Internet Explorer has been hijacked by "About:Blank"

  • Thread starter Thread starter Lloyd Wolf
  • Start date Start date
Hi Tom - Sounds like this might be a variant of some malware called
CoolWebSearch (if CWShredder doesn't fix it, then see AdAware, SpyBot, and
HijackThis, below, in that order). You can read about CWSearch here: The
CoolWebSearch Chronicles
http://cwshredder.net/cwshredder/cwschronicles.html


A good general "malware" removal site FAQ's with pretty good step-by-step
instructions is available for review here:
http://www.spywarenation.com/modules.php?name=FAQ


Read all of the following carefully first, then do the following in order:


#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:

http://www.cexx.org/lspfix.htm

AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257

or here for Win2k/XP http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm

The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.

NOTE: It is reported that in XP SP2, the Run command netsh winsock reset
will fix this problem without the need for these programs. (You can also
try this if you're on XP SP1. There has also been one, as yet unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:

netsh int reset all
ipconfig /flushdns

See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########



#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Clean Boot - General Win2k(if w/msconfig)/XP procedure, but see below for
links for other OS's:
1. Start|Run enter msconfig.
2. On the General tab, click Selective Startup, and then clear the Process
System.ini File, Process Win.ini File, and Load Startup Items check boxes.
Leave the boot.ini boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button.
4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########

Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem



Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page: http://vil.nai.com/vil/stinger/ ME/XP users be sure to read:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm


Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here: http://www.trendmicro.com/download/pattern.asp Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). (If you download and use the updater from
the beginning, it will automatically handle downloading the other files.)
Place them in a dedicated folder after appropriate unzipping. Show hidden
and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
Disable Restore if you're on XP or ME (directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), then boot to
Safe mode (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system
in Safe mode and clean or delete anything it finds. Reboot to normal mode
and re-run the scan again.

This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.


Download and run the trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with Show
Hidden Files enabled as above.



Download, UPDATE before running, and run:
http://cwshredder.net/bin/CWSInstall.exe from this page:
http://www.intermute.com/spysubtract/cwshredder_download.html (The new v.2+
which will automatically install in C:\Program
Files\InterMute\SpySubtract\CWShredder.exe and put a shortcut on the
Desktop. Run the program from this install location or the shortcut after
installation. This recommendation for CWShredder is NOT automatically a
recommendation for the other programs adverstised by Intermute in
conjunction with this install.) or from here:
http://www.aumha.org/downloads/cwshredder.exe (v.2+ standalone) or here:
http://www.softpedia.com/public/scripts/downloadhero/10-17-150/ (v.2+) to
remove the parasite. Try to run from Safe mode or a Clean Boot and be sure
to close ALL other programs to the extent possible, expecially ALL
instances of IE and OE.


There's a good tutorial about CWS and using CWShredder here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain See
also: http://cwshredder.net/cwshredder/cwschronicles.html

BE SURE that you get v.1.59.0.1 or later or the new v.2! Note that
CWShredder may make deletions/changes to your HOSTS file (sometimes as false
positives), and that after cleanup you may need to restore it with a fresh
copy of any local DNS and/or blocking entries or disable it before running
CWShredder.


You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.

The following links give instructions on how to do these various functions:


HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
(WinXP)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
(WinME)
or http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm (Both)



Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions if they've been affected (as they probably will have
been).


Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093

which blocks the exploit upon which this parasite family depends.


Lastly, there are extensive, detailed instructions for manual removal of CWS
variants here: http://www.pestpatrol.com/PestInfo/c/cws.asp You may want
to check these to be sure everything's been cleaned up.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x or later, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.

Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 or the
directions immediately below and run this regularly to get rid of most
"spyware/hijackware" on your machine. If it has to fix things, be sure to
re-boot and rerun AdAware again and repeat this cycle until you get a clean
scan. The reason is that it may have to remove things which are currently
"in use" before it can then clean up others. Configure Ad-aware for a
customized scan, and let it remove any bad files found.....

<Begin Setup Directions>
Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:

General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."

Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
<End Setup Directions>

Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click “Activate Cloakâ€. Then open
Ad Aware and scan your system.


Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial
here: http://www.safer-networking.org/en/index.html I recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.

After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others. Note that
sometimes you need to make a judgement call about what these programs report
as spyware. See here, for example: http://www.imilly.com/alexa.htm
Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.


When done, go to Start|Run and enter one line at a time (or much easier,
open a DOS box and copy the following in its entirety and then paste it into
the box):

regsvr32 hlink.dll
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll


with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter the
next (with the DOS box they'll be continuous except for the last one).

If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on some or all of the
last five - if so, ignore them.

Re-start your computer when you've finished.



If they don't fix it then start here:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
or here: http://www.bleepingcomputer.com/files/spyware/hijackthis.zip

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be
closed) then press Scan. Click on SaveLog when it's finished which will
create hijackthis.log. Now click the Config button, then Misc Tools and
click on Generate StartupList.log which will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html



Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."


*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


Once you get this cleaned up, you might want to consider installing Eric
Howes' IE-SpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the future:

IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory
load - but keep it UPDATED) The latest version as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.

http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. All three Very Highly Recommended

SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here: http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Recommended as a supplement
to SpywareBlaster. Read all of the instructions in the Expert package
download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this (or others, for that matter) list.


Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm
(Be sure it's named/renamed HOSTS - all caps, no extension) Additional
tutorials here:
http://www.bleepingcomputer.com/forums/index.php?s=14f3f9225081133297a8acdd11137c5b&showtutorial=51
(detailed) and here: http://www.spywarewarrior.com/viewtopic.php?t=410
(overview)


Finally, be sure that you have a good hardware or software firewall and an
AntiVirus installed, and bring your OS up-to-date with ALL Critical updates
from Windows Update.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
I got the about:blank and was able to get rid of it with Shredder. At the
same time my desktop now has the following HTML warning:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

WARNING!
YOU'RE IN DANGER!
ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT
SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO
REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS.
AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
Every site you or somebody or even something, like spyware, opened in your
browser, with all images, and all downloaded and maybe later removed movies
or mp3 songs - ARE STILL THERE and could broke your life!
SECURE YOURSELF RIGHT NOW!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Anyone know how to get this off my desktop?

Thanks,
Dave
 
Dave Throop said:
I got the about:blank and was able to get rid of it with Shredder. At the
same time my desktop now has the following HTML warning:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

WARNING!
YOU'RE IN DANGER!
ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU
VISIT
SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO
REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR
FORENSICS.
AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
Every site you or somebody or even something, like spyware, opened in your
browser, with all images, and all downloaded and maybe later removed
movies
or mp3 songs - ARE STILL THERE and could broke your life!
SECURE YOURSELF RIGHT NOW!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Anyone know how to get this off my desktop?

Thanks,
Dave

First eliminate any spyware.
What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx

CAUTION!!!!! Before you try to remove spyware using any of these programs ,
download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

See
Dealing with Unwanted Malware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Note that AdAware and SpyBot S & D will each catch some things the other
won't. Also, each needs to be updated with the program's update function
before every use, even when just downloaded. There's also a lot more to do
than just those two programs. CWShredder is also available here:
http://www.intermute.com/products/cwshredder
**Post your HijackThis log to
http://www.spywareinfo.com/forums/
http://forums.tomcoyote.org/
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/ or the Spyware forum at
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**
Alternative download pages for Ad-Aware, Spybot, HijackThis and CWShredder
may be found on this page:
http://aumha.org/a/parasite.htm.

See this link for information about malware:
http://arstechnica.com/articles/paedia/malware.ars

If nothing there helps, please post back to this thread.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
We are running Windows XP and cannot find the hidden file name in AppInit_DLL
value... Do you have any suggestions where this hidden file is in windows XP?

Thank you!
 
Dana said:
We are running Windows XP and cannot find the hidden file name in AppInit_DLL
value... Do you have any suggestions where this hidden file is in windows XP?

Where are you finding instructions about that value?

There seem to be many more instructions about this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

(note the trailing s)


Try a search for that instead?

http://www.microsoft.com/windows/ie...19a1&catlist=&dglist=&ptlist=&exp=&sloc=en-US

Thank you!


