RaveDeNoir (Member, join:2004-04-27, Ames, IA)

About:Blank now homepage. Need to remove? Here's How

About:Blank is now your homepage; it's part of HomeOldSp, and you want it gone. Here's how to rid yourself of the monster forever.
Courtesy of RaveDeNoir (Yahoo ID)

SO... You have gotten yourself stuck with About:Blank as your home page. It's part of a "Trojan" virus/mail-spy-ad-ware program. You've gone to 100s of forums and nothing has helped. Trust me, I've been where you are. But through my combined research of those '100 forums plus' and my own handiwork I have found your answer.

Where to begin?

No place is good to be honest... as easy as it will be, it's going to be a pain.

Step#0 - - Pre-Kill Measures
Copy and paste this advice to a text file and save! (But still read the whole thing before you do anything!)

Step#1 - - Things to Download and Update
Download all of these and get updates for everything you can:
IE 6
AdAware 6
SpyBot (1.1 is best I find then update)
SpySweeper
HiJackThis
KillBox (YOU need this program!)
CWShredder (with at least one new entry after cwsearchx before the line)

Okay Now you have tools - - Hopefully!!!

Step#2 - - The problem Boils
With all your updates and programs installed or unzipped, here's what to do.
-Boot into Safe Mode.
-Run AdAware 6
-Delete Everything it finds, Don't question any entry just delete them all.
-Run AdAware 6 again. Yes, again; you might be surprised to find it will find more. In fact three times wouldn't hurt. Delete everything again.
-Run SpySweeper
-Delete Everything!
-It might mess some programs up... BUT, too bad for you, you have, I feel, the nastiest trojan ever, and you want it gone, and don't want to reformat, SO DO IT! Just delete all that it finds, and reinstall what you have to later, that is if anything.
-Run SpyBot
-Once again SELECT ALL and delete every Entry!

Step#3 - - Time to get Dirty!
So you've done what any average person would do. But this has gone way past the average problem. You need to do some sniffing and use your brain. Each infection of this monster is different, while actually the same.

-First thing to Know!
-C:\Windows(or whatever)\system32 ... This is where the file is doing its most harm!
-Your file will look something like (just an example - -hjlkimg.dll). So basically you won't know what to really look for. Best way to find it is... arrange your files by Date CREATED with the Details menu; not Modified but Created. To get date created, right click on the Details bar and choose Date Created.
-If you still can't find the "monster dll" don't worry. Because! Hopefully! AdAware got rid of it.

-Second thing to Know
-In SpyBot under Tools you can see all your browser pages and BHOs. These are the ones in the Registry. Don't know what BHOs are? Don't worry (neither do I really). So skip worrying. This is really your solution to getting rid of this problem. TRUST ME!

-First Thing to do now that you know all this.
-Run HiJackThis
-Whatever it finds with the HomeOldsp name, or jkhlkj.dll (again an example of the evil file, not the one you may have), or about:blank, or the word search, or anything with BHO in front of it... DELETE(fix)! That means delete all BHO files.
-To make sure you deleted all the BHO files, run SpyBot and go to Tools and look under the BHO section; it should now be empty!

-Second Thing
-Run CWShredder and let it do its thing then Exit.

Step#4 - - The Heart of the Beast!
It's time to go DEEP! Time to enter the Windows Registry.
[Press/Click] START
[Press/Click] RUN
When the Box Opens
[Type] RegEdit [Press Enter]

The Registry is Open now.
Click your way to the following location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

-There you will find the "value" AppInit_Dlls
-Right Click on this value and select Modify Binary Data
-Here you will see a new "dll" (not the one you have deleted with everything else) embedded in the code; it will look something like dfsflkjis.dll or comaedas.dll (whatever). Point is... "THAT IS A NEW dll" that's going to be loaded into the system32 folder (and start the whole mess over), now that the old one's been deleted.
-This is the Heart Folks!
-This is the one thing none of the programs were stopping.
-But Yes we have our final trick/"Program" to play....

-Run KillBox (YOU need this program!) and follow these steps to a T.
1-Open KillBox
2-Type C:\Windows\system32\ into the bar.
3-After ...system32\ type the name of the DLL you found in the "AppInit_Dlls" data in the registry.
4-Click the "Action" button (do NOT press 'delete/kill file') and choose "Delete on Reboot".
5-A second screen will pop up - - Click "File" then click "Add File"; this will add the file embedded in AppInit_Dlls.
6-After the name is loaded into the second screen, press "Action" then press "Process and Reboot". Allow the computer to reboot.

Step#5 - - After Grabbing the heart.
This is part 7 of KillBox
-Go back to the registry and back to...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

...and DELETE the entire AppInit_Dlls value (and yes, you should see that new dll in the value, but what's great is... it didn't get loaded into the system!)

Step#6 - - THE END
You are now clean!

Final words of advice: tighten your browser's security, run spy/ad checks regularly, get good antivirus software and ad blockers "like Google has", and a firewall is always great too.

Thanks to everyone for the hints they gave me along the way.
This is for everyone that added to making this posting what it is today.
I wish you all the best of luck
-RaveDeNoir
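
The step 4 check in the post above, carried out offline on a regedit export rather than by eye in the "Modify Binary Data" dialog. This is an added example, not RaveDeNoir's code and not part of KillBox or regedit. It assumes the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows was exported with regedit (File > Export) and that a REG_SZ regedit cannot show as plain text is written as "hex(1):" bytes. The decoder splits the bytes on NUL instead of stopping at the first one, so a path stored behind a leading NUL, which the plain string view shows as an empty value, is still listed. The sample export and the DLL name in it are constructed placeholders, not indicators from this thread.

```python
"""Decode an AppInit_DLLs value from a regedit .reg export and list the DLLs it names.

Added example for step 4 of the post above; not RaveDeNoir's code and not part of
KillBox/regedit. Assumes the Windows NT\CurrentVersion\Windows key was exported with
regedit and that unprintable REG_SZ data is written as "hex(1):" bytes. The sample
export and the DLL name in it are constructed placeholders.
"""
import re

# Registry type codes that appear as hex(N) in .reg files; bare "hex:" is REG_BINARY.
REG_TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ"}

# Anything that looks like a DLL name or full path inside a decoded string fragment.
DLL_RE = re.compile(r'(?:[A-Za-z]:\\[^\x00"]*?|[\w.-]+)\.dll', re.I)


def _unwrap(reg_text):
    """Join regedit's trailing-backslash line continuations so each value is one line."""
    return re.sub(r"\\\r?\n[ \t]*", "", reg_text)


def parse_values(reg_text):
    """Return {value_name: (reg_type, raw_bytes)} for every value in the export.

    Quoted strings are re-encoded as UTF-16LE so both forms decode the same way."""
    values = {}
    for line in _unwrap(reg_text).splitlines():
        m = re.match(r'^"([^"]+)"=hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', line)
        if m:
            name, type_hex, data = m.groups()
            reg_type = int(type_hex, 16) if type_hex else 3
            raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
            values[name] = (reg_type, raw)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            name, text = m.groups()
            text = text.replace('\\"', '"').replace("\\\\", "\\")
            values[name] = (1, text.encode("utf-16-le") + b"\x00\x00")
    return values


def string_fragments(raw):
    """Split a REG_SZ/REG_EXPAND_SZ blob on NUL and keep the non-empty pieces.

    A string view stops at the first NUL; splitting instead of stopping is what
    makes a path stored after a leading NUL show up."""
    text = raw.decode("utf-16-le", errors="replace")
    return [frag for frag in text.split("\x00") if frag]


def hidden_behind_nul(raw):
    """True when the first UTF-16 code unit is NUL but more bytes follow, i.e. the
    plain string view would display the value as empty."""
    return len(raw) > 2 and raw[:2] == b"\x00\x00"


def dlls_in_appinit(reg_text, value_name="AppInit_DLLs"):
    """List every DLL reference in the named value; on a clean system this is empty."""
    values = parse_values(reg_text)
    if value_name not in values:
        return []
    _reg_type, raw = values[value_name]
    hits = []
    for frag in string_fragments(raw):
        hits.extend(m.group(0) for m in DLL_RE.finditer(frag))
    return hits


def reg_hex_sz(text):
    """Encode text as regedit writes a REG_SZ it cannot print: UTF-16LE plus a
    terminating NUL, as comma-separated hex bytes wrapped with backslash continuations."""
    raw = text.encode("utf-16-le") + b"\x00\x00"
    pairs = ["%02x" % b for b in raw]
    chunks = [",".join(pairs[i:i + 16]) for i in range(0, len(pairs), 16)]
    return "hex(1):" + ",\\\r\n  ".join(chunks)


# Constructed sample export: one ordinary XP value plus an AppInit_DLLs entry that
# starts with a NUL, followed by a placeholder DLL path (not a real indicator).
CONSTRUCTED_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\r\n"
    '"DeviceNotSelectedTimeout"="15"\r\n'
    '"AppInit_DLLs"=' + reg_hex_sz("\x00C:\\WINDOWS\\System32\\placeholder_hidden.dll") + "\r\n"
)

if __name__ == "__main__":
    reg_type, raw = parse_values(CONSTRUCTED_EXPORT)["AppInit_DLLs"]
    print("type:", REG_TYPE_NAMES.get(reg_type, reg_type))
    print("looks empty in the string view:", hidden_behind_nul(raw))
    print("DLLs referenced:", dlls_in_appinit(CONSTRUCTED_EXPORT))
```

Run it against a real export by reading the .reg file (regedit writes UTF-16 with a BOM, so open it with encoding="utf-16") and passing the text to dlls_in_appinit. Any DLL it lists is worth identifying before the value is cleared, since AppInit_DLLs is loaded into every process that links user32.dll.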

reed_pauls (Member, join:2004-04-28, Irving, TX)

Didn't work for me! I tried all the steps here and my problem is that once I get to step 4 I cannot find any AppInit_Dlls files. I found the Windows directory under CurrentVersion of Windows NT, but it contained zero files. And of course after rebooting in regular mode, guess what, my IE is hijacked back to about:blank!!

For my entire history go to:

»forums.maddoktor2.com/in ··· 17&t=370

NanDog, The Pup Was Female, I'M Not (Premium Member, join:2003-12-28, Bremerton, WA)

reed_pauls, here at BBR we have a pretty tried-and-true process to help with viruses/trojans/hijacks. Please read and follow the instructions here:

»Security »I think my computer is infected or hijacked. What should I do?

Although many of the steps were included in RaveDeNoir's post, please follow in order what's listed. If and when you post a HiJackThis log, this process gives the experts here the information they need to help you!

RaveDeNoir (Member) to reed_pauls

There are no files, my friend. The files get loaded from memory. What KillBox (the program you need) does is stop that memory from being loaded. So you need that "new dll name" it will create that's in the Registry file. Then after reboot delete that Registry file. That's why you right click and use Modify Binary Data.

EGeezer (Premium Member, join:2002-08-04, Midwest)

Thanks for the tip! and... welcome to BBR! I think it's notable that your first posts are ones to help and address problems and not a request for assistance.

reed_pauls (Member) to NanDog

Thanks for pointing me to the basics (I will definitely try a few new items there, even if I've done most already). My link provided the HijackThis logs but here it is fresh again:
Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 7:31:21 PM, on 4/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
c:\cpqapps\Aclient\Aclient.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mobsync.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 18 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aumr7k49.slt\prefs.js)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
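
A triage pass over HijackThis entries in the format of the log above, added here as an example; it is not reed_pauls's code and not part of HijackThis. It reads the R0/R1 (IE start and search pages) and O2 (BHO) lines and reports the ones that fit the pattern this thread is about: pages set to about:blank or served from a resource inside a local DLL, and a BHO backed by that same DLL. It follows Zupe's point later in the thread that the culprit BHO is the one matching the R1 entry, so unnamed BHOs are only listed for review rather than flagged. The sample log is constructed; "placeholder.dll" and the CLSIDs in it are not real indicators.

```python
"""Triage pass over HijackThis log entries.

Added example, not code from reed_pauls's post or from HijackThis. The sample log
is constructed; placeholder.dll and the CLSIDs in it are not real indicators.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity line reason")

_ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.*)$")
# A page served from a resource inside a local DLL, e.g. res://C:\...\x.dll/sp.html
_RES_DLL_RE = re.compile(r"res://([^/]+\.dll)/", re.I)


def parse_hjt(log_text):
    """Return [(code, rest)] for the entry lines; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("rest")))
    return entries


def res_dll_names(entries):
    """Base names of DLLs that R0/R1 entries load pages from via res://."""
    names = set()
    for code, rest in entries:
        if code in ("R0", "R1"):
            m = _RES_DLL_RE.search(rest)
            if m:
                names.add(m.group(1).rsplit("\\", 1)[-1].lower())
    return names


def triage(log_text):
    """Rank entries. High: about:blank or res:// pages, and a BHO backed by that DLL.
    Medium: a page pointing at a local file. Low: an unnamed BHO, listed for review
    only (deleting every BHO blindly is not needed; the culprit matches the R1 entry)."""
    entries = parse_hjt(log_text)
    hijack_dlls = res_dll_names(entries)
    findings = []
    for code, rest in entries:
        line = "%s - %s" % (code, rest)
        if code in ("R0", "R1") and " = " in rest:
            target = rest.partition(" = ")[2].strip().lower()
            if target.startswith("about:blank"):
                findings.append(Finding("high", line, "IE page set to about:blank"))
            elif target.startswith("res://"):
                findings.append(Finding("high", line, "IE page served from inside a local DLL"))
            elif target.startswith("file://") or re.match(r"[a-z]:\\", target):
                findings.append(Finding("medium", line, "IE page points at a local file"))
        elif code == "O2" and rest.startswith("BHO: "):
            dll = rest.rsplit(" - ", 1)[-1].strip().rsplit("\\", 1)[-1].lower()
            if dll in hijack_dlls:
                findings.append(Finding("high", line, "BHO is the same DLL the res:// page lives in"))
            elif rest.startswith("BHO: (no name)"):
                findings.append(Finding("low", line, "unnamed BHO; identify the file before removing"))
    return findings


# Constructed sample in the HijackThis 1.97 layout; nothing here is a real indicator.
CONSTRUCTED_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 7:31:21 PM, on 4/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\placeholder.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\placeholder.dll
O2 - BHO: Example Toolbar Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
"""

if __name__ == "__main__":
    for f in triage(CONSTRUCTED_LOG):
        print("[%s] %s\n    %s" % (f.severity.upper(), f.line, f.reason))
```

On the log reed_pauls posted the pass reports nothing, because its R0 entry points at http://www.yahoo.com/ and it has no O2 lines; on the constructed sample it ties the O2 entry to the R1 res:// page through the shared DLL name, which is the link the thread's later replies rely on.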

LoPhatPhuud (MVM, join:2002-01-06, Albuquerque, NM) to RaveDeNoir

If you are interested in seeing how the experts tackled this one, look here:

»www.wilderssecurity.com/ ··· tcount=4

reed_pauls (Member) to RaveDeNoir

Thanks, I'm entry level and I can hear the Nike swish going over my head. I have KillBox but no idea how to find the particular dll file.

SpywareBlaster shows this in the tools section:

c:\windows\system32\blank.htm
about:blank

c:\windows\system32\blank.htm
http://ie.search.msn.com/{SUB RFC1766}/srchasst/srchcust.htm

is the RFC1766 the dll file?

pickle1 (Anon, @wlmgti01.ga.comcast.) to RaveDeNoir

reed_pauls's point is when you go into the registry as you say and click "modify", there is nothing there as a value at all... it is blank... how can you run KillBox and delete something that is not there?

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB)

Looking at the link from LoPhat »www.wilderssecurity.com/ ··· tcount=4, it seems that this is an evolving threat that is still being modified by its creators.

So, if you have something that doesn't fit with what is currently known, please send copies off to the anti-malware vendors using the "Submit Suspected Malware" link on the main BBR Security Forum page.

Good post RaveDeNoir. People can consult and refer to it. Hopefully soon the anti-malware folks will have updated their tools to handle it in a less complicated manner.

Zupe (MVM, join:2001-11-29, New York, NY) to RaveDeNoir

Just to clarify a bit:

First, randomly deleting all BHO entries in Hijack This is not a very good idea. There's no need or real point to doing that, as the file causing it will be a randomly named file usually matching the one shown in the R1 entries and will be pretty easy to spot.

Also, there's a more recent version of this hijack where the hidden DLL is not visible either in Process Viewer or the registry value itself, even when looking at the binary data.

*Edit*
Removed link; the one LoPhatPhuud posted has most of the information.

chachazz (Premium Member, join:2003-12-14)

Zupe that link doesn't work for me. Anyone else?

CajunTek, Insane Cajun (Premium Member, join:2003-08-08, Arlington, TX) to Zupe

Doesn't work for me either, Zupe.

keith2468 (Premium Member) to RaveDeNoir

Anyone with a copy of any sort of about:blank virus or trojan or piece thereof should send it off using the "Submit Suspected Malware" link.

I was surfing the Sophos site, and so far they have only received one sample of one variant of it.

CWShredder (Anon, @elisa-laajakaista.fi) to RaveDeNoir

»about:blank is taking over

Fix available for About:blank hijack
»www.spywareinfo.com/foru ··· ic=43970

SOLUTION: about:blank, searchpage keeps returning
»www.spywareinfo.com/foru ··· ic=43492

dcobian (Member, join:2004-05-03, Redondo Beach, CA) to RaveDeNoir

Hey Everyone!

I did all previous steps to solve this problem; nothing seemed to work, and after a few days I would get the virus again.
Finally I found the proper way to get rid of this virus.
The key is to find the hidden DLL, since there are two: one will be modifying your Internet Explorer pages and resetting them to about:blank, the other is hidden and loaded at all times. First you need this program:

http://www.resplendence.com/download/reglite.exe

Open reglite and paste this value in the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Then double click:
AppInit_DLLs

You should be able to see a file with this address:

C:\Windows\System32\"Hidden".dll

Clean your system with all the previous anti-virus programs.

Then in the Windows console (Windows setup option) go to C:\Windows\System32; there modify the file by using the Attrib command, otherwise you won't be able to erase it. Another way you could is to change the name of the file.
Reboot your system and open reglite again, go back to the same key:
AppInit_DLLs,
Now delete the value.

That should do the trick

samuel be (Anon, @kabel.telenet.be)

try this:

»www.nd.edu/~gweaver/DL/S ··· p347.exe

this tool removes the "About:Blank" homepage (on my computer)

greetz,

Sam

slimpauly (Anon, @cgocable.net) to RaveDeNoir

I just had this exact problem, and after reading your forum I installed CWShredder and ran it. It found a file named m.dll that was causing all my troubles. So I suggest if anyone else has this problem they should try CWShredder or search for m.dll and erase it. Thanks for the help guys (and gals)!!!!!

dmelamed (Member, join:2004-05-17, San Francisco, CA) to RaveDeNoir

Thanks much for this info!
Your STEP#2 appears to have done the job for me after the 2nd run of AdAware. I suspect AdAware's latest updates and definitions successfully zeroed in on the registry keys. But the 2nd run was necessary! (Subsequent runs of SpySweeper and SpyBot didn't find anything.)

What a joy to open the browser without seeing that detestable about:blank and its popup garbage!
best wishes

lpsoldier (Anon, @aol.com) to RaveDeNoir

I'm having the same problem with "about:blank" taking over my default homepage and I've tried everything suggested on this page but I STILL can't get rid of it.

I arranged the DLL files in my C:\WINDOWS\system32 folder by date CREATED and I suspect that the "evil" file may be something called "mhaea.dll" since it was created on May 13 and that's when my problem started. I've tried to delete it but every time I want to move it to the recycle bin it just says "file cannot be deleted - make sure it's not in use, etc etc".

I have Registrar Lite and in the AppInit_Dlls "value" there's something called C:\WINDOWS\System32\wdmnpch.dll and again I don't know what the heck that is but I suspect that's the "hidden" DLL that keeps the virus going. I've tried renaming it, deleting it etc. but nothing will work. Every time I close and open the AppInit_Dlls it's still there.

Any more suggestions? I've already scanned and cleaned my computer with Ad-Aware, Spybot, CWShredder, SpySweeper, HijackThis, etc. but it's not working. When I launch IE after I've rebooted my PC my homepage is still "about:blank" so I know for sure nothing I've done has made a difference.

Malware Hater (Anon, @ftech.co.uk) to RaveDeNoir

RaveDeNoir - Thank you! Yours is the only solution on the web to get rid of this problem. I followed your instructions, and they work perfectly - many thanks!

stu (Member, join:2000-11-03, Patchogue, NY) to RaveDeNoir

Actually I want a blank home page. It loads faster if I am not connected or on the road. I have to ignore the warning.

Is there some way to not get the warning as I do not want the default of (I think) MS as the home?

Stu

lpsoldier (Anon, @aol.com) to RaveDeNoir

I've got rid of CWS already

paltz14 (Member, join:2001-08-30, Tucson, AZ) to RaveDeNoir

Thanks!!! Worked like a charm, even though there was no unusual DLL file in AppInit_Dlls.

joelavelle (Anon, @cox.net) to pickle1

I was having this problem too. It turns out there was a value in AppInit_Dlls, but it was not visible to the regedit user. I was able to see it (and delete it) using Registrar Lite and following the instructions at »forums.spywareinfo.com/i ··· opic=942.

I am free of about:blank for about a day and hope never to see the awful trojan again

Zeke0123 (Member, join:2004-05-09, Redondo Beach, CA)

Anything new on this topic for ME users? And could someone post a link for KillBox?

John2g, Qui Tacet Consentit (Premium Member, join:2001-08-10, England)

said by Zeke0123:
Anything new on this topic ?? for ME users and could someone post a link for Killbox ??

»download.broadbandmedic. ··· lBox.zip

Zeke0123 (Member)

Thanks, but that link didn't work for me.

dolphins, Clean Up Our Oceans (Premium Member, join:2001-08-22, Westville, NJ)

broadbandmedic.com has been under DoS attack. I'll see if anyone else is hosting TheKillBox.

Sparrow, Crystal Sky (Premium Member, join:2002-12-03, Sachakhand)

KillBox.zip
47,503 bytes
»download.broadbandmedic. ··· cgi?id=0

This should do it.