General discussion

  • Creator
    Topic
  • #2293390

    about:blank

    Locked

    by t_pandza ·

    anybody who can help- how to get rid of about:blank from my web browser. Please don’t tell me go and download this or this tool, I already did all of them and nothing helped. I please somebody who really knows that grady stuff under the skin. Thanks a million everyone who is willing to help.

All Comments

  • Author
    Replies
    • #2731557

      about:blank

      by lleddac ·

      In reply to about:blank

      Check Internet options to see if that entry is in “Home page Location”. Next, regedit and search on that key value “about:blank” to see if it is getting the home page location there.

      • #2731466

        Thanks it worked on CNBabe – Adware

        by jimhm ·

        In reply to about:blank

        Thanks I tried your search idea on an Adware that I couldn’t kill – and found it in the Regedit search – thanks for the idea..

      • #2714377

        Remove about:blank

        by sam ·

        In reply to about:blank

        there is a file in the windows\system directory named DKFPCOTF.exe, delete it in dos mode, then run msconfig and uncheck the box related to this file, run regedit and search for the file name and delete anything connected to it…………all will be ok after

    • #3366722

      about:blank

      by jaxmann ·

      In reply to about:blank

      I have the same problem. Ran the regedit, found two places in the registry, deleted, but, something keeps adding it back….what do I do? tks jax

      • #3368543

        Do this

        by mrafrohead ·

        In reply to about:blank

        First, download CWShredder.

        Then Ad-Aware

        Then Spybot

        Then Stinger from NAI…

        Run them in order as follows:

        CWShredder, stinger, ad-aware then spybot.

        Run each one until it says that you are clean, then continue to the next one.

        After you have cleaned all of the crap off of your box, UPDATE IT and stop downloading pr0n dialers.

        If anything is found by Stinger, write down what it is and after you have fixed it, go to the Norton site and download their tool to fix the virus, that way it will put any changes to the registry back the way they are supposed to be, instead of just deleting infected files like Stinger does.

        Any questions or comments???

        BTW – I know, you’ve already downloaded it all, but I’d do it again.

        Mrafrohead

        • #3366092

          Thanks, it worked

          by a.barron ·

          In reply to Do this

          I had the same problem. I did exactly what you said and it fixed the problem. I think it was the Ad-Aware program that did the trick. Thanks!

        • #2726685

          Hit a snag

          by maggielou ·

          In reply to Do this

          When I try to run CWShredder, I get an error message that says, “Unable to start Winsock”. What can I do to remedy this?
          Thanks.

        • #2727108

          How to Fix Winsock Error

          by gerry.lawrence ·

          In reply to Hit a snag

          Microsoft has a great link to help you.
          Click here -http://support.microsoft.com/default.aspx?scid=kb;en-us;817571

        • #2727008

          Another WinSock repair option

          by techinca ·

          In reply to How to Fix Winsock Error

          I had a similar issue and came across a great site that has a Winsock.exe utility that automatically runs the steps outlined by Microsoft in that KB article you reference. Check this out, worked every time! They also have a WinXP version…

          http://www.tacktech.com/display.cfm?ttid=257

        • #2726344

          Worked for me too!

          by giora ·

          In reply to Do this

          I’ve been trying to get rid of about:blank for some time now. You just prevented me from re-installing windows. Thanks

        • #2727216

          Need more help

          by dparham ·

          In reply to Do this

          I ran CWShredder, Stinger, Ad-Aware and then SpyBot…the problem I have is that SpyBot never gets “clean”..I run it over and over and after the 1st time (when it found a few more) it keeps finding 5 “DSO Exploits”. I “fix the problem” but when I run it again they are there again. I have tried re-booting between each step. Any other suggestions?

          Thanking you in advance for any and all help.

          dparham

        • #2727148

          A radical approach

          by arthurp ·

          In reply to Need more help

          Hiya,
          Over the past couple of days I’ve been investigating the purpose and functionality of the “c:\windows\prefetch” and stumbled across John Sheesley’s article “Use XP’s Prefetch feature to improve system performance” – 17th March 2004 – which provided an insight into the functionality of “prefetch”.

          I believe that the solution to your problem may well be to
          * clear the known files
          * remove the entries from the Registry
          * Remove the known files from c:\windows\system32\dllcache
          * then either delete all files / or just known files from within c:\windows\prefetch

          If you are unsure then please read John’s article before proceeding …

          John Thanking you … the article provided a tangible train of thought powered by caffeine through the early hours of the morning, which led to the removal of the SpyBot from a machine that I had deliberately infected.

          Arthur

        • #2727114

          DSO Exploits

          by rdosuna ·

          In reply to Need more help

          I have run across the same problem with DSO Exploits from Spybot. This is what fixed that for me and I did it on several machines. Once Spybot is done and it shows the “DSO Exploits”, expand them by clicking on the “+” to the left on the list. This will show you the registry entries from the 5 exploits. Then go to regedit and delete those entries. They will never come back and Spybot will run clean. I have used this on 12 machines and it has worked every time.

        • #2727111

          Thank you and….

          by dparham ·

          In reply to DSO Exploits

          Please forgive my ignorance but when I tried to “go to regedit and delete those entries” I get an error saying “Cannot delete…error deleting key”…can you offer any further suggestions? Do I try to delete the whole file (S-1-5-18 for instance)? That is what I was trying to do when I get the error.

          I notice that after I have run SpyBot my browser works OK..until I close SpyBot and then I am back to about:blank again

        • #2727109

          Don’t delete, re-create

          by pillbug22 ·

          In reply to Thank you and….

          This is a known bug in SpyBot. While SpyBot tries to fix the problem, it doesn’t fully fix it. SpyBot tries to delete the invalid keys (low security settings), then re-create them with tighter settings.

          But, SpyBot re-creates the keys as a REG_SZ, when they should be REG_DWORD. You need to re-create these keys as REG_DWORD and set the value to 3. This prevents a common DSO exploit from being able to run.

          For full details, read:

          http://forums.net-integration.net/index.php?showtopic=15308&st=0

        • #2727106

          More help…

          by dparham ·

          In reply to Don’t delete, re-create

          Again please forgive my ignorance, I have no technical expertise. Can you tell me how to “re-create” those keys? I tried to rename them and entered the value of 3 but I must have done it wrong because I am still getting the about:blank page. I read the article you referred to but the last post basically asks what I am asking now.

          Thank you very much for your help.

        • #2725014

          I have found help

          by alegna159 ·

          In reply to Thank you and….

          Hi, You need to go to either one of these websites for help: http://forums.tomcoyote.com/ , scroll to Hijackthis Logs And Problems (OPEN) or this website http://forums.us.dell.com/supportforums/board?board.id=si_virus.

          There are really great people at these sites that will instruct you on how to get rid of your spyware, adware, malware and fix a hijacked browser. They will want to have you post a HijackThis log. But for starters just go to one of those sites and ask for help. They will walk you through everything that you need to download, how to post a HijackThis log and then what to do next. I have gone to both sites for quite awhile now and have nothing but good luck.
          They are really busy right now as there seems to be an explosion of about:blank hijacks.
          Good Luck!

        • #2711552

          DSO Exploits

          by kls91061 ·

          In reply to DSO Exploits

          i have 5 dso exploits on my computer that spybot has found. i have no clue on how to get rid of them. could you help? thank you
          korina sanders at kls91061@cebridge.net

        • #2711550

          dso exploits

          by kls91061 ·

          In reply to DSO Exploits

          could you tell me the way to delete them? i get to the windows part and there are so many to choose from i don’t know which one to delete.

        • #2716274

          removing dso exploits

          by Anonymous ·

          In reply to DSO Exploits

          SPYBOT DETECTED 5 DSO EXPLOITS I DELETED THEM WITH XP’S REGISTRY EDITOR. THE PROBLEM IS WHEN I RAN BACKUP , ALL THE DELETED REGISTERIES CAME BACK AS CORRUPTED FILES AND BACKUP STOPPED

          COULD NOT ACCESS PORTIONS OF DIRECTORY
          DIRECTORY MAY BE MISSING OR DAMAGED

          I USED SYSTEM RESTORE TO A GOOD RESTORE PT. AND BACKUP WORKED.

          SOMETHINGS WRONG WITH JUST DELETING REGISTERY FILES

        • #2706375

          !about:~nothing

          by paul.osterhus ·

          In reply to DSO Exploits

          s/`/==/

        • #2725192

          DSO Exploits

          by mrafrohead ·

          In reply to Need more help

          To fix those, stop using IE. They are being reported to you because IE is just plain broke.

          MicroCRAP can’t get their shit together to fix it properly. They released a patch this week to fix the ADOB.STREAM but there is a different variant to that that was discovered almost immediately.

          SO – don’t just disregard the exploit listed, there are instructions within the program that you are using on how to fix it. I recommend updating your windoze, scanning again and then following any additional instructions from there…

          USE MOZILLA or FireFox! That will help more than anything.

          Lemme know if you need any further advice…

        • #2727056

          Reply To: about:blank

          by wcga12 ·

          In reply to Do this

          Excuse me, what exactly is a pr0n dialer? I wasn’t sure if that was a typo for the word porn or not. Thanks

        • #2725191

          pr0n dialers

          by mrafrohead ·

          In reply to Reply To: about:blank

          Yeah, it’s another way of saying porn dialer…

          It was intentional ;p

          I just think that porn is such a dirty word and pr0n gets me all excited ;-)…

          Newho – happy weekend.

        • #2713840

          Seriously – Adaware works…

          by learnbydoing ·

          In reply to Do this

          I had the same problem in one of our salespeople’s HP laptops. I don’t know what they downloaded or got into, but I kept trying to fight with it in the registry. Finally, I downloaded Lavasoft’s Adaware 6 and it fixed it with very little effort.

    • #3368715

      about:blank

      by jencarnacion ·

      In reply to about:blank

      got the same problem and tried regedt32 using winXP. No luck! This about:blank is nasty. Very simple solution, restore system to few day old setting and everything works like a charm!

      • #3368684

        about:blank

        by prabhakar.kudva ·

        In reply to about:blank

        I am having an “about:blank” problem on my Windows 98 machine since yesterday (6/14/04). I am new at this, so please how precisely do I “restore system to few day old setting”? I would appreciate your advice. Thanks!

        • #3368596

          CW Shredder tool

          by pcnetworktech ·

          In reply to about:blank

          You will need CWShredder tool to get rid of the problem. Do a search at google.com or visit
          http://www.spywareinfo.com/~merijn/downloads.html

        • #3367294

          CW Shredder Tool

          by tecbal ·

          In reply to CW Shredder tool

          I spent two days working on my about:blank problem. Most of the time was spent correcting changes this bug made to several Norton files which wouldn’t let me scan for any virus. I finally heard about your recommendation to use CW Shredder and it corrected the problem and Norton, after scanning got rid of the junk that the bug created. I assume it was spyware. Thanks again … saved a lot of time and trouble.

        • #2727059

          You Don’t

          by ddissent ·

          In reply to about:blank

          Windows 98 does not have a system restore feature. It first appeared in Windows ME (which, might I add, I would rather be tortured by Saddam Hussein than use that OS)
          I’m not a big fan of the whole system restore idea anyway. I’d rather wipe the system clean and start fresh than restore.
          Good luck

        • #2725188

          System restore on ME or XP only

          by mrafrohead ·

          In reply to about:blank

          If you are using 98 you don’t have that feature. IMO I wouldn’t run out and upgrade to XP to get it either. ;p

          Use 2k…

          Newho – I posted at the top and at the bottom on what to do. I would use those and it will fix your problem. Good luck.

    • #3366757

      ABOUT:BLANK

      by kuelze ·

      In reply to about:blank

      I might have found the ABOUT:BLANK culprit. I had this malware for weeks and have tried all the fixes listed on the various forums. HijackThis, Adware, CWShredder and BHODemon all were only temporary fixes. The malware always returned after a random time delay. The problem being that none of these utilities are capable of finding the hidden DLL that really causes the problem. For example a HijackThis excerpt shows the following–

      R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
      R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
      R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
      R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
      R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
      R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
      R1 – HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
      O2 – BHO: (no name) – {2494468C-C5D6-11D8-97A7-001058ABCC46} – C:\WINDOWS\SYSTEM\FHFH.DLL

      The FHFH.DLL name will change each time the malware has to re-vitalize itself. The real identifier of this malware register entry is the BHO (no name)

      If one were to check these entries in HijackThis and ask HijackThis to fix these items and you run Adware and CWShredder the problem might appear fixed but it is only temporary. Somewhere a DLL lurks that creates the FHFH.DLL (or whatever it is called). With some testing the detail of which I’ll not go into here it can be shown that FHFH.DLL puts all the above R1 and R0 entries into the register and creates the sp.html file. The sp.html file is what appears on your ABOUT:BLANK iexplorer screen. ABOUT:BLANK is not a URL directing the iexplorer to the site shown.

      The way I found the hidden DLL is as follows-
      Go to this site —
      http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

      1. Download WIN98FIX.ZIP. It does not matter what operating system you have the utility that you need to use is a DOS utility.

      2. After you unzip this file copy XFIND.COM and WHO.Bat to a new directory that you make. I made a directory called C:\FILE_FIND

      3. Now open a DOS window. To open a DOS window select START/RUN and type COMMAND and then enter.

      4. Do a CD.. any number of times to get back to C:\. For those not familiar with DOS commands CD is Change Directory and the .. take you back one level. At the C:\ do a CD WINDOWS and then a CD SYSTEM. Now the prompt looks like C:\WINDOWS\SYSTEM. For those of you with other windows operating systems this might look like C:\WINNT\SYSTEM.

      5. Now do the following command C:\FILE_FIND\XFIND.COM “ZZZZZZZ”. There will be a pause while XFIND attempts to find all files with a ZZZZZZZ string. When the results are returned at least one of the results will look like MSKLK.DLL +++ File Read Error. I have chosen MSKLK.DLL because it is the bad DLL on my system but it could have another name on your system.

      6. Now go to your WINDOWS EXPLORER or whatever you use to do file searches with and attempt to search for the bad DLL which was MSKLK.DLL on my computer. The search routines will not find this file. Somehow the malware is able to install a file on your computer that no normal windows search routine will find and don’t tell me that I don’t check for all types of files set in the properties of my EXPLORE because I do.

      7. Next go back to your DOS window which you should still have open and attempt to rename this file. For example the command is RENAME MSKLK.DLL ASKLK.DLL. Remember the prompt must be at C:\WINDOWS\SYSTEM when you try this command. You should get a message that says the file is in use by WINDOWS and can’t be changed.

      8. You can investigate further by using Process Explorer from http://www.systinternals.com to check the DLLs associated with every EXECUTABLE running in your computer and you will NOT find MSKLK.DLL associated with any of them yet it is running because you can’t change its name.

      9. To get rid of this malware you have to boot up in the DOS mode and change its name. To do this boot your computer and hit the F8 key repeatedly during the BOOT process. A selection menu will appear. Select DOS mode which is selection number 5 for Windows 98 users. Repeat step 4 and step 7 and this time the name will change.

      10. Now use HijackThis, Adware, CWShredder to clear up the rest of the malware. Note that these utilities fix the register but they do not delete the files. Go to C:\WINDOWS\TEMP and delete the sp.html file shown above, e.g.
      R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
      and the FHFH.DLL file whatever its name is in the above
      O2 – BHO: (no name) – {2494468C-C5D6-11D8-97A7-001058ABCC46} – C:\WINDOWS\SYSTEM\FHFH.DLL

      11. Now you should no longer be bothered by ABOUT:BLANK being made your default screen, but we have not totally eliminated MSKLK.DLL from the computer because it exists in some devious way in the system registry. By this I mean none of the Registry search routines are able to find this entry and I assure you I tried a lot of combinations of searches. Maybe someone can figure out a way to find it. If so please let me know.

      In closing all of the above directly relates to WINDOWS 98. If you are using another version of WINDOWS you will have to adjust somewhat. All of my computers are WINDOWS 98, therefore I cannot tell you the specific steps for the other windows operating systems. This whole thing amazed me that malware could install a hidden DLL on my computer that could not be found by any search routine even though this DLL had only a simple archive attribute. Somehow WINDOWS will not report this file because it is not a valid WINDOWS DLL but yet it can be made to run by the proper registry entries.
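      An added example, not part of the original post: a small Python triage of HijackThis log lines that flags the indicators this thread keeps returning to (search pages served from a local file or DLL resource, values marked obfuscated, the HomeOldSP value, and a BHO with no name). The rule names and the sample log are constructed for illustration; the sample reuses the line format quoted in the thread plus one invented benign BHO.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the format of the HijackThis excerpts quoted in this
# thread; the last line is an invented benign BHO added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2494468C-C5D6-11D8-97A7-001058ABCC46} - C:\WINDOWS\SYSTEM\FHFH.DLL
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# Logs pasted into forums often have "-" converted to an en dash; accept both.
SEP = r"\s*[-\u2013]\s*"
R_LINE = re.compile(r"^(R[0-3])" + SEP + r"([^,]+),([^=]+?)\s*=\s*(.*)$")
O2_LINE = re.compile(
    r"^O2" + SEP + r"BHO:\s*(.*?)" + SEP + r"(\{[0-9A-Fa-f-]+\})" + SEP + r"(.+)$"
)
OBFUSCATED_TAG = "(obfuscated)"


class Finding(NamedTuple):
    line_no: int
    rule: str       # rule names are this example's own, not HijackThis terms
    artifact: str   # file path or value the rule fired on


def local_artifact(url: str) -> Optional[str]:
    """Return the on-disk file behind a file:// or res:// URL, else None."""
    m = re.match(r"(?i)res://(.+?\.dll)/", url)
    if m:
        return m.group(1)          # the DLL that embeds the page resource
    m = re.match(r"(?i)file://(.+)", url)
    return m.group(1) if m else None


def triage(log_text: str) -> list:
    """Flag hijack indicators in HijackThis R0-R3 and O2 lines."""
    findings = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, _key, name, data = m.groups()
            obfuscated = data.endswith(OBFUSCATED_TAG)
            url = data[: -len(OBFUSCATED_TAG)].strip() if obfuscated else data.strip()
            path = local_artifact(url)
            if path:
                # A search or start page should not live on the local disk.
                findings.append(Finding(n, "local-search-page", path))
            if obfuscated:
                findings.append(Finding(n, "obfuscated-value", url))
            if name.strip() == "HomeOldSP":
                # Present in both hijacked logs quoted in the thread.
                findings.append(Finding(n, "HomeOldSP", url))
            continue
        m = O2_LINE.match(line)
        if m and m.group(1).strip().lower() == "(no name)":
            findings.append(Finding(n, "unnamed-bho", m.group(3).strip()))
    return findings


def files_to_inspect(findings: list) -> list:
    """Unique on-disk files referenced by the findings, for follow-up."""
    rules = {"local-search-page", "unnamed-bho"}
    return sorted({f.artifact for f in findings if f.rule in rules})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.rule}: {f.artifact}")
    print("files to inspect:", files_to_inspect(results))
```

      The files this reports are the visible artifacts only. As the thread describes, the hidden DLL that regenerates them does not appear in such a log, so a clean result here does not show the machine is clean.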

      • #2723511

        about:blank

        by tuomo.korkala ·

        In reply to ABOUT:BLANK

        I’m using XP Pro and was able to find the hidden dll using the described method. My dll was named D3DBNMJ.DLL, but it was different from Win98 as it was found in windows/system32-folder rather than windows/system-folder. Also, when trying to rename it I got the “The system can not find the file specified”-message. Hopefully someone figures out how to get rid of this in XP!!

        • #2723503

          About:blank

          by noneedtoknow ·

          In reply to about:blank

          I battled this about:blank for 2 weeks before defeating it so I will be happy to share. First was the Spybot S&D, then Ad-Aware – both of these detected CoolWebSearch and “removed” them. Well, next time I launched IE, it was back. I reran them, deleted Temp Internet files, temp files and cookies and emptied the recycle bin, checked the registry and then rebooted. IE was fine and then I was back to about:blank. CWShredder did not work either. I looked at the source of about:blank and there was a redirector that was obscured so I copied the URL and put it into http://www.netdemon.net/decode.cgi and found it pointed to a file on my C: drive that was obviously randomly named. Deleted that badboy and unregistered it. Still came back. Then I changed from NAV to McAfee AV, which picked up 2 trojans in my temp internet files. Whacked those and then set AdAware to kill processes of DLLs that were running – you can do this through the options tab. That seemed to do it. No problems for 2 days.
          So, to sum up… clear your temp internet files, cookies as well as any other users files that may log on to your machine – it can run out theres. Run adaware in bad ass mode so it kills and deletes processes that are running and delete or quarantine them. Then, empty your recycle bin as well. I wish I had more detail as to what I did, but after a week, it got somewhat convoluted.

        • #2704370

          Quick and dirty removal procedure

          by mattk ·

          In reply to About:blank

          A good removal procedure for getting rid of this bugger is found at http://forums.thetechguys.com/archive/index.php/t-5122.html. I have used it several times and it works.

          Some notes that will help save you aggravation that are not in the procedure:

          Do everything in safe mode.
          Delete every user’s temporary internet files from c:\documents and settings\*user name*\local settings\temporary internet files
          Run a search on Notepad.* and see if there is a notepad.exe.bak file. If there is, rename notepad.exe and rename notepad.exe.bak notepad.exe (I have not found this on all the machines, but if this condition exists, the about:blank redirector will reappear).

          Good luck!

        • #2727090

          Hidden DLL

          by fernando.villalobos ·

          In reply to about:blank

          How did you determine that a string “ZZZZZZZ” has to be searched in order to find the bad .DLL?

        • #2724974

          Found the solution

          by tuomo.korkala ·

          In reply to about:blank

          OK…So I have been fighting this thing for some time and now I have been about:blank-free for 5 days so I guess it’s safe to offer a solution here. I can not take the credit so I’ll post the fix I found on another site. Here goes…

          I just wanted to thank ComputerCops and Akadia in Thun,Switzerland for getting me on the right track!

          Here is what I found to cure my situation of having home page hijacked to a pseudo “about:blank” page. By the way, the real web page is revealed below.

          To Remove “About:Blank” Hijacker Adware In Windows XP Home edition Service Pack 1 with Internet Explorer 6.0 (probably works in NT and 2000 with some directory name changes only)

          My Norton Antivirus did not detect this trouble and I’ve read Several confusing approaches that did not work for me.

          Programs Needed:

          Reglite.exe (available at ” <http://www.resplendence.com/download/reglite.exe> “)

          Microsoft Recovery Console
          (an option available on your Windows CD or root drive) run “X:\i386\winnt32.exe /cmdcons” where “X” is either CD drive letter or is “C” for your root.

          HiJackThis.exe
          (available at ” <http://download.com.com/3000-2144-10227352.html> “)

          There are two application extensions (.dll) files that Need to be deleted. One is hidden (thanks Akadia!), one is detected with “HiJackThis.exe”

          1) With “Reglite.exe” find name of hidden file:

          Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows”. The “value” window reveals the hidden file name. (mine was “hlpl.dll”, yours may be different!) In this example let’s call it “hidden.dll”

          2) Rename the hidden file:

          Close Windows and reboot using “Windows Recovery Console”. Go to “c:\Windows\system32” and do two things. Change file from read only by typing “attrib -r hidden.dll”. Then rename it (I don’t know why, but this procedure did not work until I renamed it): type “rename hidden.dll nasty.dll” (and remember that “hidden.dll” is for this explanation only, use the name you found earlier). Type “exit” and reboot to Windows.

          3) Edit registry to remove hidden file

          Run “reglite.exe” again. Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows”. Delete the file in “value” window, the “size” window changes also. “Apply” changes and exit “reglite.exe”

          4) Edit registry to remove the second file

          Run “HiJackThis.exe” and scan the registry. Check the boxes to remove the following entries:

          R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
          R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
          R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
          R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
          R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
          R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
          R1 – HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

          (as you can see my second .dll was called “jheckb.dll” yours may be different) For this example let’s call it “obvious.dll”.

          Finally delete the two .dlls (“hidden.dll” and “obvious.dll”) You should be running again.

          By the way, if you go offline with Internet Explorer and type OK to these nasty adware windows you will see the guys who benefit from this hijacker. I found: http://www.palsol.com http://www.likesurfing.com
          http://www.vn.msie.cc (the real web page)

          They seem to be selling “adware/spyware protection” Pass the word, Boycott them, Who needs to be extorted for “protection money”?

          That was the thing that worked. Really, the problem is the hidden dll. Unless that is removed the bas…d will come always back.

          -Tuomo

      • #2725957

        Finally

        by tmcgrath ·

        In reply to ABOUT:BLANK

        I’ve been fighting about:blank for a long time and many hours. I can’t wait to get home to my PC and BEAT IT !!

        I’ll let you know how it goes.

        Thanks for sharing!

      • #2726850

        about:blank

        by srankin ·

        In reply to ABOUT:BLANK

        Am having this familiar about:blank hijack on win98. I downloaded WIN98FIXzip, but after opening it, I was prompted by media player (is that what it should open with?), that the file is either corrupt, or the Player doesn’t support the format. I have downloaded MPlayer 9, and have the same prob.
        Any ideas on how I can obtain WIN98FIXzip?
        Thanks

        • #2724602

          Open With

          by millergh ·

          In reply to about:blank

          It is possible that the last time you opened a zip file you associated all .zip files to the Media Player. Try right clicking on the file and do a “open with” and select Winzip. If Winzip is not an option you can try to browse to it. The other way to do it is to open Winzip, select extract and browse to the WIN98FIX.zip file. If you do not have Winzip installed, go and download it and associate all .zip files with it.

        • #2725222

          got it open

          by srankin ·

          In reply to Open With

          Hey, thanks for the suggestion. I actually didn’t have winzip at all, so after downloading it, I got the file open.

      • #2727218

        Can’t find Who.bat

        by deeg ·

        In reply to ABOUT:BLANK

        I downloaded and unzipped Win98fix.zip but WHO.Bat wasn’t there. Where can I find it? Or tell me what’s in it so I can recreate it.

      • #2727105

        where to get win98fix?

        by dwbrowne ·

        In reply to ABOUT:BLANK

        I followed the link & got message:

        This is a deleted or missing site on 100FREE.COM the best in free web
        hosting!

        is there another source for this, or could you post it somewhere for us?

      • #2725214

        can’t locate problem dll

        by srankin ·

        In reply to ABOUT:BLANK

        I followed your outline, but when i ran xfind, it didn’t turn up a dll like the one you described. I searched all of the dll’s it did call up, and was able to locate all of them.
        How can i find this problematic file?

      • #2716919

        Thanx!

        by fort1t ·

        In reply to ABOUT:BLANK

        Had I read your closing statement more closely, I would have realized you were working in 98. I am XP. Your instr were fine; my diff was the dir was system32, file named sqlhbi.dll, step #7 my msg was could not find file, step #9 I had to boot to recovery console.
        Additional steps – renamed it (changed to .dat) and then booted back to normal thinking would be able to toy with the file at my leisure as it had done with me for so long. After the name change and back in normal, a review of the registry (HKLM\Soft\Micro\WindowsNT\CurrentVer\Windows\AppInitDLLd) and there was my culprit. Many postings advise to look here for your hidden dll but the system can not see it so mine always showed empty. As soon as I renamed it, the orig name showed.
        However, the file still had a couple tricks up its sleeve. I was still unable to delete the file. Had to remove the read only attribute before I could delete the thing. We shall see how long this works, but now that I am aware of this OS deficiency, I can address more quickly. I was amazed at the fact that xfind could see the file, locate command could see it, but nothing to get rid of file. I was about to try some batch method when I came across a posting on super hidden adaware dll files on lavasoft. The posting was edited for some reason, but gave me the idea to try recovery console. Again, thanx!

    • #2726177

      For general help

      by Jay Garmon ·

      In reply to about:blank

      The suggested remedies in this thread are pretty solid, as far as I can tell, but I’d be remiss if I didn’t throw a product plug out there.

      We have an antispyware product–Quick Guide: Spyware Detection and Removal–for under ten bucks which tells you how to handle a broad range of these types of threats, and reviews a lot of the leading sweeper programs. You can get to the catalog page here:
      http://store3.esellerate.net/store/catalog.aspx?s=STR1275272029&pc=

      There, I’ve done my commercial deed for the day.

      –Jay

    • #2726121

      15 minutes…done

      by relm ·

      In reply to about:blank

      After trying all that I read here plus some other ideas from security groups, I was amazed to see it found and gone in 15 minutes. My super tech looked at, did a regedit, and deleted a string of files. Cleaned up some things and rebooted my system. It’s gone! It pays to have an expert.

      The files were all created 8/23/2001 @ 700am on my computer. I am running XP Pro.

      The other thing is that they all had CINTL_ _ _ or CIJHLP_ _ _ .IMD, or .HLP file names.

      I would say it is time to go to MOZILLA or some other browser. While we wait for Microsoft to clean house.

      BE:)

      Robert Elm
      [HEGL International]
      9812 Pleasant Avenue South, Suite 100
      Bloomington, MN 55420-4702

      952-884-4692 Home Office
      relm@usinternet.com
      ISO 17799 Information Security Management Systems
      (BSI Qualified Implementation Management & Auditor)
      http://WWW.heglintl.com

      • #2727122

        about:blank fix

        by pcarver ·

        In reply to 15 minutes…done

        I battled this for a few rounds on a client’s computer running winxp. Using all the normal cleanup tools I could clear things but they would eventually return. The following is a description I found on the net that finally cleared things for me. Hope it helps.

        Pat

        Removing the “About:Blank” Virus from W2K
        ——————————————————————————–

        Overview

        You may notice that your Home Page Setting in Internet Explorer is kept being reset to about:blank and there was a search page that would startup. Even if you reset it to something else it will be reset back to about:blank after a while. We run Norton Antivirus – without success!

        There are two malicious .dll files on your computer. One is visible and can be easily deleted. The other is HIDDEN. The hidden .dll regenerates the viewable .dll if it is deleted or changed. The hidden file is the problem.

        To rid yourself of the hidden .dll, which is the core of the problem, do the following.

        Solution

        Step 1

        The key is to find the hidden DLL, since there are two, one will be modifying your internet explorer pages and resetting them to about:blank, the other is hidden and loaded at all times.

        Use Regedit to go here.

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

        Then double click:

        AppInit_DLLs

        You should be able to see a file with this address:

        C:\Windows\System32\”Hidden”.dll

        For example on my W2K box, the hidden file is called wdm.dll

        Step 2

        Install the Windows Recovery Console Option if not already done:

        The Windows Recovery Console is not the plain DOS prompt you can find in your START menu, here’s how you can access this console:

        (X = your CD Drive)
        1. Pop in the Win2000/WinXP CD.
        2. Run X:\i386\winnt32.exe /cmdcons
        3. A dialog comes up saying it takes 10mb, etc., etc. – Click yes to install.

        If you already see the boot menu you’re done. If you don’t then let’s make it appear:

        Right Click My Computer
        Click Properties
        Click advanced tab
        Click startup and Recovery Settings
        Check Time to Display List of Operating Systems
        Set the timeout to something reasonable like 10 seconds
        Apply the settings, reboot, and you should see the new option to go into the recovery console. You’ll need the Administrator password for your computer to access the console.
        Then, in the Windows Recovery Console, go to C:\Windows\System32 and modify the file by using the Attrib command, otherwise you won’t be able to erase it; another way is to change the name of the file.

        C:\Winnt\System32: rename wdm.dll about_blank
        C:\Winnt\System32: attrib -R about_blank

        Step 3

        Reboot your system and open regedit, go back to the same key:

        AppInit_DLLs and delete the value.

        Now you can reset your Home Page Setting for Internet Explorer to your desired Page.
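
The AppInit_DLLs check in the post above, together with the earlier report in this thread that the value showed empty until the DLL was renamed, can be run as a two-view comparison. This is an added example, not part of any post: it parses two saved `reg query` text captures, one from the running system and one taken once the DLL is no longer loaded, and reports entries that only the second view shows. The sample captures, function names and the allowlist parameter are assumptions of the example.

```python
import ntpath
import re

# Captures are assumed to come from:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
# Only spaces/tabs are allowed between fields, so an empty value cannot
# swallow the following line of the capture.
_VALUE_RE = re.compile(
    r"^[ \t]*AppInit_DLLs[ \t]+REG_(?:SZ|EXPAND_SZ)[ \t]*(.*)$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: the view from the running, infected system (value looks empty).
LIVE_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
"""

# Constructed sample: the same value once the DLL is no longer loaded
# (for instance after the Recovery Console rename described in the thread).
CLEAN_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\System32\wdm.dll
"""


def parse_appinit(reg_query_output):
    """Return the DLL entries listed in AppInit_DLLs (possibly an empty list)."""
    match = _VALUE_RE.search(reg_query_output)
    if not match:
        return []
    # Windows reads the value as a space- or comma-delimited list of DLLs.
    return [p for p in re.split(r"[ ,]+", match.group(1).strip()) if p]


def _key(entry):
    """Compare entries by lower-cased file name, ignoring quotes and directory."""
    return ntpath.basename(ntpath.normcase(entry.strip('"')))


def compare_views(live_output, clean_output, allowlist=()):
    """Return (entry, status) pairs for every entry not on the allowlist."""
    allowed = {_key(a) for a in allowlist}
    live_entries = parse_appinit(live_output)
    clean_entries = parse_appinit(clean_output)
    live_keys = {_key(e) for e in live_entries}
    clean_keys = {_key(e) for e in clean_entries}

    findings = []
    for entry in clean_entries:
        if _key(entry) in allowed:
            continue
        if _key(entry) in live_keys:
            findings.append((entry, "listed in both views"))
        else:
            # Present in the registry but filtered out of the live view:
            # the symptom reported in this thread.
            findings.append((entry, "hidden from live view"))
    for entry in live_entries:
        if _key(entry) not in clean_keys and _key(entry) not in allowed:
            findings.append((entry, "only in live view"))
    return findings


if __name__ == "__main__":
    for entry, status in compare_views(LIVE_SAMPLE, CLEAN_SAMPLE):
        print(f"{status}: {entry}")
```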

      • #2727120

        Has anyone tried HiJack this?

        by malcorn ·

        In reply to 15 minutes…done

        I have had several hijacks on computers for several different companies that I support and have found that this program is extremely good, since it goes directly to the registry and checks on hijacks. But please remember whenever you are editing the registry, damage can be done. This is not for the squeamish or foolish.

      • #2727061

        Use a different Browser

        by blarman ·

        In reply to 15 minutes…done

        “I would say it is time to go to MOZILLA or some other browser. While we wait for Microsoft to clean house.”

        I have been using “alternate” browsers for years. I started with Opera, then went to Mozilla and now Firebird. Each browser has its +’s and -‘s with certain things, but I initially switched browsers to block pop-up ads. It’s been a great secondary benefit that I don’t have to worry about the IE exploits which seem ubiquitous.

      • #2727029

        Buster is here

        by goofytek ·

        In reply to 15 minutes…done

        http://www.majorgeeks.com/download4289.html
        info on using it is here too
        Bye retired Techie Keith

    • #2724700

      about.blank

      by reddjohnny ·

      In reply to about:blank

      Webmaster downloaded software fixes to remove about.blank from Windows Operating System program. About.blank is written in at least two places in the program and is encrypted. The software decrypted the code and names the file. Upon finding the code, the programs were initially successful in removing about.blank. After a few startups, the hijacker returned. Evidently, the virus remembers its IP addresses and returns irrespective of removing the code from the program.
      This requires then an interruption in the execution of the program startup. First the operator must make the Internet Options dialogue box part and parcel of his desktop. This must be located either on the screen or just off the screen enough to get out of the way. I just simply move all my icons to the left side and place the Internet Options box on the right.
      Go through your normal steps to select your startup web site and after you click apply, leave the box open and move to a convenient place. DO NOT CLOSE THE BOX.
      Upon the startup, the selected website will be the site that opens, and not the ubiquitous about.blank. After your internet session is over, close the internet, delete cookies and files if needed, but still leave the box open. When you go back to revisit the website, erase the m in com and retype the “m” so the apply box will be reactivated. The operator will again circumvent the about.blank website and foil their efforts once again.
      I am not sure that removing the code is a permanent fix, simply because the hijacker will continue to hijack your computer because it has your address already and just will simply continue to check to see if you are still using the hijacker virus.
      The only way to foil the tricksters is to use the costly time they want you to spend with their website with your own shenanigans. Since so much depends upon your being able to adjust your settings to fit the web sites you are visiting, having the Internet Options box open all the time will save you the time and effort to constantly go back and forth (which at least for a while you will be doing anyway) to make the changes. In addition to removing the daily accumulation of cookies and files, you now have the benefit of being constantly reminded of the importance of periodically adjusting your security to the type of web site you desire.

      I use this as a regular feature on the desktop. When an individual sees the value in the open box, perhaps they will be less likely to worry about the about.blank site. And that is what everything is all about anyway!

      • #2727113

        reddjohnny missing the point

        by mikeydsc ·

        In reply to about.blank

        Sure you could do as you suggest but you are defeating the purpose of security. Doing the above will still leave the malicious code on your system and things will still download in the background and eventually your system will die a slow and painful death. Get rid of this bug that is running in stealth mode before it’s too late.

    • #2727140

      about:blank

      by timthumb ·

      In reply to about:blank

      Did anybody mention that you should disconnect from the Internet when doing the repairs? Just wondering.

    • #2727119

      The “real” ‘about:blank?’

      by jrpayton ·

      In reply to about:blank

      No one has mentioned that “about:blank” is a legitimate option for default Home Page in IE’s Internet Options. I’ve been using it for years so I don’t have to wait for IE to find some page I don’t want. How can I tell if a hijacker has replaced my “about:blank” with his “about:blank?”
      Does this have anything to do with a print hijacker which prints atdmt, doubleclick, or mediaplex ads when I try to print a Webpage?

      • #2727107

        Not actually a blank page

        by pillbug22 ·

        In reply to The “real” ‘about:blank?’

        If you’re infected, the address bar says about:blank, but it’s actually pointing to a sp.html page that has been downloaded to your PC (which is a search page). You’ll also frequently get pop-ups letting you know you’re infected with spyware.

        A lot of the posts on here have the registry keys that get changed to change your settings in IE. The real kicker is that it uses a hidden process to reload itself every time you restart, change the IE settings.

        • #2718011

          RE: Not Actually a Blank Page

          by burnett1 ·

          In reply to Not actually a blank page

          Actually, there is at least one variant to this Hijacker in which the about:blank page is in fact still a blank page, however you can’t change your homepage back. See the following link for more details:
          http://www.adwareaway.com/homeoldsp.htm

          I have been fighting this thing for two weeks. I think I finally have it licked. Thanks guys.

    • #2727110

      Please give more details

      by techpro34yrs. ·

      In reply to about:blank

      About Blank, in your message is not much to go on. Do you mean when Internet Explorer comes up the screen is blank??? with the message “unable to locate website”? My first guess would be, you might have gotten a worm virus and it won’t let you surf the internet or open your browser. Update your Virus definition list to catch any new viruses and scan the C-Drive on your computer. If you see welchia or Blaster worm discovered then you’ve been hit. FYI, when needing help in the future always give as much detail as possible. This will ensure that any tech can give you the proper procedure to correct any problems you are having. If you’ve let your anti-virus expire, then go purchase Norton 2004 anti-virus software and load it on your PC and run a scan. Let me know what happens.

      • #2727063

        Nope – This sets itself as your url home page

        by jimhm ·

        In reply to Please give more details

        No – it set itself as the home page on your internet explorer – About:Blank – in the URL.

    • #2727096

      Don’t forget safemode

      by beenthere-donethat ·

      In reply to about:blank

      Since many of the DLL’s, etc. are active when running in normal mode, it works much better to run the cleaner programs in safe mode. Most of the startup is bypassed and the nasty little things are locked in.

    • #2727094

      about:blank and res://*\*.html sites

      by p_korman ·

      In reply to about:blank

      I run into this problem on a daily basis. Myself and the techs in my shop have spent untold hours trying to correct the problem. So far there hasn’t been any kind of a viable solution. If you want your machine to work properly again in anything that resembles good time…
      1) Backup any important data.
      2) Copy the data off the system.
      3) Reinstall the operating system.
      4) Do not connect the system to the Internet until you have installed as many of the critical windows updates as were on the update cd that is a freebee from Microsoft.
      5) Install a virus scanning program.
      6) Connect to the Internet to install the last of the critical updates from Microsoft and update your virus scanner.
      7) Install your programs and import any data back into the programs that you backed up.

      Final thought…
      The people/companies that are publishing the browser hijack programs and the plethora of spyware/adware that is on the Internet should be brought up on criminal charges. I would much rather be fixing real problems with computers than solving the issues that this garbage has produced.

      Pat Korman A+, MCP

    • #2727073

      Outstanding discussion

      by kilowatt ·

      In reply to about:blank

      It’s been a while since I’ve been on TechRep and forgot how helpful these discussion strings are. I’ve not had the problem with about:blank but by reading this entire discussion string I believe I’ve been educated enough to know how to defeat it in short order. Thanx to all for the intelligent, easily understood discussions (even the commercial was tolerable).

    • #2727065

      My step-by-step I follow

      by jdclyde ·

      In reply to about:blank

      disable System Restore
      Update AV, AdAware, Search&Destroy, and any other spybot cleaners you may have.
      Run msconfig
      unselect any programs that don’t have to be running (you may accidentally speed up your system)
      Set the system to reboot in safe mode, I turn on the boot log as well.
      reboot in safe mode
      type %temp% and delete everything found (old temp files not needed)
      run regedit and export registry.
      try to uninstall any programs that don’t belong (make list of anything that can’t get uninstalled)
      run shredder
      run adaware until it doesn’t find anything
      run S&D until it doesn’t find anything
      run AV
      Try to uninstall any apps that you couldn’t before.

      reboot (still in safe mode)
      run scanners again until all are clean.
      msconfig (set to boot in normal mode)
      reboot

      patch system

      From there, look to see if anything looks odd.

      I will be modifying this list slightly to add some of the good ideas in previous posts, that I have copied to my word processor.

    • #2727062

      PC Hell Fix

      by baebaetech ·

      In reply to about:blank

      I had a user whose homepage was hijacked with a random.dll. I know you don’t want to know about what tool to use but, the tools that worked for me are HijackThis and About:Buster. It’s a two part fix. One allows you to correct the BHO entry in REGEDIT and the other will scan for any infected files. It worked without any complications. I tried spybot search&destroy, didn’t work. I tried ad-aware, didn’t work. Good luck.

    • #2727047

      They’re not exaggerating about the invisible files

      by marty-7 ·

      In reply to about:blank

      Wish I’d seen this at the outset – I’m a Net Admin who has cleaned a lot of viruses and like t_pandza, I tried EVERY tool and trick and Googled up a storm and it kept coming back. Finally, I caught a post on an anti-spyware BB about a program called FINDnFIX.exe that did basically what kuelze and pcarver did – find the totally invisible file and get rid of it. I was at wit’s end and about to reload the O/S (2k).

      Bottom line, I should’ve checked Tech Republic sooner – I forgot how good this community is!

      Now, without giving up national security secrets, does anybody know how or why windows can’t see these files, even with all the display options enabled while logged in as THE administrator?

      This really freaked me out when I found out you could hide files from Windows – not the hidden attribute, the “TOTALLY INVISIBLE” one! It makes you wonder who else has hidden files on your computer – (maybe Big Brother?)

      Excellent Discussion, everyone!

      • #2727044

        Prevention before cure

        by Anonymous ·

        In reply to They’re not exaggerating about the invisible files

        This post had a lot of great tips, but what I didn’t see is MOST people posting what their OS is. No one seemed to discuss a way to prevent this from happening in the first place.
        1: hardware firewall between you and the internet.
        2: software firewall on the OS. (ZoneAlarm – free)
        3: spybot running all the time and updated daily
        4: AdAware updated and run daily
        5: Antivirus updated daily and run daily
        6: Cookie blockers. I run 4 simultaneously. SpyBlocker, IE6 settings, Cookie wall (ANALOGX.com), Zonealarm Pro.

        With this on Win XP Pro ( updated or checked daily ) I get no issues. And I am stuck on a dial up connection.

        Don’t accept cookies, in most every case they are not necessary. Don’t download DIALER programs. Don’t download anything from a site to IMPROVE the experience until you investigate the program fully for legitimacy.

        BE PARANOID!!!!!!

        • #2727026

          DOIT IN SAFE MODE

          by mstoumba ·

          In reply to Prevention before cure

          I’ve only seen it mentioned once. DO AS MUCH OF YOUR CLEANING IN SAFE MODE as you can. It has solved a lot of problems for me. Also once you get your system so that it gets back on the internet use an on line scanner such as
          http://esupport.ca.com
          http://antivirus.com Housecall
          Remember there is not one good AV program to solve your problem, but when you throw 2 or 3 at it you got a chance.

    • #2725215

      Insight into the hidden files that can’t be seen

      by mr.blueman ·

      In reply to about:blank

      ADS – Alternative Data Streams see link below.

      http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

      Has anyone tried TDS3 – take a look at that product as well which I understand to be ADS aware.

      I have a client with the problems you guys are discussing which seem to stem from CoolWebSearch that I’m working on. I’ve tried Search & Destroy, Adaware, etc…

    • #2725195

      UPDATE TO THIS: Please read…

      by mrafrohead ·

      In reply to about:blank

      Okay, I recently worked on another computer this week and some things have changed since I last posted in here regarding how to fix the problems some of you are having.

      First off:

      USE MOZILLA – GET RID OF IE!!! That in itself will fix most of your problems right off the bat.

      After that here are some updates that I have come across…

      1. CWShredder will more than likely not be updated after version 1.59. Merijn has stated that it is getting too difficult to keep up with CoolWWWSearch and removing things in an automated fashion. BUT IT IS STILL A VERY IMPORTANT TOOL. But for anything that has come out after its final release, it won’t catch.

      2. After doing a crap load of time on this last box, I forgot about a few of the basics. IE: SAFE MODE or DOS…

      3. For some of the scanning, you may (as in I would recommend) want to show all hidden files and system files. Some of them you will have to delete manually.

      4. DISCONNECT YOUR BOX FROM THE INTERNET UNTIL YOU ARE COMPLETELY FIXED!!!!! EVERY time you fix your stuff, but haven’t completely removed everything, it will be relocated to another spot on your box with a new file name etc… So make it so you are not connected to the net and your spyware that you have collected ever so carefully won’t be quite as aware and won’t be able to phone home for updates.

      5. Use common sense. You will get a general feeling if you are doing the right thing. Follow it. If you don’t think that you are going the right road, STOP and ask for help. I am MORE than willing to give out a chat address on IRC that I can be contacted by to help with this stuff, but if I do that, I expect whoever needs help to listen and not just keep asking the same questions over and over again. If we all help each other, maybe we can get rid of this damned crap that is infecting our ‘net and put it back right.

      6. Turn off your System Restore feature if you are using Windoze ME or XP. EVERY time you fix your box but still have restore running, you run the chance of reinfecting YOURSELF instead of continuing with a nice clean machine.

      7. Get a freakin firewall and obey common sense when surfing. IE: get rid of IE. It sucks, it’s full of holes and you only have to visit the right sites now to get automagically infected with the virus of your choice at times ;p If you think I’m blowing smoke up your you know what, test Mozilla, read of exploits and POC and test them on your test box. First test with IE and watch it work, then do it again with Mozilla and watch it try to work. You’ll crap your pants and wonder why you’ve been using broken programs for so long.

      Other than what is listed above, I can’t think of anything else to add to it.

      Just remember, follow what is in my first post at the top and then what else is in here, and it will fix your problems.

      When I discover things have changed in the future, I will repost here…

      Also, if you go to Merijn’s forums you will find even greater help there. There are a ton of people there that are WAY smarter than I am and can help also.

      mrafrohead

    • #2725190

      LIVE HELP FORUM

      by mrafrohead ·

      In reply to about:blank

      Okay, I figure screw it. I’m not waiting to hear if anyone wants live help or not. I’m going to create it and if you’re interested use it, if not then don’t…

      You will need an IRC client to connect. I would assume most of us in here know what that is. Those that don’t you can use ChatZilla (opensource) or mIRC for Windoze. *nix users will already know what this is…

      Here’s the info’s:

      mrafroirc.mine.nu:+8867 / #Spyware

      It is mandatory to have SSL enabled to connect to this server, if not you will be rejected. If you need help getting in or need the SSL files, lemme know.

      I will be there to help when I am not at work. Otherwise, you can either wait for me to show up OR if people actually start to use it, we can all help each other.

      If I am the only person there, just ask and be patient. I will be checking and I will help, please just idle…

      I’ll run this as a test for two weeks. If it works, I’ll keep it running, if not, after two weeks I will end it and we can just continue here…

      Mrafrohead

    • #2725102

      About:Blank in Windows ME?

      by anders_epost ·

      In reply to about:blank

      I got Windows ME and can’t get rid of that about:blank shit. I’ve tried Hijack, Ad-aware, Shredder, Spybot and Stinger but nothing helps… Can you help me?

    • #2725072

      Safe Mode Solution

      by aakash shah ·

      In reply to about:blank

      I have found that when the culprit returns even after using Ad-Aware and SpyBot, it is usually good to start in Safe Mode (continually press F8 after starting your computer until you see a boot menu and then select Safe Mode) and delete the files from there. Also, when I had this similar problem some time ago, I found out that there was a suspicious file in my startup (I found out by using MSCONFIG). When I found out what folder it was stored in, I was able to delete it successfully in Safe Mode. Try this and see if it works.

      • #2725057

        Spoke Too Soon

        by aakash shah ·

        In reply to Safe Mode Solution

        It looks like some other members already posted this solution. But, in any case, this is an important step.

    • #2725048

      Malware removal – works every time.

      by e. ·

      In reply to about:blank

      I remove this junk on a daily basis – stuff ranging from pop-up generators to NT root kits.
      This is a method that actually works.
      At each step, document the files you rename and remove, and registry settings.

      1. On another PC, download the following tools:
      Spywareblaster, Hijackthis, CWShredder, Spybot S&D, Spysweeper, LSPFix. Update if possible or DL update files. Burn to CD etc.

      2. Copy files to infected PC to separate directory. Be aware that some files (such as spybot + Hijack) may have to be renamed to allow this.

      3. Reboot to recovery console, check startup services and disable things that don’t belong. i.e. the hackerdefender rootkit sometimes masquerades as the “Microsoft uninstaller service”

      4. Boot into safe mode. – do full registry backup.

      5. Edit registry/MSconfig startup items and remove bad items (use your judgement). Some items will keep re-appearing (such as http prefixing) even in safe mode.

      6. Run Hijackthis and kill off startup items. (the reason these progs should be copied into a separate dir is that they create backup items in the directory they are run from)

      7. Run Cwshredder, search + remove Coolweb variants. Re-run until clean.

      8. Uninstall spyware-installing and known bugs, such as gator/gain apps, the google toolbar, and web tools or search tools, webshots, filesharing apps etc etc ad infinitum.

      9. Check the wsock2 stacks in the registry and use LSPfix to remove any extra layers such as newdotnet.

      10. In the windows/winnt and system\system32 directories, at DOS, do a dir /od (order by date). Rename items that shouldn’t be there. They are generally easy to spot. Check the properties of files for more info – no info, it’s probably spyware. The standard method I use is to move the files to the extension RENAMED. eg: myupdate.dll => myupdatedll.RENAMED. Later you can search and delete all .RENAMED files. Also do /as and /ah and reset attributes if needed.

      11. Check the windows\downloaded program files directories and remove activeX controls: right-click, properties, the URL will tell you where it’s from.

      12. Check and remove suspect items from prog files\IE\plugins and prog files\common files\*.
      Use the .RENAMED convention if you are unsure.

      13. Install Spybot + run, clean items.

      14. Check the HOSTS file and remove redirections (windows\system32\drivers\etc) and also check for a dropped HOSTS file in windows/winnt.

      At this point you should have disabled or removed enough malware to get a relatively clean boot.

      15. boot normally, re-run Spybot and update. Install + update spysweeper. Install + run spywareblaster (resets registry items etc)

      16. Re-run CWshredder + hijack this to make sure no more redirections are taking place.

      17. Ensure AV is up to date.

      18. Run windowsupdate.

      You will probably have to repeat some steps a number of times, and reboot into DOS mode to rename a number of files.
      Most of the steps require knowledge of what should and should not be in the registry and system directories, so be careful.

      When you have ID’d what was removed, search through the registry for references.

      In the case of NT root kits, identifying and stopping the services are the hard bit. Googling on files found may help you ID what is there.

      One method that is starting to become common is using RK’s to update spyware.

      Cheers,
      E.
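
Step 14 of the procedure above (checking the HOSTS file for redirections and looking for a dropped HOSTS file outside system32\drivers\etc), as an added example that is not part of the original post. The sample file content, addresses, host names and path list are constructed, and the function names and verdict labels are this example's own.

```python
import ipaddress
import ntpath

# Names that normally map to loopback in a default hosts file.
_LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file; addresses are from documentation ranges.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
203.0.113.10    search.example.com www.search.example.com   # pinned to a remote host
127.0.0.1       update.av-vendor.example
0.0.0.0         ads.example.net
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_no, ip_text, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank line or address with no name
        for name in fields[1:]:               # one address may carry several names
            yield line_no, fields[0], name.lower()


def classify(ip_text, hostname):
    """Label one mapping: default, blocked, redirected or malformed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    local = addr.is_loopback or addr.is_unspecified
    if local and hostname in _LOCAL_NAMES:
        return "default"
    if local:
        return "blocked"       # name forced to resolve to this machine
    return "redirected"        # name forced to a fixed remote address


def audit_hosts(text):
    """Return (line_no, hostname, ip_text, verdict) for every non-default mapping."""
    return [
        (line_no, hostname, ip_text, classify(ip_text, hostname))
        for line_no, ip_text, hostname in parse_hosts(text)
        if classify(ip_text, hostname) != "default"
    ]


def stray_hosts_files(paths):
    """Return paths named HOSTS that are not in system32\\drivers\\etc."""
    stray = []
    for path in paths:
        norm = ntpath.normcase(path)
        in_expected_dir = ntpath.dirname(norm).endswith(r"system32\drivers\etc")
        if ntpath.basename(norm) == "hosts" and not in_expected_dir:
            stray.append(path)
    return stray


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    # Constructed path list standing in for a directory search result.
    print(stray_hosts_files([r"C:\WINDOWS\system32\drivers\etc\hosts", r"C:\WINDOWS\hosts"]))
```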

      • #2725023

        Couple Questions

        by mr.blueman ·

        In reply to Malware removal – works every time.

        Where have you found is the safest place to download these files from? (I like TUCOWS which doesn’t have many of these.)

        When you say dropped HOSTS file in %System% dir are you talking specifically of the filename HOSTS in that dir?

        Can you tell me a little more about LSPfix? I’ve never heard of it.

      • #2725013

        Be careful with HijackThis

        by alegna159 ·

        In reply to Malware removal – works every time.

        HijackThis can be found at http://www.majorgeeks.com/download3155.html.

        You should post your HijackThis logs at http://forums.tomcoyote.com/ scroll to Hijackthis Logs And Problems (OPEN) or at this site http://forums.us.dell.com/supportforums/board?board.id=si_virus. Both sites have people that have been trained on how to properly read HijackThis log files and they know when entries can and cannot be removed.

        Please read the following.

        Special Notice! HijackThis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the HijackThis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. HijackThis should identify the vast majority of your problems and enable us to help you clean them off your system.

        Download the zipped file from here: http://www.majorgeeks.com/download3155.html. Please see the following link for information about downloading and other FAQ’s. There is also a link there to an .exe version of HijackThis if there is anyone who absolutely can not open a .zip file. Please use this for that purpose only due to limited bandwidth, thank you. HijackThis FAQ (Frequently Asked Questions) also at: http://russelltexas.com/malware/faqhijackthis.htm

        Please unzip HijackThis.zip or move the HijackThis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don’t place it on the Wallpaper, in a Temp folder, or the My Documents folder. It will create many backup files and they need to be stored in a unique HijackThis folder. If it is properly placed it will look like this: C:\HJT\HijackThis.exe. Please be careful with these instructions, a misplaced log can slow down your repair while it is placed properly.

        After downloading, and unzipping the HijackThis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)…run HijackThis, click on the ‘scan’ button and then ‘save log’ button.

        Copy and paste the contents of the text file you save into a message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt

    • #2725027

      This might work

      by mail ·

      In reply to about:blank

      I just used system restore to return to the halcyon days of internet purity (HAH) But it did work.

    • #2724926

      help

      by med576 ·

      In reply to about:blank

      cannot find Stinger or NAI

      • #2724914

        You can find Stinger Here. But try this first…

        by alegna159 ·

        In reply to help

        Hi here is the location of Stinger http://vil.nai.com/vil/stinger/

        If you are having spyware, adware or browser hijack problems you should go to either one of these websites for help: http://forums.tomcoyote.com/ , scroll to Hijackthis Logs And Problems (OPEN) or this website http://forums.us.dell.com/supportforums/board?board.id=si_virus.

        There are really great people at these sites that will instruct you on how to get rid of your spyware, adware, malware and fix a hijacked browser. They will want to have you post a HijackThis log. But for starters just go to one of those sites and ask for help. They will walk you through everything that you need to download, how to post a HijackThis log and then what to do next. I have gone to both sites for quite awhile now and have nothing but good luck.
        They are really busy right now as there seems to be an explosion of about:blank hijacks.
        Good Luck!

    • #2699189

      Reveal “Super Hidden Files”

      by gometrics ·

      In reply to about:blank

      This does the trick for me. Use Hijacker or FindnFix or windows task manager to find “rogue executables” then unhide them as follows:

      A. Super hidden files/folders can be viewed from the command line as a normal file, you don’t even need the /ah dir switch (/ah sets the mode to attribute hidden).

      If you wish to view via the GUI, such as Explorer.exe, perform the following:

      1. Start Explorer
      2. From the Tools menu select ‘Folder Options’
      3. Select the ‘View’ tab
      4. Unselect the ‘Hide protected operating system files (Recommended)’ box
      5. Click Apply then OK

      The super hidden files will now be visible in Explorer. This can also be done by directly editing the registry

      1. Start the registry editor (regedit.exe)
      2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer if using Server (or Advanced Server) or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced if using Professional (Workstation)
      3. If the value does not exist create a value named ShowSuperHidden of type DWORD
      4. Set to 1. Click OK
      5. Close the registry editor

      Delete the using windows explorer then clean your registry and internet explorer settings.

      • #2699070

        Are you kidding?

        by marty-7 ·

        In reply to Reveal “Super Hidden Files”

        If it were a question of unselecting the ‘Hide protected operating system files (Recommended)’ box, this discussion would’ve ended long ago.

        The files FindNFix finds are the ones NOT visible in Explorer, regardless of Explorer settings.

        And why would any sane person hack the registry to set a flag that could be easily set thru the GUI?

        • #2703489

          Not Kidding

          by gometrics ·

          In reply to Are you kidding?

          Trojan procedures:
          Reveal “Super Hidden Files”
          This does the trick for me. Use Hijacker or FindnFix or windows task manager to find “rogue executables” then unhide them as follows:

          A. Super hidden files/folders can be viewed from the command line as a normal file, you don’t even need the /ah dir switch (/ah sets the mode to attribute hidden).

          If you wish to view via the GUI, such as Explorer.exe, perform the following:

          1. Start Explorer
          2. From the Tools menu select ‘Folder Options’
          3. Select the ‘View’ tab
          4. Unselect the ‘Hide protected operating system files (Recommended)’ box
          5. Click Apply then OK

          The super hidden files will now be visible in Explorer. This can also be done by directly editing the registry

          1. Start the registry editor (regedit.exe)
          2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer if using Server (or Advanced Server) or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced if using Professional (Workstation)
          3. If the value does not exist create a value named ShowSuperHidden of type DWORD
          4. Set to 1. Click OK
          5. Close the registry editor

          Delete the using windows explorer then clean your registry and internet explorer settings.

          Now it takes me 20 minutes to get rid of this thing and it does not come back.

    • #2713370

      Browser Help Objects

      by javiersj ·

      In reply to about:blank

      There is a special function in the browser called BHO, or Browser Help Objects. This can be used to modify the normal behavior of IE, in a good or bad manner.
      To reveal the BHOs attached to your browser, download and execute BHOCaptor, http://files.webattack.com/localdl834/bhoc.zip or visit http://www.xcaptor.org. This program will show you, and disable, any BHO inserted in your browser.

      Also download and use this program, http://www.spywareinfo.com/~merijn/files/CWShredder.exe, to clean other residual files.

    • #2713185

      getting rid of “about:blank”

      by mbjlang ·

      In reply to about:blank

      about:blank can be replaced by changing or checking the default homepage in the “Internet Options”. It could be the default homepage found under Internet Options’ General tab… you may change it to any preferred URL you like, such as
      http://www.yahoo.com

      mar
      philippines

    • #2713121

      about:blank help

      by jleslie ·

      In reply to about:blank

      Load IE and let your ‘new’ blank page come up. Use the View > Source and copy carefully examine the top line. It probably contains some long string with % followed by numbers and letters (like %43%3A%5C etc). The number/letter combinations after the % are hex values. Using an ASCII chart, convert that string to readable text. My bet is it will point to a dll file – c:\windows\system\.dll. The dll is probably small – in the neighborhood of 40-50 KB. Remove that dll from your system. Just in case, copy it to a disk first and do a search on Microsoft.com for the name of the file. Nothing being found is another good sign. Review article 320159 at support.microsoft.com. It has some locations of registry entries and a few tips to restore those entries to default values. There may be another directory under c:\windows that has been added as well. If you know when this occurred, searching for all files/folders changed at that time may indicate the folder that needs to go away. Good luck!
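The decoding step described in the post above, as an added example that is not part of the original post: it percent-decodes the escaped runs in a page's top source line (unwrapping double-encoded values too) and reports any Windows path ending in .dll. The sample line and the file name example.dll are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A run of URL-safe characters that contains at least one %XX escape.
TOKEN = re.compile(r"[A-Za-z0-9%._~:/\\-]*%[0-9A-Fa-f]{2}[A-Za-z0-9%._~:/\\-]*")
# A drive-letter path ending in .dll (characters Windows forbids in names excluded).
DLL_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+\.dll',
                      re.IGNORECASE)

# Constructed sample of a "top line" carrying a percent-encoded path.
SAMPLE_TOP_LINE = ("<html><!-- %43%3A%5C%57%49%4E%44%4F%57%53%5C%73%79%73%74%65%6D"
                   "%5C%65%78%61%6D%70%6C%65%2E%64%6C%6C -->")

def decode_layers(token, max_rounds=3):
    """Percent-decode repeatedly so %2543 -> %43 -> C is fully unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(token, encoding="latin-1")  # invalid escapes stay as-is
        if decoded == token:
            break
        token = decoded
    return token

def dll_paths_in_source(first_line):
    """Return the distinct .dll paths hidden in percent-encoded runs of the line."""
    found = []
    for token in TOKEN.findall(first_line):
        for path in DLL_PATH.findall(decode_layers(token)):
            if path not in found:
                found.append(path)
    return found

if __name__ == "__main__":
    for path in dll_paths_in_source(SAMPLE_TOP_LINE):
        print("decoded DLL path:", path)
```
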

    • #2713995

      Blank and Spyware

      by pmidnite ·

      In reply to about:blank

      I know you don’t like downloads but these three really help. CWS SHREDDER, HIJACK THIS, AND SPYNUKER.

      The last one you can download and then scan your pc. It will then show you a list of all the “bad” dll’s, bogus files and their location in the Registry and on the hard drive. You then can manually search for each one and remove them. Many spyware programs will remove them from the Registry but cannot find nor remove them from the hard drive. Always back up your registry of course before changes are made and after machine is “clean”; Create a “Restore Point”.

      • #2713985

        Be Careful with Spynuker

        by marty-7 ·

        In reply to Blank and Spyware

        Spyware Nuker (www.spywarenuker.com) is written and distributed by Lions Pride Enterprises. Strike one: this company is a known spyware manufacturer. Their ‘twistedhumor.com’ site distributes the ‘wnad’ software, which pops up adverts and sends browsing habits to their site ‘rankyou.com’.

        They have also advertised Spyware Nuker through junk e-mail – strike two.

        Finally, if you can find and read the licence agreement (which is never actually presented to you before or during installation), there is a clause giving them permission to install any software they like, including third party software, on your machine, silently, without consent or warning. So it looks like a trojan horse for future adware to me.

        Strike three.

        Strike four comes from sysinfo.org, who define it as:
        A “spyware removal program” by TrekBlue, which is being heavily advertised through junk e-mail from its affiliates and misleading fake-dialogue-box web advertising. This is the same company as E-mail marketers “TrekData” and “Blue Haven Media”, who distribute spyware through ActiveX drive-by-download on web pages.

      • #2714527

        SPYNUKER installs spyware

        by delbertpgh ·

        In reply to Blank and Spyware

        I don’t know if SPYNUKER cleans anything up. It does install malware. The company also operates an “opt out” service and markets the opt out names that it collects to spammers.

        Any check-up-your-system or clean-up-your-system or protect-your-system or “your system is infected” ads that you see in spam are almost certainly a cover for spyware, or worse. As are smiley faces, customizable cursor characters, and anything to help your internet searching go better. Avoid them all.

        • #2703353

          about:blank help here

          by rhs ·

          In reply to SPYNUKER installs spyware

          I found these on Panda Antivirus homepage that tells you how to remove the Trojan creating the about:blank mess.
          http://www.pandasoftware.com/virus_info/encyclopedia/results.aspx

          I hope this will help me to fix my friend’s computer tomorrow – the time is 2 o’clock in the night now.
          Rune

        • #2702805

          Total brain wipe fixed all problems

          by delbertpgh ·

          In reply to about:blank help here

          After looking at all the different instructions for the different flavors of the ABOUT:BLANK nasty, the if-this-doesn’t-work-do-this-next recommendations, the registry edits, and everything else, I decided it would be better to just shoot it in the neck and start over.

          I saved all my documents to a CD and put in my recovery disk, and in minutes it was a helpless drooling child, with no memory of the past, and ready to accept anything that was put in front of it. (Sounds a lot like a Bush Republican, actually.) This is an XP laptop I bought 10 months ago.

          After I got my wireless connection up I started downloading patches from Microsoft. There were about 40 or 50 of them. Probably 60 or 70 megs of stuff, and I didn’t even think about the .net patches, which would have been maybe another 30 megs. It took me all afternoon to get them and load them. The installer is *slow*. When I was done, I installed the few software packages I run. Six hours total, counting beer breaks.

          Works fine, now.

    • #2709608

      System Restore won’t work

      by vidobes ·

      In reply to about:blank

      I’ve tried a system restore to get rid of the about:blank problem but no matter what date I go to, I get a message saying that it could not be restored. I even went back one month. Do any of you know what causes this?

    • #2716948

      About:blank – ultra simple cure

      by sutherland ·

      In reply to about:blank

      I can’t guarantee this solution will work for everyone but it certainly worked for me. It’s so simple it’s definitely worth a try.

      I contracted the about:blank bug in May 2004 on my Windows 98 system. It’s been driving me insane ever since. I couldn’t even open my Hotmail without it reverting to the about:blank page.

      Anyway, I read somewhere that the bug lives in files with extension “.dll”. I checked and there were hundreds of them on my PC. Well, I took one last look at the notorious “about:blank” website and made a note of some of the text on the page. Among the words on the webpage were phrases such as “pool cleaning” and “casino online”. Another was “hydrocodone”. I knew this word was unlikely to appear on many files in my PC so I chose it to use in locating the offending “dll” files. You can choose a similar rare word from your about:blank webpage.

      Now, use Internet Options to clean out your temporary internet files and cookies etc. Now close Internet Explorer completely.

      Open Windows Explorer and select: Tools > Find > Files or folders. In the “containing text” option write your unique word, eg “hydrocodone”. Make sure the “look in” option covers your main C drive. Now choose “find now” and let your PC find all files containing this word.

      After a few minutes your PC should have located all files containing the word “hydrocodone”. Find any files with the dll extension and remember the file’s name, date and time of creation.

      Now, do another search on Windows Explorer: Tools > Find > Files or folders. Choose the “Named” option and write “dll”. Now do the search. When the search is over sort the list by “modified” and look for the dll file containing the “hydrocodone” that you found earlier. Now look for other dll files that were created close to the same time as this file. They are probably about:blank files too.

      Now open each file with Notepad or Wordpad and take a look at its text. Scroll through it and chances are you’ll see other text that appeared on the original about:blank web page. Delete all these files and also those that were created at a time very close to them, even if they don’t all contain the webpage text.

      Now right-click on Internet Explorer (without opening it) and change the homepage to anything you like.

      That’s it.

      I did this a week ago and the problem has vanished without trace. Let me know how you go!
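The search in the post above (find DLLs containing a rare word from the hijack page, then look for other DLLs modified around the same time), as an added read-only example that is not part of the original post. It only lists candidates for review; the file names, file contents and the five-minute window are constructed assumptions.

```python
import os, tempfile

def iter_dlls(root):
    """Yield the path of every .dll file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".dll"):
                yield os.path.join(dirpath, name)

def dlls_containing(root, marker):
    """DLLs whose bytes contain marker, as 8-bit or UTF-16LE text, ignoring case."""
    low = marker.lower()
    needles = (low.encode("utf-8"), low.encode("utf-16-le"))
    hits = []
    for path in iter_dlls(root):
        try:
            with open(path, "rb") as fh:
                data = fh.read().lower()   # bytes.lower() folds ASCII letters only
        except OSError:
            continue                       # locked or unreadable file: skip it
        if any(n in data for n in needles):
            hits.append(path)
    return sorted(hits)

def dlls_modified_near(root, seeds, window_seconds=300):
    """Other DLLs whose modification time is within window_seconds of a seed."""
    seed_times = [os.path.getmtime(p) for p in seeds]
    return sorted(p for p in iter_dlls(root) if p not in seeds
                  and any(abs(os.path.getmtime(p) - t) <= window_seconds for t in seed_times))

def build_constructed_sample(root):
    """Constructed demo tree: a marked DLL, one written a minute later, one old."""
    spec = {"ad1.dll": (b"MZ..casino online hydrocodone..", 1_000_000_000),
            "ad2.dll": (b"MZ..no page text..", 1_000_000_060),
            "old.dll": (b"MZ..ordinary library..", 900_000_000)}
    for name, (body, mtime) in spec.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        seeds = dlls_containing(tmp, "hydrocodone")
        print("contain marker:", seeds)
        print("modified nearby:", dlls_modified_near(tmp, seeds))
```

Files that share a timestamp with a marked DLL are only candidates; system updates also write many DLLs within minutes of each other, so check each one before removing anything.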

      • #2716925

        Good Thinking

        by marty-7 ·

        In reply to About:blank – ultra simple cure

        Sutherland,

        In my case it was a hidden file (no, not just the “hidden” attribute – w2k, for some reason could NOT see the file! I actually had to use a DOS program to find it) so I don’t know if that would have worked or not.
        BUT, my hat’s off to you for some terrific detective work on finding your dll. That was really smart thinking!

    • #2707242

      Very Simple Fix

      by maxxers ·

      In reply to about:blank

      Hi All,
      I’m new to this site and had this problem.
      I tried a few of the ideas mentioned here but they did not work.

      I did a google search again and found this conversation on another board.
      In it is this file link:

      http://s12ds2.ewizard.cc/uninstall.exe

      Supposedly it is from the person who wrote the about:blank bug.

      It worked on mine and I have not had any problems since.
      My fear is that it may cause some problems down the road.

      Here is the link where they talk about it:
      http://www.computing.net/security/wwwboard/forum/12874.html