HTH

Robert Aldwinckle
---
 
My IE has recently been hijacked by "About:Blank." I have tried Spybot,
Adaware, CW Shredder, etc. but none of it has eliminated the problem. I tried
the manual method described below, but I could not come up with the .dll file
that could be imbedded in the system. The "About:Blank" bug I have got not
only took over my home page setting, but also keeps generating unwanted
pop-up ads, generating unwanted websites in the "Favorite" tab, and slows
down the booting process considerably. Does anyone have any suggestions?

Thanks,

SN
 
Go to: http://mvps.org/winhelp2002/unwanted.htm
Download "Hijack This!" [freeware]

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates: "hijackthis.log")

Next, go to the below location:
http://www.spywareinfo.com/forums/

Sign in, go to the "Spyware and Hijackware Removal" section.
Press "New Topic" and post a description of your symptoms. If they need to
see your log they will ask for it.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
 
Hi,
I really appreciate Lloyd's efforts in trying to solve the about:blank
problem, but I am just a normal computer user, and cannot begin to follow the
unfathomable SecuriTeam.com explanation. Is there anyone out there, that can
explain, in normal English, how on earth I can get rid of about:blank. I
have not been able to do any work for 10 days now, I have tried SpyBlocs,
Norton & Spybot, none of which can eradicate this thing. Any help would be
greatly appreciated.
Regards, Nigel.
 
I had, sorry, have, this problem right now. It said the pop-ups were coming
from www.vv3.s13.tempx.cc (Is that right, i don;t know =) Anyways, I managed
to stop the pop-ups (Use Hijack this, and registrar lite) But, every
[e-mail] account I set up, when I go in to view the mail, it gives me two
pop-ups and redirects me to a page called "about:blank" What is so odd is,
that when you view the pop-ups, it has one of those fake dialog boxes,
telling you that you have spyware installled on your machine. If, out of
curiosity, you click it, it takes you to it's own search engine, and
automatically searches for "Spyware" It comes up with hundreds of VALID
links for spyware removal tools. If by chance, you use their search engine
to search for "about:blank" or "tempx.cc" It gives you answers containing
highly pornographic material.
 
I also had this problem on my computer and amazingly found a solution. I got
a message that popped up (the message was from the Microsoft Antispyware
program I'd gotten from Microsoft.com and installed) telling me that there
was a hijacker trying to change my browser homepage, so I deleted the folder
it was in. On my PC, the file was in C:\
Documentsandsettings\MC57B~1.Kro\LOCALS~1\Temp\sp.dll\sp.html
NOTE! The folder "MC57B~1.KRO" should be different on your PC because It
includes letters of my last name. It shouldn't be hard to find because it
was the only folder that was 0KB in size. So I deleted the "temp" folder and
this got rid of the hijacker.

I hope I've been helpful
 
Hi People,

let me try help you... Please do not spent your money buying removal
programs because you can fix your problem easyly.

Some days ago I got the same problem and I fixed it with the following steps :

1. Open your Windows explorer

2. Open your disk C:

3. Open Documents and Settings folder

4. Open the folder with your name (Administrator in my case)

5. Open the Local Settings Folder.

At this point you can see the folder TEMP.

Delete this folder, it hides the code of about:blank. This folder will be
built later automatically, but the code of about:blank will be destroyed.

Don't be worry about deleting the folder TEMP it only has temporary files
and cookies.

Hope this helps you.

Ricardo R. Pitti
 
After many hours of trying to get rid of this nasty pest using AdAware,
SpyBot, CW Shredder, Adware Away, AVG, RegLite, and Bulldog, I finally gave
up and copied my data onto an external hard drive and went through a complete
system restore, including reformatting. I know there must be another way,
but the parasite seems to change constantly - it would seem to be gone, then
would be back.

Does anyone know if Microsoft is doing anything to help with these pests?

Chris
 
Che' said:
I tried to go to this site, but had no idea how to do any of the things it said to do. I HAVE to get this about:blank stuff off my computer-I work from home on my computer and it is now not allowing me to do my work. PLEASE HELP! I've tried everything-spybot, Norton anti-virus, changing my browser settings, etc.

