About:Blank now homepage. Need to remove? Here's How

About:Blank is now your Homepage, it's part of HomeOldSp, and you want it gone. Here's How to rid yourself of the monster forever. Courtesy of RaveDeNoir (Yahoo ID)

SO... You have gotten yourself stuck with About:Blank as your home page. It's part of a "Trojan" virus/mail-spy-ad-ware program. You've gone to 100s of forums and nothing has helped. Trust me I've been where you are. But through my combined research of those '100 forums plus' and my own handiwork I have found your answer.
Where to begin?
No place is good to be honest... as easy as it will be, it's going to be a pain.
Step#0 - - Pre-Kill Measures
Copy and paste this advice to a Text File and save! (But still read the whole thing before you do Anything!)

Step#1 - - Things to Download and Update
Download all of these and get Updates for everything you can
-IE 6
-AdAware 6
-SpyBot (1.1 is best I find then update)
-SpySweeper
-HiJackThis
-KillBox (YOU need this program!)
-CWShredder (with at least one new entry after cwsearchx before the line)
Okay Now you have tools - - Hopefully!!!
Step#2 - - The problem Boils
With all your updates and programs installed or unzipped, here's what to do.
-Boot into Safe Mode.
-Run AdAware 6
-Delete Everything it finds, Don't question any entry just delete them all.
-Run AdAware 6 again, Yes Again, You might be surprised to find it will find more. In fact three times wouldn't hurt. Delete everything again.
-Run SpySweeper
-Delete Everything!
-It might mess some programs up... BUT, too bad for you, you have, I feel, the nastiest trojan ever, and you want it gone, and don't want to reformat, SO DO IT! Just Delete all that it finds, and reinstall what you have to later, that is if anything.
-Run SpyBot
-Once again SELECT ALL and delete every Entry!
Step#3 - - Time to get Dirty!
So you've done what any average person would do. But this has gone way past the average problem. You need to do some sniffing and use your brain. Each infection of this monster is different; While actually the same.

-First thing to Know!
-C:\Windows(or whatever)\system32 ... This is where the file is doing its most harm!
-Your file will look something like (Just an example - -hjlkimg.dll). So basically you won't know what to really look for. Best way to find it is... arrange your files by Date CREATED with Details menu; Not modified but Created. To get date created right click on the Details Bar and choose Date Created.
-If you still can't find the "monster dll" don't worry. Because! Hopefully! AdAware got rid of it.

-Second thing to Know
-In SpyBot under Tools you can See all your Browsers Pages and BHO's. These are the ones in the Registry. Don't Know what BHO's are don't worry (neither do I really). So skip worrying. This is really your solution to getting rid of this problem. TRUST ME!

-First Thing to do now that you know all this.
-Run HiJackThis
-Whatever it finds with the HomeOldsp name, or jkhlkj.dll (again an example of the evil file not the one you may have), or about:blank, or the word search, or anything with BHO in front of it... DELETE(fix)! That means delete all BHO files.
-To make sure you deleted all the BHO files Run SpyBot and go to Tools and look under the BHO section, it should now be empty!

-Second Thing
-Run CWShredder and let it do its thing then Exit.
Step#4 - - The Heart of the Beast!
It's time to go DEEP! Time to enter the Windows Registry.
[Press/Click] START
[Press/Click] RUN
When the Box Opens [Type] RegEdit [Press Enter]
The Registry is Open now. Click your way to the following location.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
-There you will find the "value" AppInit_Dlls
-Right Click on this value and select Modify Binary Data
-Here you will see a new "dll" (not the one you have deleted with everything else) embedded in the code, it will look something like dfsflkjis.dll or comaedas.dll, (whatever), point is ... "THAT IS A NEW dll" that's going to be loaded into the system32 folder (and start the whole mess over), now that the old one's been deleted.
-This is the Heart Folks!
-This is the one thing none of the programs were stopping.
-But Yes we have our final trick/"Program" to play....

-Run KillBox (YOU need this program!) And follow these steps to a T.
1-Open KillBox
2-Type C:\Windows\system32\ into the bar.
3-After ...system32\ type the name of the DLL you found in the "AppInit_Dlls" data in the registry.
4-Click the "Action" button (Do NOT press 'delete/kill file') and choose "Delete on Reboot".
5-A second screen will pop up - - Click "File" then click "Add File", this will add the file embedded in AppInit_Dlls.
6-After the name is loaded into the second screen. Press "Action" then press "Process and Reboot". Allow the computer to reboot.
Step#5 - - After Grabbing the heart.
This is part 7- of KillBox
-Go back to the registry and back to...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
...and DELETE the entire AppInit_Dlls value (and yes you should see that new dll in the value, but what's Great is... It didn't get loaded into the system!)
Step#6 - - THE END
You are now clean!
Final words of advice, tighten your browsers security, run spy/ad checks regularly, get good anti virus software, and ad blockers "like google has", and a firewall is always great too.
Thanks to everyone for the hints they gave me along the way. This is for everyone that added to making this posting what it is today. I wish you all the best of luck -RaveDeNoir
Didn't work for me! I tried all the steps here and my problem is that once I get to step 4 I cannot find any app init_dlls files? I found window directory under current version of Windows NT, but it contained zero files. And of course after rebooting in regular mode, guess what my IE is hijacked back to About blank!! For my entire history goto: » forums.maddoktor2.com/in ··· 17&t=370

NanDog (Premium Member, join:2003-12-28, Bremerton, WA), 2004-Apr-28 1:56 am
reed_pauls, here at BBR we have a pretty tried-and-true process to help with viruses/trojans/hijacks. Please read and follow the instructions here: » Security » I think my computer is infected or hijacked. What should I do?
Although many of the steps were included in RaveDeNoir's post, please follow in order what's listed. If and when you post a HiJackThis log, this process gives the experts here the information they need to help you!

to reed_pauls
There are no files my friend. The Files get loaded from memory. What KillBox (The program you need) does is stop that memory from being loaded. So you need that "new dll name" it will create that's in the Registry file. Then after reboot delete that Registry file. That's why you Right Click and use Modify Binary Data.

EGeezer (Premium Member, join:2002-08-04, Midwest), 2004-Apr-28 9:54 am
Re: About:Blank now homepage. Need to remove?Heres
Thanks for the tip! and... welcome to BBR! I think it's notable that your first posts are ones to help and address problems and not a request for assistance.

to NanDog
Re: About:Blank now homepage. Need to remove?Heres How
Thanks for pointing me to basics (I will definitely try a few new items there, even I've done most already), my link provided the Hijack logs but here it is fresh again: Thanks in advance.
Logfile of HijackThis v1.97.7
Scan saved at 7:31:21 PM, on 4/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
c:\cpqapps\Aclient\Aclient.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mobsync.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 18 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\aumr7k49.slt\prefs.js)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

to RaveDeNoir
If you are interested in seeing how the experts tackled this one, look here: » www.wilderssecurity.com/ ··· tcount=4

to RaveDeNoir
Thanks, I'm entry level and I can hear the Nike swish going over my head. I have kill box but no idea how to find the particular dll file.
Spywareblaster shows this in the tools section?
c:\windows\system32\blank.htm about:blank
c:\windows\system32\blank.htm http://ie.search.msn.com/{SUB RFC1766}/srchasst/srchcust.htm
Is the RFC1766 the dll file?

to RaveDeNoir
reed pauls' point is when you go into the registry as you say and click "modify", there is nothing there as a value at all... it is blank... how can you run killbox and delete something that is not there?

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB), 2004-Apr-30 12:36 pm
Looking at the link from LoPhat » www.wilderssecurity.com/ ··· tcount=4, it seems that this is an evolving threat that is still being modified by its creators. So, if you have something that doesn't fit with what is currently known, please send copies off to the anti-malware vendors using the "Submit Suspected Malware" link on the main BBR Security Forum page.
Good post RaveDeNoir. People can consult and refer to it. Hopefully soon the anti-malware folks will have updated their tools to handle it in a less complicated manner.

Zupe (MVM, join:2001-11-29, New York, NY)
to RaveDeNoir
Just to clarify a bit: First, randomly deleting all BHO entries in Hijack This is not a very good idea. There's no need or real point to doing that, as the file causing it will be a randomly named file usually matching the one shown in the R1 entries and will be pretty easy to spot. Also, there's a more recent version of this hijack where the hidden DLL is not visible either in Process Viewer or the registry value itself, even when looking at the binary data.
*Edit* Removed link, the one LoPhatPhuud posted has most of the information

chachazz (Premium Member), 2004-Apr-30 12:49 pm
Re: About:Blank now homepage. Need to remove?Heres
Zupe that link doesn't work for me. Anyone else?

CajunTek (Premium Member, join:2003-08-08, Arlington, TX)
to Zupe
Doesn't work for me either Zupe

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB)
to RaveDeNoir
Re: About:Blank now homepage. Need to remove?Heres How
Anyone with a copy of any sort of about:blank virus or trojan or piece thereof should send it off using the "Submit Suspected Malware" link.
I was surfing the Sophos site, and so far they have only received one sample of one variant of it.

dcobian (join:2004-05-03, Redondo Beach, CA)
to RaveDeNoir
Hey Everyone!
I did all previous steps to solve this problem; nothing seemed to work, after a few days I will get the virus again. Finally I found the proper way to get rid of this virus. The key is to find the hidden DLL, since there are two, one will be modifying your internet explorer pages and resetting them to about: blank, the other is hidden and loaded at all times, first you need this program:
http://www.resplendence.com/download/reglite.exe
Open reglite and paste this value in the address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Then double click: AppInit_DLLs
You should be able to see a file with this address:
C:\Windows\System32\"Hidden".dll
Clean your system with all the previous anti-virus programs.
Then in to the windows console (Windows set up option) go to C:\Windows\System32, there modify the file by using the Attrib command, otherwise you won't be able to erase it, another way you could, is to change the name of the file. Reboot your system and open reglite again, go back to the same key: AppInit_DLLs, Now delete the value.
That should do the trick

samuel be (Anon), 2004-May-4 10:29 am
try this: » www.nd.edu/~gweaver/DL/S ··· p347.exe
this tool removes the "About:Blank" homepage (on my computer)
greetz, Sam

to RaveDeNoir
I just had this exact problem, and after reading your forum I installed CWShredder and ran it. It found a file named m.dll that was causing all my troubles. So I suggest if anyone else has this problem they should try CWShredder or search for m.dll and erase it. Thanks for the help guys (and gals)!!!!!

dmelamed (join:2004-05-17, San Francisco, CA)
to RaveDeNoir
Thanks much for this info! Your STEP#2 appears to have done the job for me after the 2nd running of AdAware. I suspect AdAware's latest updates and definitions successfully zeroed in on the registry keys. But the 2nd run was necessary! (subsequent runs of SpySweeper and SpyBot didn't find anything)
What a joy to open the browser without seeing that detestable about:blank and its popup garbage! best wishes

to RaveDeNoir
I'm having the same problem with "about:blank" taking over my default homepage and I've tried everything suggested on this page but I STILL can't get rid of it.
I arranged the DLL files in my C:\WINDOWS\system32 folder by date CREATED and I suspect that the "evil" file may be something called "mhaea.dll" since it was created on May 13 and that's when my problem started. I've tried to delete it but every time I want to move it to the recycle bin it just says "file cannot be deleted - make sure it's not in use, etc etc"
I have Registrar Lite and in the AppInit_Dlls "value" there's something called C:\WINDOWS\System32\wdmnpch.dll and again I don't know what the heck that is but I suspect that's the "hidden" DLL that keeps the virus going. I've tried renaming it, deleting it etc. but nothing will work. Every time I close and open the AppInit_Dlls it's still there.
Any more suggestions? I've already scanned and cleaned my computer with Ad-Aware, Spybot, CWShredder, spysweeper, HijackThis, etc. but it's not working. When I launch IE after I've rebooted my PC my homepage is still "about:blank" so I know for sure nothing I've done has made a difference.

Malware Hater (Anon), 2004-May-19 8:53 am
to RaveDeNoir
Rave DeNoir - Thank-You! Yours is the only solution on the web to get rid of this problem. I followed your instructions, and they work perfectly - many thanks!

stu (join:2000-11-03, Patchogue, NY)
to RaveDeNoir
Actually I want a blank home page. It loads faster if I am not connected or on the road. I have to ignore the warning.
Is there some way to not get the warning as I do not want the default of (I think) MS as the home?
Stu

|
to RaveDeNoir
I've got rid of CWS already

|
to RaveDeNoir
Thanks!!! Worked like a charm, even though there was no unusual DLL file in AppInit_Dlls.


joelavelle (Anon), 2004-May-21 4:17 pm
to pickle1
I was having this problem too. It turns out there was a value in Appinit_Dll, but it was not visible to the regedit user. I was able to see it (and delete it) using Registrar Lite and following the instructions at » forums.spywareinfo.com/i ··· opic=942. I am free of about:blank for about a day and hope never to see the awful trojan again

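Several posts above turn on the AppInit_DLLs data looking empty in RegEdit while a DLL name shows up in the binary view or in Registrar Lite. The following Python is an added example, not part of any post and not taken from any tool named in the thread: it audits the raw bytes of the value as copied from a binary view and reports every DLL entry, including any that a string view would not show. It assumes the difference comes from data placed after the first NUL terminator, which the thread does not establish; the function names and sample DLL names are constructed.

```python
import re

def split_entries(text):
    # AppInit_DLLs holds a space- or comma-delimited list of DLL names.
    return [e for e in re.split(r"[ ,]+", text) if e]

def audit_appinit(raw, expected=frozenset()):
    """Return one finding per DLL entry found anywhere in the raw value data.

    raw      -- bytes of the REG_SZ data (UTF-16LE), as seen in a binary view
    expected -- lower-case base names you know and trust on this machine
    """
    # Decode the whole buffer; do not stop at the first NUL terminator.
    text = raw.decode("utf-16-le", errors="replace")
    visible, _, rest = text.partition("\x00")
    findings = []
    for segment, in_string_view in ((visible, True),
                                    (rest.replace("\x00", " "), False)):
        for entry in split_entries(segment):
            base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            findings.append({
                "entry": entry,
                "in_string_view": in_string_view,  # False: past the terminator
                "expected": base in expected,
            })
    return findings

def suspicious(raw, expected=frozenset()):
    # Anything unknown, or anything a string editor would not display.
    return [f["entry"] for f in audit_appinit(raw, expected)
            if not f["expected"] or not f["in_string_view"]]

# Constructed sample: the string view is empty, a path follows the terminator.
HIDDEN_SAMPLE = "\x00C:\\WINDOWS\\System32\\example-hidden.dll\x00".encode("utf-16-le")
# Constructed sample: two ordinary comma-separated entries.
NORMAL_SAMPLE = "vendor.dll,C:\\WINDOWS\\System32\\other.dll\x00".encode("utf-16-le")

if __name__ == "__main__":
    for name, raw in (("hidden", HIDDEN_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(name, suspicious(raw, expected={"vendor.dll"}))
```

An entry reported with `in_string_view` set to False is one that would be missed when only the string editor is checked, which matches the "it is blank" reports above only if the stated assumption holds.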
Zeke0123 (join:2004-05-09, Redondo Beach, CA)
Anything new on this topic ?? for ME users and could someone post a link for Killbox ??

John2g (Premium Member, join:2001-08-10, England), 2004-May-21 5:36 pm
said by Zeke0123: Anything new on this topic ?? for ME users and could someone post a link for Killbox ??
» download.broadbandmedic. ··· lBox.zip

Zeke0123 (join:2004-05-09, Redondo Beach, CA)
thanks but that link didn't work for me

dolphins (Premium Member, join:2001-08-22, Westville, NJ), 2004-May-21 6:28 pm
broadbandmedic.com has been under DOS attack. I'll see if anyone else is hosting TheKillBox.

Sparrow (Premium Member, join:2002-12-03, Sachakhand), 2004-May-21 6:33 pm