About:blank Windows 98 Solution
vanagon40
Indiana Member
Running Windows 98, here were my symptoms
On a daily basis, my home page would change to about:blank; additionally, when I typed an incorrect URL in IE, the search assistant was redirected from my MSN default to another search page (and I got a pop-up telling me there was spyware on my computer)
I ran CWShredder, Spybot, Ad-Aware, and HiJack This. My home page would be OK, but the search assistant redirect was still there. This would last all day. The next day, as soon as I launched IE, the problem was right back.
I found there was a random dll being generated each day. It was located in C:\Windows\System. The easiest way to find this dll was to open the System folder and using the “Views” option in the toolbar, click “Details.” Then click “Modified” at the top of the listing so the most recent is at top. A randomly named dll was present each morning (e.g., ghifkoo.dll, booncaa.dll, cmmc.dll). CWShredder, Spybot, Ad-Aware, and/or HiJack This would wipe out that day’s dll, but a new one greeted me each morning.
The Problem:
Merijn’s CoolWebSearch Chronicles, http://www.spywareinfo.com/~merijn/cwschronicles.html, provided much insight. I believe I had the combination of Variant 38 (CWS.Searchx) and Variant 39 (CWS.Realyellowpage). CWShredder does not fix it, and HiJack This does not show it.
The Solution:
The key to eradicating this nightmare is to find the hidden reloader and wipe it out.
The key to finding the hidden reloader is to use PrcView.
FIND THE HIDDEN RELOADER. Most of the information on the web relates to Windows XP, and points to the AppInit registry key for the solution. There is no AppInit registry key in Windows 98. To find the reloader, I used PrcView (a download is available here: http://www.spywareinfo.com/~merijn/files/pv.zip). I ran PrcView with an Explorer window open to find all operating dlls. (Must run Runme9x and choose option 1—Explorer dll’s). I started by eliminating all dlls that were not in C:\Windows\System. I then began checking the listed dlls that had no version no. or description. I would search my C drive for each dll and also did a Google search for each dll. All the dlls (except one), were found during a search of my C drive (and clicking “Properties” would usually provide information regarding the creator and version) and using a Google search. However, there was one dll that returned no matches on the Google search, and was not located on the search of my C drive. THIS WAS THE DEVIL. In my case, the name was resbb.dll. Merijn suggests that the offending dll will have a base code of 61c00000 and a size of 61440, but that was not the case for me.
REMOVE THE HIDDEN RELOADER. I first used Killbox (instructions are available at http://www.spywareinfo.com/~merijn/cwschronicles.html), but I do not think that worked. On reboot, the offending dll was still visible with PrcView. To finally wipe out this devil, I followed the instructions provided by Shadowwar here: http://www.wilderssecurity.com/showpost.php?p=164000&postcount=25
1. Reboot in safe mode (press F8 at reboot)
2. Select command prompt only.
3. Once I got to dos at c:\ prompt, I typed: cd windows
4. At the next prompt, I typed: cd system
5. At the C:\WINDOWS\SYSTEM\> prompt, I typed: del resbb.dll
6. Turned the power off, and then restarted.
On restart I got an Error message that resbb.dll could not be located. BEST ERROR MESSAGE I EVER GOT.
I ran the clean-up tools, but all showed AOK. System works fine now.
For anyone trying to tackle this problem with Windows 98, I strongly recommend reviewing the Merijn’s CoolWebSearch Chronicles and the entire thread at Wilders Security: Coolwebsearch keeps coming back and SpywareBlaster won't open: http://www.wilderssecurity.com/showthread.php?t=28622
I spent many hours trying to resolve this problem, that Merijn describes as:
A special thanks to Merijn, Shadowwar and dvk01 at Wilders Security, and Dexter, Mr. Kwitko, and all the others here at Short-Media who provided me guidance.
Cleverness: Where's my infinity character button?
Manual removal difficulty: Battle axe or chainsaw recommended
Jim
This discussion has been closed.
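The cross-view check the original post describes (a DLL that the process viewer lists as loaded but that the folder listing does not show), as an added example that is not part of the thread. The `path|version` input layout and all sample rows are constructed for illustration and are not PrcView's real output format.

```python
# Added example: cross-view check for a hidden DLL. All sample data is constructed;
# the "path|version" layout is an assumption, not PrcView's real output format.
from pathlib import PureWindowsPath

SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\SYSTEM")

# Constructed view 1: modules a process viewer reports as loaded in Explorer.
# The version field is empty when the file carries no version or description.
LOADED_MODULES = r"""
C:\WINDOWS\SYSTEM\SHELL32.DLL|4.0
C:\WINDOWS\SYSTEM\COMCTL32.DLL|5.0
C:\WINDOWS\SYSTEM\resbb.dll|
C:\WINDOWS\SYSTEM\ghifkoo.dll|
C:\PROGRAM FILES\SOMEAPP\HOOK.DLL|1.0
"""

# Constructed view 2: file names the folder listing (or file search) shows.
VISIBLE_FILES = ["shell32.dll", "comctl32.dll", "ghifkoo.dll"]


def parse_modules(text):
    """Return (path, version) pairs from the constructed module list."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            path, _, version = line.partition("|")
            rows.append((PureWindowsPath(path.strip()), version.strip()))
    return rows


def cross_view(modules, visible_names, directory=SYSTEM_DIR):
    """Split modules loaded from `directory` into hidden and unversioned names."""
    visible = {name.lower() for name in visible_names}  # names are case-insensitive
    hidden, unversioned = [], []
    for path, version in modules:
        if path.parent != directory:     # PureWindowsPath compares case-insensitively
            continue                     # the post only examined the System folder
        name = path.name.lower()
        if name not in visible:
            hidden.append(name)          # loaded, yet absent from the folder listing
        elif not version:
            unversioned.append(name)     # visible, but worth a manual lookup
    return hidden, unversioned


if __name__ == "__main__":
    hidden, unversioned = cross_view(parse_modules(LOADED_MODULES), VISIBLE_FILES)
    print("Loaded but not visible on disk:", hidden)
    print("Visible but no version info:", unversioned)
```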
Comments
thanks for the detailed fix info! Especially for the links to download the necessary tools. Hopefully this will make it easy to help anyone else with this persistent nuisance.
Dexter...
J.B. McCarty
Thanks a million and spread the gospel
Steve
I'm running Windows ME and made a few changes -- it worked!! (I still hold my breath every time I launch IE -- when will the shock wear off.)
For Windows ME:
1. I ran PrcView using runme9x -- runme wouldn't.
2. Because in ME you don't have the option to select command prompt only to boot into DOS using safe mode, I used a boot disk created in NAV.
My "devil" was named CTLOLK.DLL.
Thanks again.
Andrea
Mine was called - cafgk.dll
I also have kbdpdm.dll which I think might be one of the random files?
Cheers guys
Oh - it was win 98 SE, with IE 5.5 if that's any use to anyone
What does your screen say exactly? maybe it is going into a default folder of some kind. Any more details would be helpful.
~dodo
PV Menu by Shadowwar
1. Explorer's DLL's
2. Internet Explorer DLL's
3. rundll 32 dll's
4. registry menu
5. process view readme
6. process view html readme
7. shaowwar's readme
E. Exit
[1,2,3,4,5,6,7,E]?
When I put in a 1 it says "bad command or file name" and opens a notebook.
When I put in a 2 it says "bad command or file name" "starting an internet explorer".
It then opens a notebook and an IE page
(even when I disconnect the cable modem the about blank page still loads)
Thanks
Jimmy
Runme9x for windows 98.
Runme for windows XP.
Not sure about 2000 (ME)?
Any help would be greatly appreciated.
Please post Hijack This log in your own thread and someone will try to assist you.
Dexter...
I am very new to the internet so maybe someone could advise me and forgive my ignorance
Well, this can happen if you get a web page with flash\shockwave content and use it as your home page, if there is a delay in the loading of that page or it takes the computer a while to load either its flash 7 plugin or the file the website sends in flash or shockwave content form for the plugin to play.
It is also possible to get TWO home page entries in registry under certain strange circumstances, but the one that is ruling in this case is your British Telecom link, so I would leave exactly what you describe alone unless you get major problems. I have had this happen when a web site server is busy also, a temporary about:_blank appears then the page fills in when stuff from a web server gets sent. I have also seen this happen when a web server is serving flash objects for ads, and when the ad server actually giving the ad out is busy....
Macromedia has released Flash\Shockwave version 7, so the flash7 could be a plugin load request that appears for a second....
I would say, this set of circumstances quoted looks like it is not really badly broken and could be server related or linkage to another legitimate server related without being a hijack, so leave be for now.
BUT a browser that opens to About:_blank and STAYS there or then goes to something way out of hand ("out of the ordinary bad, like a casino site, or porn stuff, or a searcher that has nothing good on it or redirects you to junk sites by itself") with a blank page is something I would fix right away unless you set browser to do this. Exception to that, is ads that stay there or "appear when you close Internet Explorer," then you have something causing that and I would say to run Adaware 6.0 (with latest definition updates, mine has ad defs for July 2, 2004 or later for def files, now) and possibly SpyBot S&D also, just as a precaution.
If you want help to do that, please open a thread of your own about this particular issue, so we do not have folks misunderstanding who the reply is to or how it relates to them. What we have been trying to do, is handle one user's problems per thread. Then we have a single user being helped in each thread. If we get multiple users with multiple problems in one thread, then we get folks confused as to what to do THEMSELVES. Fixing with heavy-duty removal tools will result in the registry for Windows being changed, changing it wrong can break things big-time, so we need to have one thread per user, OK????
Several new members have posted they are having problems with PRCViewer.
First, PRCViewer does not fix any problems, or remove any trojans or spyware. PRCViewer is a diagnostic tool that reveals running processes. At the time of my original post, it was the ONLY tool that would reveal the hidden reloader for the CWS about:blank variant.
At the time of my original post, several forums, including this one, provided a fix for the about:blank hijacker for Windows XP. The fix involved editing the registry. The fix was probably more straightforward than the solution I proposed. I posted my solution because there was VERY little information on the Internet regarding a fix for Windows 98.
As my solution is now over two months old (and because I have not had the problem again), I am uncertain that my solution is the best "fix" to resolve a CWS hijacker for the following reasons:
There may be better "tools" than PRCViewer currently available.
My fix may not work for new about:blank variants.
My fix was never intended to provide a solution for any OS other than Windows 98.
Therefore, I would propose the following:
If my solution is not working for you and you want detailed assistance in resolving your problem, post an HJT log in a new thread in this forum. Explain why you believe you have the CWS variant described in this thread, and how my proposed solution has failed.
If you are unsure whether you have the CWS variant described in this thread, post an HJT log in a new thread in this forum. Explain your symptoms in detail, as well as all steps you have taken to resolve the problem.
If you are running Windows 98 and want to solve this problem without additional assistance from this forum, AND you cannot find a copy of PRCViewer, send me an e-mail at the following address and I will forward you a copy of my PRCviewer. vanagon40 (not 45) at gmail dot com.
Hope this helps.
This does not make sense to me. Those two statements seem to contradict each other. How can you find all dll files on your C drive except one. What does seem to make sense, that of all the dll files found on the C drive, one does not yield a positive result in a google search. Is this what you meant to say?
I have just gone through over 50 dll files in google, and they ALL yielded a positive result. What am I doing wrong?
How can there be one dll that shows up as a result of PRCView (which, if I understand this correctly, are after all files that are on the computer), but not on the C drive? I do not understand this. Would you please explain this to me.
Yes, he meant that by googling, he could find legitimate definitions for all dlls except for one, which led him to believe that was the source of his problem.
If you read carefully, you see that he:
- first used Killbox
- didn't think it worked
- checked PrcView
- found that the DLL was still there, so obviously Killbox didn't work
- manually deleted the dll with a command line delete
- rebooted
- got an error message saying that the dll could not be found, which means he broke the reloader cycle, which then makes it possible to remove the RUN entry.
Dexter...
No, I meant EXACTLY what I said. The PRCViewer revealed that there was a dll named "resbb.dll" on my computer. But, when I ran the windows search program, it did not show up. When I looked in the C:\WINDOWS\SYSTEM\ folder [Windows 98], I could not see the file, even with hidden files revealed. Thus, the HIDDEN reloader. This is why PRCViewer was so important in finding the dll. At the time I posted, PRCViewer was the ONLY process viewer that would reveal the reloader.
Does the above now make sense?
Maybe you do not have any reloader, much less a hidden reloader? We are not seeing this exact variant of CWS much anymore. Either it is no longer being used much by CWS, or there is enough information on the web about killing it that people no longer are requesting assistance in removing it.
Are you getting a new randomly named dll each day after attempting to remove CWS the previous day? If you would like assistance, feel free to post a HJT log in a new thread.
Tried all of the suggestions, but not any good results.
Went to the web site MajorGeeks.com and found this program called aboutbuster, after backing up my computer and registry I followed the directions for install, update and scan. So far after a week all is well and no further infection of this pain in the lower back. Check it out and let me know if it works for all.
It works for some, and not for others. Worth a try though.
Dexter...
Thanks
Follow the directions with the program, make sure to backup your registry, then allow the program to update, run the scan 2 times as directed.
Good luck.
Head + Wall