Nothing seems to work permanently with this one. Ad-aware got rid of it for
a while, bug somehow it sneaked back on. The only solution I have found is
to use firefox browser instead (available on http://www.mozilla.org/ ) and
give up with Internet Explorer
 
Thankyou very much,I had tried everything,tech support etc.I received 75
Trojan Horses and Bloodhounds yesterday.None of the various spywares helped
but following your instructions everything is great,a big relief.
Many Thanks Brian Mullan

H Leboeuf said:
You have some parasites in your computer. The new version of AdAware may be
the only tool you will need. If not then get them all and clean your
computer.

Try this: Tools > Internet Options > Advanced > Browsing
Uncheck the Enable 3rd party browser extensions

If this clears your problem then find out who the culprit(s) is/are with
these tools.

Let AD-Aware Scan your system for advertising Spyware
http://www.lavasoftusa.com

If you use a HOSTS file, beware of this new issue.
Ad-Aware has decided to include a new detection when scanning the HOSTS
file. This now creates a "Bad hosts file entry" in the log file generated at
the end of a scan. The best thing to do is to place a check in each entry,
right-click and select: "Add selection to ignorelist". Otherwise if you let
AWW "fix" these items it will trash the HOSTS file! Even if you have it
"locked" by [example] SpywareBlaster or Winpatrol. It does not return the
attributes and renames the HOSTS file incorrectly to hosts.

and:

SpyBot-S&D
http://security.kolla.de/

p.s Reset the 3rd party browser setting.

More: This may be caused by a third-party program (adware, spyware,
parasite).
Get AdAware and SpyBot and run them both. Keep them up to date.
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Additional link:
http://aumha.org/a/quickfix.htm

You may need this removal tool.
More: Complete list by variant with up-to-date information.
http://www.spywareinfo.com/~merijn/cwschronicles.html
More: Removal tool: http://www.spywareinfo.com/~merijn/files/CWShredder.exe

CWShredder - Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

IMPORTANT:
Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware may kill your internet connection when it is
removed, this program will enable you to regain your connection.
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP)


Important: "So how did I get infected in the first place?"
http://forums.net-integration.net/index.php?showtopic=3051

--

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
KMB said:
I added "about:blank" to the restricted list - don't know if it worked. I
found the following in my trusted sites.
http://*.63.219.181.7
I didn't put it there, I don't know what it is and when I remove it, it
comes back. Think it's related to about:blank?
Thanks for any help...KMB
 
I worked most of this past weekend trying to get rid of about:blank, internet
optimizer and "abetterinternet." I used xoftspy and though it reported that
it removed everything (132 various baddies!), about:blank persisted, and now
I cannot use Internet Explorer at all! when I type in a url, it just sends
me a page error. I'm about at the end of my rope, and am considering a clean
install of the OS after backing up all of my data. Short of that, anyone
have any other suggestions?????



Brian Mullan said:
Thankyou very much,I had tried everything,tech support etc.I received 75
Trojan Horses and Bloodhounds yesterday.None of the various spywares helped
but following your instructions everything is great,a big relief.
Many Thanks Brian Mullan

H Leboeuf said:
You have some parasites in your computer. The new version of AdAware may be
the only tool you will need. If not then get them all and clean your
computer.

Try this: Tools > Internet Options > Advanced > Browsing
Uncheck the Enable 3rd party browser extensions

If this clears your problem then find out who the culprit(s) is/are with
these tools.

Let AD-Aware Scan your system for advertising Spyware
http://www.lavasoftusa.com

If you use a HOSTS file, beware of this new issue.
Ad-Aware has decided to include a new detection when scanning the HOSTS
file. This now creates a "Bad hosts file entry" in the log file generated at
the end of a scan. The best thing to do is to place a check in each entry,
right-click and select: "Add selection to ignorelist". Otherwise if you let
AWW "fix" these items it will trash the HOSTS file! Even if you have it
"locked" by [example] SpywareBlaster or Winpatrol. It does not return the
attributes and renames the HOSTS file incorrectly to hosts.

and:

SpyBot-S&D
http://security.kolla.de/

p.s Reset the 3rd party browser setting.

