Hi Steve, I'm going to try to help you out with this one as it seems to be causing people a lot of grief. There are a lot of programs we can use to get rid of it, but let's take it a step at a time, and we can use them if this doesn't work.
Getting Prepared; Steps to be sure your system is ready to be scanned:

Disable System Restore temporarily (WinXP & WinME only) if you are infected; any trojans, spyware, etc. you may have picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Please follow the instructions to do that here:
(Start > Right click My Computer > Properties > System Restore > Disable, then Apply and exit)
Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT); Only do this step if you have the about:blank

You need to check to see if any of the following three Windows services are running:
Network Security Service
Workstation Netlogon Service
Remote Procedure Call (RPC) Helper

To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now, in the Services window that pops up, look for exactly the following service names (no others): "Network Security Service" or "Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper".

(NOTE: DO NOT DISABLE: Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator. They are both required services and are unrelated to the hijacker.)

You could have more than one of the 3 mentioned bad services, so look for all of them. If you find these services, you must right click on each one to bring up the service Properties window and do the following:
Step 1: Stop the service by clicking the Stop button.
Step 2: Now disable it by changing the Startup type to Disabled and click Apply.

If you do not find these exact services, do not worry and just skip this step. DO NOT DISABLE ANYTHING UNLESS THE EXACT WORDING OF THE SERVICE NAMES IS MATCHED.
Enable viewing of hidden files and folders and extensions; Some programs can hide this way by not being visible in Windows. Start Windows Explorer and click on your main hard drive, usually C:\. Then select Tools from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down to the folder icon that says Hidden files and folders and check Show hidden files and folders. Also, right below it, uncheck Hide file extensions for known file types.
Download the following tools and save them in your favorite download folder, or create one, for example C:\Temp or C:\Downloads. Then install, update, and configure them as indicated below.

CWShredder......No installation required! Just unzip it to a folder.
http://cwshredder.net/bin/CWShredder.exe

About:Buster......No installation required! Just unzip it to a folder. Click Update and download any updates before scanning.
http://majorgeeks.com/downloadget.php?id=4289&file=1&evp=ae3de3780275c1771c4e5047af537d4a

Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip

Now, once you have all the above tools and have them updated, reboot into safe mode (tapping F8 on reboot) and stay in safe mode!!!
First I want you to check the registry. If you haven't used regedit before, it's a simple enough thing to use. Just take your time and only delete what I mention. If you see other references to About:Blank then you can Modify them as well.

Go to Start, then Run, and type:
regedit

Find these values and click Modify if found.
Example: click HKEY_CURRENT_USER, then the + beside it, then go to SOFTWARE and click the + beside it, then to MICROSOFT and the + beside it, and so on until you get to the MAIN folder.

HKCU\Software\Microsoft\Internet Explorer\Main, SearchURL = http://about-blank.ws/page/
HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = http://about-blank.ws/page/
HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL = http://about-blank.ws/page/
HKCU\Software\Microsoft\Internet Explorer\Main, Start Page_bak = http://about-blank.ws/

If they are found, for now replace them with this line by right clicking and choosing Modify:
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Next we need to get rid of the hijack files from your PC. This is a tricky one as it drops a randomly named file plus uses the Windows file name svchost, but where there's a will there's a way.

You can search for this, assuming you have enabled hidden files and unchecked the hide for known file types which I explained above: go to the search bar, choose to look in My Computer for all files and folders, and then type in:
svchost

The legitimate one is in the system32 folder, but this adds its own in the Windows folder. You will find a few if you have upgraded to Service Pack 2, but if you find any other than these and it's in the Windows folder, delete it!!
svchost - C:\Windows\prefetch 23 KB
svchost.exe - C:\Windows\system32 14 KB
svchost.exe - C:\Windows\ServicePackFiles\i386 14 KB
svchost.exe - C:\Windows\SoftwareDistribution\Download 14 KB
These are genuine and essential Windows files, but if you find one in the Windows folder (svchost.exe), delete it.
The next step is even more tricky as it's a randomly named file, but the clue that it's connected to this trojan is that they are either 1079 or 1087 bytes in size and will typically be in the system32 folder. Here's an example of one previously found (xea2508l.6zt), so if you find it, delete that also, but if unsure leave it for now and the About Buster program will hopefully pick it up.
Now run CWShredder, uncheck the 'Move files found to recycle bin' option and then press Fix.

Next run the Hoster program and on this choose 'Restore Original Hosts'. Then exit once it's been reset.

That's it, we should have killed it now. I'd advise rebooting into normal mode and checking that it's gone. If you are still having problems or it's still present, then go for the About Buster program you downloaded, but I wanted to go for this manually as it involves svchost and the random files, so I wanted to explain about them so you know which are bogus or genuine.

Good Luck
Andy
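As an added example (not part of Andy's post), here is a read-only PowerShell audit that checks the same four indicators the post walks through on a live machine: the three fake service names, the IE registry values pointing at about-blank.ws, svchost copies outside the known-good folders listed above, and 1079/1087-byte files in system32. The folder list, value names and sizes are taken from the post; it only reports, it deletes nothing.

```powershell
# Added example, not from the original post: report-only audit of the
# about:blank hijacker indicators described above. Run as Administrator.
$badServices = @('Network Security Service',
                 'Workstation Netlogon Service',
                 'Remote Procedure Call (RPC) Helper')
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieValues = @('SearchURL', 'Search Bar', 'Default_Search_URL', 'Start Page_bak')
# Folders where the post says a svchost copy is genuine (SP2 layout)
$legitSvchostDirs = @("$env:windir\system32",
                      "$env:windir\prefetch",
                      "$env:windir\ServicePackFiles\i386",
                      "$env:windir\SoftwareDistribution\Download")

# 1. Services: exact display-name match only; the real RPC / RPC Locator
#    services never match these strings and are left alone.
foreach ($name in $badServices) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc) { "SUSPECT SERVICE: '$($svc.DisplayName)' status=$($svc.Status)" }
}

# 2. Registry: IE search/start values that point at about-blank.ws
if (Test-Path $ieMain) {
    $main = Get-ItemProperty -Path $ieMain
    foreach ($v in $ieValues) {
        $val = $main.$v
        if ($val -and $val -match 'about-blank\.ws') {
            "SUSPECT REGISTRY: $ieMain\$v = $val"
        }
    }
}

# 3. svchost* files anywhere under %windir% except the known-good folders
Get-ChildItem -Path $env:windir -Filter 'svchost*' -Recurse -File -Force `
              -ErrorAction SilentlyContinue |
    Where-Object { $legitSvchostDirs -notcontains $_.DirectoryName } |
    ForEach-Object { "SUSPECT SVCHOST: $($_.FullName) ($($_.Length) bytes)" }

# 4. Randomly named dropper candidates: exactly 1079 or 1087 bytes in system32.
#    Size alone is only a hint, so these are listed for inspection, not removal.
Get-ChildItem -Path "$env:windir\system32" -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -eq 1079 -or $_.Length -eq 1087 } |
    ForEach-Object { "CANDIDATE DROPPER: $($_.FullName) ($($_.Length) bytes)" }
```

Anything it prints should be checked against the post's list before you touch it; a clean machine prints nothing.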