AM

By root cause of this.. do you mean where it was installed and how to prevent getting it... or stop it from replicating?

#178 Angelus
    Member
  • Full Member
  • 44 posts

Posted 17 July 2004 - 11:07 AM

> Angelus
> The link is back up now :)

Thanks. I'm now able to run the AboutBuster but it's still not resolving the 'about:blank' problem, it keeps coming back. What's the next step?

#179 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 17 July 2004 - 11:37 AM

Post a new topic along with a logfile on www.malwarebytes.biz/forums, or start a new topic in the main forum.

#180 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 17 July 2004 - 02:33 PM

Please note, the 3rd variant is only sometimes removed. If it didn't work for you please start a new topic and someone will help you.

I am currently working on the fix for it... for all the computer experts here is the gist. The CWS injects itself into every .exe, making it impossible to remove. I believe it even does it in safe mode. The solution is to rename the AppInit_DLLs key, reboot, delete the .dll, and restore the key. Now the problem is I'd test this out... but I don't want to hose down an OS.

I will try to get this fix done in a few days. I would use a virtual PC but it does not infect itself properly on that.


DuckY
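
A defender-side check for the mechanism this post describes, added here as an example and not About:Buster's code: it parses a .reg export (regedit's own text format) of the key that holds AppInit_DLLs, lists whatever is set to load into every process, and writes the fragment that empties the value. That follows the order the post gives (take the entry out, reboot so nothing loads the DLL, then delete the file), except that it clears the value instead of renaming the key. The export text and the value named ExampleDword are constructed for the example.

```python
"""Audit AppInit_DLLs from a .reg export (regedit's own text format)."""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# Constructed export, not taken from a real machine. regedit doubles every
# backslash inside a string value; ExampleDword is a made-up value name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\hlp.dll"
"ExampleDword"=dword:0000000a
"""

# What the same key looks like on a workstation with nothing injected.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ and DWORD values.

    Limits of this small parser: the default value (@=...) is skipped and
    hex(...) data, which may continue over several lines, is kept as text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # REG_SZ: undo the doubled backslashes and escaped quotes
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            else:
                keys[current][name] = data
    return keys


def appinit_entries(keys):
    """Split the value the way the loader does: names separated by spaces or commas."""
    value = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    if not isinstance(value, str):
        return []
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def audit_appinit(text, allowlist=()):
    """Return the AppInit_DLLs entries that are not on the allowlist.

    The allowlist is normally empty: a workstation that needs nothing loaded
    into every process has an empty value, so any entry deserves a look."""
    allowed = {a.lower() for a in allowlist}
    return [e for e in appinit_entries(parse_reg(text)) if e.lower() not in allowed]


def clearing_fragment():
    """A .reg fragment that empties AppInit_DLLs; importing it and rebooting
    is what stops the DLL being loaded into every new process."""
    return ("Windows Registry Editor Version 5.00\n\n[" + WINDOWS_KEY + "]\n"
            "\"AppInit_DLLs\"=\"\"\n")


if __name__ == "__main__":
    print("unexpected AppInit_DLLs entries:", audit_appinit(SAMPLE_REG))
    print("clean export:", audit_appinit(CLEAN_REG))
    print(clearing_fragment())
```

The fragment parses back through the same parser, so the round trip can be checked before anything is imported; once the DLL file is gone the value should stay empty unless something known and wanted was listed there before.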

#181 cnm
    Mother Lion of SWI
  • Administrators
  • 25,317 posts

Posted 17 July 2004 - 11:06 PM

JayHubbell, I moved your log to a thread of your own.
http://forums.spywar...showtopic=16139



#182 pomp
    Forum Deity
  • Helper
  • 1,163 posts

Posted 18 July 2004 - 12:30 AM

Hey ducky, great program!! Thumbs up. This isn't really anything bad, but say someone runs a scan and it doesn't remove any files because it didn't delete any, then it shouldn't reset the homepage to Google, because there was nothing wrong. Just a suggestion. I'm sure it's not a complicated code fix. Thanks again for a useful program!!

Edited by pomp86, 18 July 2004 - 12:30 AM.





PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#183 rickstevo
    Member
  • Full Member
  • 3 posts

Posted 18 July 2004 - 07:56 AM

I ran about:buster but I get RUNTIME ERROR 53 FILE NOT FOUND. What now?

#184 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 18 July 2004 - 09:43 PM

Version 1.3 is out!...

MD5's total 51

Download
Updated! (v1.31) Subratam.org
Updated! (v1.31) Atribune.org
Updated! (v1.31) Zerosrealm.com
Updated! (v1.31) Malwarebytes.biz
Updated! (v1.31) Majorgeeks.com

Edited by RubbeR DuckY, 19 July 2004 - 06:33 PM.


#185 expertec
    Forum Deity
  • Retired Staff
  • 690 posts

Posted 19 July 2004 - 03:59 AM

What's in the update?

#186 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 19 July 2004 - 05:57 AM

About 8 extra MD5's and filesizes :p
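
Each About:Buster update in this thread adds "MD5's and filesizes": the tool recognises a variant by file content, not by the random filename it was dropped under. The scanner below is an added example of that approach and is not About:Buster's code. It walks a directory tree, hashes only the files whose size matches a known signature (the cheap pre-filter that makes hashing a whole System32 affordable) and reports content matches whatever the file is called. The three file contents and the single signature are constructed at import time, so none of the hashes is a real About:Buster entry.

```python
"""Match files by content (MD5 + size) rather than by name, the way the
About:Buster updates in this thread add "MD5's and filesizes" per variant."""
import hashlib
import os
import tempfile

# Constructed stand-ins for DLL contents. The signature table is built from
# them below, so none of these hashes is a real About:Buster signature.
SAMPLE_BAD = b"MZ" + b"constructed stand-in for a hijacker dll".ljust(120, b"\0")
SAMPLE_SAME_SIZE = b"MZ" + b"constructed benign file, same size".ljust(120, b"\0")
SAMPLE_OTHER = b"MZ" + b"constructed benign file, different size"

SIGNATURES = {
    hashlib.md5(SAMPLE_BAD, usedforsecurity=False).hexdigest():
        {"label": "variant one (constructed)", "size": len(SAMPLE_BAD)},
}


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, signatures):
    """Return (hits, hashed_count). Only files whose size matches a known
    signature are hashed; the filename is ignored, because the variants in
    this thread use random names (szihy.dll, cjfhb.dll, ...)."""
    sizes = {sig["size"] for sig in signatures.values()}
    hits, hashed = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable, or gone between listing and stat
            if size not in sizes:
                continue
            hashed += 1
            digest = md5_of(path)
            if digest in signatures:
                hits.append({"path": path, "name": name, "md5": digest,
                             "label": signatures[digest]["label"]})
    return hits, hashed


def make_sample_tree():
    """Write the three constructed files into a fresh temp directory:
    the 'bad' file under a random-looking name, a benign file of the same
    size (hashed but not matched) and a benign file of another size."""
    root = tempfile.mkdtemp(prefix="aboutbuster-demo-")
    os.makedirs(os.path.join(root, "WINDOWS", "System32"))
    for rel, data in (("WINDOWS/System32/szihy.dll", SAMPLE_BAD),
                      ("WINDOWS/System32/example.dll", SAMPLE_SAME_SIZE),
                      ("WINDOWS/other.dll", SAMPLE_OTHER)):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    hits, hashed = scan(make_sample_tree(), SIGNATURES)
    print(f"hashed {hashed} size-matching files, {len(hits)} hit(s)")
    for hit in hits:
        print(f"  {hit['path']} -> {hit['label']}")
```

On the sample tree two files share the signature's size and get hashed, and only the one with matching content is reported. An exact-content signature is also why the thread keeps adding MD5s: a rebuilt or repacked variant has a new hash, and a file that the running system hides from directory listings is invisible to a walk like this one, which is the case for scanning from a boot medium or with the disk attached to a clean machine.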

#187 DINIMEDIA
    Member
  • New Member
  • 2 posts

Posted 19 July 2004 - 10:13 AM

Is there a page or could someone give me instructions how to remove the sp.html ---about:blank using aboutbuster.....thanks

#188 cnm
    Mother Lion of SWI
  • Administrators
  • 25,317 posts

Posted 19 July 2004 - 10:26 AM

http://www.atribune....w=findpost&p=82

Available as a click from http://www.ducky.atribune.org/

See also http://forums.spywar...indpost&p=47568



#189 DINIMEDIA
    Member
  • New Member
  • 2 posts

Posted 19 July 2004 - 10:35 AM

Thanks CW... does this program remove the hidden files on the hard drive too?

#190 MattCharles
    Member
  • New Member
  • 2 posts

Posted 19 July 2004 - 12:36 PM

RubbeR DuckY WHAT CAN I SAY? YOU ARE TRULY THE BEST!!!!!!!!!!!!!!!!!!!!!!!!!!!
:wave:

You really saved my computer from that stupid About:Blank crap! :)

The best way to know if this worked: once you restart, your IE will go to its default page, which is www.microsoft.com.
That is how I know this is out of my computer for good! My computer also runs very fast as well. Ad-aware also has an update for this virus, so it won't hurt to scan your computer with that as well! Also with Spybot too, after you do all the steps RubbeR DuckY has told you to do!

RubbeR DuckY, I would marry you but you are not Lindsay Lohan! J/K :rofl: :D

I hope everyone else gets this crap out of their computer and up and running really soon! Thanx once again! :) :wave:

#191 DJ Barcode
    Member
  • New Member
  • 2 posts

Posted 19 July 2004 - 12:38 PM

I'd like to take a moment to thank SWI, RubberDucky, joeb, and everyone else who has contributed to this thread.

Back on May 18th (yes, two months ago), my computer became infected with some sort of CWS variant. All the tools I had at my disposal (CWShredder, Ad-Aware, NoAdware, Spybot Search and Destroy, and HijackThis) removed the symptom (the BHO) but failed to remove or even detect the cause (the super-hidden dll in the system32 folder).

Sorry, RubberDucky, but your tool didn't solve my problem. I didn't have the res:// variant of the bug. But I do thank you and applaud your continued efforts to rid the world of this garbage. Keep fighting the good fight.

After reading through this thread, I was able to finally remove the file that was causing the repeated reinfection - mostly from the posts of joeb. I have a copy (don't know how it got there ;)) of NTFSPRO - an application that allows you to read and write NTFS partitions from DOS. I have it burned onto a bootable CD. The file that was causing my problems was C:\Windows\System32\ctlndio.dll. Like joeb, I was unable to see the file at all from Windows, Windows in Safe Mode, or a DOS box. Once I booted the machine from the CD, I was able to see the file. Then I could rename it and delete it.

I would suspect that there would be another way to delete the file if you don't have NTFSPRO laying around. I think that if I took the hard drive out of the machine, inserted it into my portable USB hard drive enclosure, then plugged it into my other machine, I should be able to see and delete the file. The same should be true if the drive is simply connected to another machine via the IDE interface (or SCSI, if that's the case). I did not try this but I think it would work. Hopefully this helps someone else that is in the position I was in for two months.

If anyone, and I mean anyone, finds out who wrote this garbage, PLEASE provide me with a name and street address. I'd like to "call in a favor."
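
What DJ Barcode describes, a file that is invisible from inside the running Windows install but plainly there when the same volume is read offline, is the basis of cross-view rootkit detection: list the directory from the live OS, list it again from an offline view (boot CD, or the disk attached to another machine), and anything the live view omits or misreports is a candidate. The script below is an added example, not code from this thread or from About:Buster. It assumes you have already saved two listings of System32 as tab-separated `name size md5` text, one captured from a command prompt inside the infected install and one from the offline mount. The sizes, hash values and the `sample_mismatch.dll` entry in the embedded sample listings are constructed for illustration; only the name `ctlndio.dll` comes from the post.

```python
"""Cross-view directory comparison: find files the live OS hides.

Added example, not code from the original thread or from About:Buster.
Assumption: two System32 listings were saved as tab-separated text
("name<TAB>size<TAB>md5"), one captured from inside the infected Windows
install and one from an offline view of the same volume (boot CD, or the
disk attached to another machine). Names are compared case-insensitively
because NTFS is case-preserving but case-insensitive.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    name: str   # file name as it appeared in the listing
    size: int   # size in bytes
    md5: str    # lowercase hex digest recorded by the listing tool


def parse_listing(text: str) -> Dict[str, Entry]:
    """Parse 'name<TAB>size<TAB>md5' lines into a dict keyed by lowercase name.

    Blank lines and lines starting with '#' are ignored. A malformed line is
    a hard error: a silently skipped entry would hide exactly what we look for.
    """
    entries: Dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields, got {len(parts)}")
        name, size, md5 = parts
        entries[name.lower()] = Entry(name, int(size), md5.lower())
    return entries


def cross_view_diff(live: Dict[str, Entry],
                    offline: Dict[str, Entry]) -> Tuple[List[str], List[str]]:
    """Return (hidden, mismatched).

    hidden:     present offline but absent from the live view; the classic sign
                of a file-hiding hook in the running OS.
    mismatched: present in both views but with a different size or hash; the
                live view is serving altered content for that name.
    """
    hidden = sorted(k for k in offline if k not in live)
    mismatched = sorted(
        k for k in offline
        if k in live and (offline[k].size != live[k].size or offline[k].md5 != live[k].md5)
    )
    return hidden, mismatched


# Constructed sample listings (sizes and hashes are made up for the example).
# Only ctlndio.dll is a name taken from the thread; sample_mismatch.dll is fictional.
LIVE_LISTING = """# captured from inside the infected install
kernel32.dll\t983552\t1111111111111111aaaaaaaaaaaaaaaa
ntdll.dll\t708096\t2222222222222222bbbbbbbbbbbbbbbb
sample_mismatch.dll\t40960\t3333333333333333cccccccccccccccc
"""

OFFLINE_LISTING = """# captured from the same volume mounted offline
kernel32.dll\t983552\t1111111111111111aaaaaaaaaaaaaaaa
ntdll.dll\t708096\t2222222222222222bbbbbbbbbbbbbbbb
sample_mismatch.dll\t40960\t4444444444444444dddddddddddddddd
ctlndio.dll\t57344\t5555555555555555eeeeeeeeeeeeeeee
"""


def report_sample() -> Tuple[List[str], List[str]]:
    """Run the comparison over the constructed sample listings."""
    return cross_view_diff(parse_listing(LIVE_LISTING), parse_listing(OFFLINE_LISTING))


if __name__ == "__main__":
    hidden, mismatched = report_sample()
    for name in hidden:
        print(f"HIDDEN from live view: {name}")
    for name in mismatched:
        print(f"CONTENT MISMATCH:      {name}")
```

Feed it the two real captures instead of the embedded samples and the "hidden" list is what to rename or delete from the offline side, exactly as the post describes; the "mismatched" list catches the subtler case where the name is visible but the live OS hands back different bytes than are actually on disk. The listings must come from the same volume at nearly the same time, otherwise ordinary updates show up as false mismatches.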

#192 RubbeR DuckY (Developer, 878 posts)

Posted 19 July 2004 - 01:22 PM

I can't exactly tell you the address; if I had it, I'd be on vacation. I can, however, tell you a few things.

PGPhantom - Edited to remove people's names. Please do not post the names of people assumed to be responsible. We are in the spyware removal game, not in the game of giving out names to start a war... Thank you for your consideration.

#193 star2004 (Full Member, 9 posts)

Posted 19 July 2004 - 03:10 PM

What a pain about:blank is. Spybot "found" nothing.
Ad-Aware found "12 problems", says it got rid of them (not).
Browser Hijack Blaster says your browser's home page changed and will change it back to Google... well, until I switch my computer back on.

A friend told me about Trend Micro's free online virus scan. It found 1 Trojan horse; computer back to normal, no more about:blank. The only problem is it knocked my printer off. Got the printer back on now, but no icon on the bottom right of the screen?
Also Nero Express is not working? Deleted it, reinstalled it, no luck there?
I'm not that good with these computers, please help!

#194 smnitro1 (New Member, 2 posts)

Posted 19 July 2004 - 09:51 PM

14\2133 Items Scanned?
The "About:Buster will now shut down explorer.exe" box keeps popping up.
Do I need to keep clicking on YES until all items are scanned?
Or is this thing replicating?

#195 RubbeR DuckY (Developer, 878 posts)

Posted 19 July 2004 - 10:07 PM

Reboot into Safe Mode and you will not receive as many errors removing files... Buster tries to shut down explorer.exe to remove .dlls :) so that more files can be removed.

#196 Guest_skycom_* (Guest)

Posted 19 July 2004 - 11:48 PM

RubbeR DuckY :wave:

Thanks Buddy :!:

#197 exte (New Member, 2 posts)

Posted 20 July 2004 - 03:01 AM

I scanned with HijackThis and now tried to do the same with About:Buster, but when I try to start it, it says: Run-time error '339'
Component 'MsComCtl.Ocx' or one of its dependencies not correctly registered: a file is missing or invalid

#198 RubbeR DuckY (Developer, 878 posts)

Posted 20 July 2004 - 05:44 AM

For missing MSCOMCTL.OCX, download and run this program from Javacool Software. http://www.spywarein...ngfilesetup.exe

:)

#199 star2004 (Full Member, 9 posts)

Posted 20 July 2004 - 11:49 AM

Hi Rubber Ducky !

Before I came to this board and saw your threads on removing about:blank... As you know, I got rid of it. Now it seems that all my video clips have changed or converted themselves to Media Player format. It's not a problem.

But how or why did it do this? Also, sometimes a little icon at the top left of my screen comes on when trying to play some clips in Media Player, asking me if I want to download the Microsoft ActiveX gallery????

It all started since "about blank".

Help please! :scratchhead: :grrr: :weep:

I'm using Windows Me.

#200 johnnycrash (Full Member, 7 posts)

Posted 20 July 2004 - 04:36 PM

I think my Media Player was messed with by the CWS trojan too. It got renamed to .bak at the same time my notepad.exe got renamed. I uninstalled it and reinstalled it.