More: This may be caused by a third-party program (adware, spyware,
parasite).
Get AdAware and SpyBot and run them both. Keep them up to date.
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Additional link:
http://aumha.org/a/quickfix.htm

You may need this removal tool.
More: Complete list by variant with up-to-date information.
http://www.spywareinfo.com/~merijn/cwschronicles.html
More: Removal tool: http://www.spywareinfo.com/~merijn/files/CWShredder.exe

CWShredder - Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

IMPORTANT:
Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware may kill your internet connection when it is
removed, this program will enable you to regain your connection.
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP)


Important: "So how did I get infected in the first place?"
http://forums.net-integration.net/index.php?showtopic=3051

--

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
KMB said:
I added "about:blank" to the restricted list - don't know if it worked. I
found the following in my trusted sites.
http://*.63.219.181.7
I didn't put it there, I don't know what it is and when I remove it, it
comes back. Think it's related to about:blank?
Thanks for any help...KMB

:

Sam wrote:
Here are some other methods that may assist.

http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

http://www.softwarepatch.com/tips/about-blank-adware.html

Sam

Hello. Looking for a little help....

I have a customer running Internet Explorer v6, on a computer running
Windows 2000 Professional.

Internet Explorer has been hijacked by "About:Blank"

We have run the Ad-aware 6 and also Spybot Search & Destroy software.
Neither one seems to be able to get rid of "About:Blank" permanently.

Doing a Google search, I have seen lots of people having lots of problems
with this one.

Does anyone have a solid solution for getting rid of the "About:Blank"
hijacker ?

Thanks in advance.

Lloyd Wolf
Wolf Consulting, Inc.





Tools/Internet Options/Security/Restricted Sites.

Add "about:blank" to the restricted list.

courtney sends....
 
Hi Tammy :-)

Here is what you ahve:

About:Blank - What is it? How to remove it
http://www.adwarereport.com/mt/archives/000068.html
http://www.pchell.com/support/aboutblank.shtml
http://www.whizatpc.com/kbase/ka10148.html

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

In order to fully remove it, do the following. Some variants can replicate
themselves continually until they are properly removed. Follow the
instructions for the information below and it should clean your system.
Make sure you run the scans in Safe Mode and with Hidden files enabled in
order to keep the scumware from hiding in Windows files that are in use.

NOTE: If you can not download these programs from the Internet, if your PC
has CD read capabilities, go to another computer with CD-ROM burning
capabilities. Create a folder on the hard drive of the other computer called
HOLD, download the programs to that folder, then burn that folder to a CD.
Copy the HOLD folder to your HD and then install the programs from there
and run them. After you have IE access again, update all programs where
possible to get the latest definitions and run them again in Safe Mode to be
sure there are no lingering items on the system.

Most importantly, download and run CWShredder, download from here:
http://www.majorgeeks.com/download3019.html
and this program, which searches for hidden .dlls that recreate the malware.
About Buster:
http://www.majorgeeks.com/download4289.html
Then visit these two sites to test for parasites and help basic cleaning:
On-Line Check
http://aumha.org/a/noads.htm
and
Quick-Fix Protocol.
http://aumha.org/a/quickfix.php
Basically, throw everything here at your "infection".

Also download and install HiJackThis -

How to download and install HiJackThis:
http://www.bleepingcomputer.com/forums/topict309.html

Please DO NOT post your log to this newsgroup. It is important that you go
to one of the HiJackThis Support Forums below and allow the experts there
to analyze it for youPlease DO NOT post your log to this newsgroup. It is
important that you go to one of the HiJackThis Support Forums below and
allow the experts there to analyze it for you.
CastleCops HiJackThis Forum
http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
or Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums. Please
follow all posting instructions carefully to avoid having your log deleted
or ignored.)

Please post a link to the forum where you post your HJT log back to this
thread so that we can follow your progress there.

CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

You should also get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also….. From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)
or Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip

How to Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

How to Show Hidden Files
http://snipurl.com/6rl8

Finally, go to Windows Update and ensure that ALL Critical updates are
installed.

Hope this helps :-)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

I worked most of this past weekend trying to get rid of about:blank,
internet
optimizer and "abetterinternet." I used xoftspy and though it reported
that
it removed everything (132 various baddies!), about:blank persisted, and
now
I cannot use Internet Explorer at all! when I type in a url, it just
sends
me a page error. I'm about at the end of my rope, and am considering a
clean
install of the OS after backing up all of my data. Short of that, anyone
have any other suggestions?????



Brian Mullan said:
Thankyou very much,I had tried everything,tech support etc.I received 75
Trojan Horses and Bloodhounds yesterday.None of the various spywares
helped
but following your instructions everything is great,a big relief.
Many Thanks Brian Mullan

H Leboeuf said:
You have some parasites in your computer. The new version of AdAware
may be
the only tool you will need. If not then get them all and clean your
computer.

Try this: Tools > Internet Options > Advanced > Browsing
Uncheck the Enable 3rd party browser extensions

If this clears your problem then find out who the culprit(s) is/are
with
these tools.

Let AD-Aware Scan your system for advertising Spyware
http://www.lavasoftusa.com

If you use a HOSTS file, beware of this new issue.
Ad-Aware has decided to include a new detection when scanning the HOSTS
file. This now creates a "Bad hosts file entry" in the log file
generated at
the end of a scan. The best thing to do is to place a check in each
entry,
right-click and select: "Add selection to ignorelist". Otherwise if you
let
AWW "fix" these items it will trash the HOSTS file! Even if you have it
"locked" by [example] SpywareBlaster or Winpatrol. It does not return
the
attributes and renames the HOSTS file incorrectly to hosts.

and:

SpyBot-S&D
http://security.kolla.de/

p.s Reset the 3rd party browser setting.

More: This may be caused by a third-party program (adware, spyware,
parasite).
Get AdAware and SpyBot and run them both. Keep them up to date.
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Additional link:
http://aumha.org/a/quickfix.htm

You may need this removal tool.
More: Complete list by variant with up-to-date information.
http://www.spywareinfo.com/~merijn/cwschronicles.html
More: Removal tool:
http://www.spywareinfo.com/~merijn/files/CWShredder.exe

CWShredder - Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

IMPORTANT:
Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware may kill your internet connection when it
is
removed, this program will enable you to regain your connection.
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is
Win2k or
XP)


Important: "So how did I get infected in the first place?"
http://forums.net-integration.net/index.php?showtopic=3051

--

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
I added "about:blank" to the restricted list - don't know if it
worked. I
found the following in my trusted sites.
http://*.63.219.181.7
I didn't put it there, I don't know what it is and when I remove it,
it
comes back. Think it's related to about:blank?
Thanks for any help...KMB

:

Sam wrote:
Here are some other methods that may assist.

http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

http://www.softwarepatch.com/tips/about-blank-adware.html

Sam

Hello. Looking for a little help....

I have a customer running Internet Explorer v6, on a computer
running
Windows 2000 Professional.

Internet Explorer has been hijacked by "About:Blank"

We have run the Ad-aware 6 and also Spybot Search & Destroy
software.
Neither one seems to be able to get rid of "About:Blank"
permanently.

Doing a Google search, I have seen lots of people having lots of
problems
with this one.

Does anyone have a solid solution for getting rid of the
"About:Blank"
hijacker ?

Thanks in advance.

Lloyd Wolf
Wolf Consulting, Inc.





Tools/Internet Options/Security/Restricted Sites.

Add "about:blank" to the restricted list.

courtney sends....
 
Lloyd Wolf said:
Hello. Looking for a little help....

I have a customer running Internet Explorer v6, on a computer running
Windows 2000 Professional.

Internet Explorer has been hijacked by "About:Blank"

We have run the Ad-aware 6 and also Spybot Search & Destroy software.
Neither one seems to be able to get rid of "About:Blank" permanently.

Doing a Google search, I have seen lots of people having lots of problems
with this one.

Does anyone have a solid solution for getting rid of the "About:Blank"
hijacker ?

Thanks in advance.

Lloyd Wolf
Wolf Consulting, Inc.
 
Back
Top