Adware - about:blank Homepage
HalOfBorg
West Virginia
One of our work PCs has started changing its homepage to "about:blank", which is some ad page.
I put it back to msn, but about an hour later it's back to about:blank.
Also, two shortcuts appear on the desktop. One is for an online pharmacy (so it claims, I'll not try it), and the other SAYS it's a shortcut to a folder, but it opens Internet Explorer (which I close ASAP). I delete the shortcuts but they come back as well.
ALSO - it puts a shortcut to "VIP Porn" or some crap like that in My Favorites.
ALSO ALSO....... All of my shortcuts to IEXPLORER have "%HOMEDRIVE%%HOMEPATH%" as the "Start In" line. No idea if they had that before, but the ones I make do not. I know they have the standard "C:\Program Files\Internet Explorer". I deleted those and made new ones, for what it may be worth...
I've run Ad-Aware and Spybot S&D (both fully updated) repeatedly. They both found and removed things, mostly registry entries. These also seem to come back - though there are fewer now.
Running Windows 2000
Ideas??? :loco:
(the page should NOT have that underscore in it...no idea why it's there)
Comments
Read that; it links to all the tools you need.
Also, Ad-Aware and Spybot do about 90% of the job. The last 10% is manually fishing out stuff.
Check your registry startup keys by clicking on START -> RUN -> type MSconfig
Then click on the "startup" tab and disable anything fishy. Most of the time it should be completely clean except for Norton-dependent apps (i.e. ccApp, ccRegVfy), if applicable, or work-related stuff. Besides, you can always re-enable it if it's something of importance.
Don't muck in the registry unless you have a backup.
I also have AVG AntiVirus (free version). That found the bastard - js.seeker.
All of 'em found something. Adaware, Spybot, CW, HJ, even Norton's found a virus.
No msconfig - it's Win2K, but thanks anyway, it's better now --- until the night crew gets here again! :fu:
Aha, yeah, you're right about msconfig. I thought I tried it out one day in Win2K and it was there. Must have been the XP box at work. Oh well.
2) Install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs into the address bar.
3) Double-click on AppInit_DLLs to open a "Data Editor" properties window. If the bottom text field named "Value" contains a .dll file, then this is the hidden file you need to get rid of.
4) You should not be able to delete this file if you try to clear the value field. IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
5) Rename the folder "Windows" (this is a purple "highlighted" folder in the left-hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
6) Click AppInit_DLLs again, clear the value containing the .dll and OK it. This should have removed the .dll.
7) Rename the Windows folder back to its original name "Windows".
8) Run SpyBot, Ad-Aware and CWShredder.
9) Check the following three links for instructions on downloading and running the applications listed:
o How to use Spybot to remove Spyware
o How to use Ad-Aware to remove Spyware
o How to Remove CoolWebSearch with CoolWeb Shredder
10) The next step will be to remove this dll file, so make sure you have it noted down.
Step 1
11) Download KillBox.
12) Unzip and start the application.
13) Paste in the path <path and name of dll as found in the AppInit value box>, i.e. C:\Windows\System32\nameofdll.dll
14) Menu: select Action -> Delete on Reboot.
15) Select File -> Add file (it should add the path automatically).
16) In the same window, select Action -> Process and Reboot.
Step 2 (if Step 1 didn't work)
17) Click "Start" => "Run", type in "cmd" (without the quotation marks) and click on "OK".
18) This will open a command window. I will assume you have a basic knowledge of DOS; if you have any problems at this point just write back and I will outline the commands.
19) Type in dir <path and name of dll as found in the AppInit value box> and press "Enter". You should see the name of the file listed.
20) Go to the system32 folder (this is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
21) Carry out Step 1 again.
22) Restart your computer in safe mode.
23) Open a cmd window again as before.
24) Type dir <path and name of dll as found in the AppInit value box> and locate the dll name; the dll should now have been removed and will not be listed.
25) While in safe mode (How do I boot into "Safe" mode?), run the 3 ad-removal programs again, just to make sure all traces are gone.
26) Boot up the PC as normal and you should be trouble free.
Try this fix if the other one above doesn't work!
This is a fast way to stop the About:Blank trojan redirector!!
1. Go to your desktop and click "Start" then "Run", type regedit in the address bar and hit OK.
2. Once in the registry go up to the first folder (HKEY_CLASSES_ROOT) and click on the (+) sign to access the folders. Find the folder BHO.HelperObject and click on the (+) sign to view the sub folders inside. Look for a folder called CurVer, then right-click on the CurVer folder and choose "Permissions" from the list.
3. Highlight the Administrator or the first group user in the list at the top of the permissions group list. Now go to the bottom area and check the boxes for "Deny" for the Full Control and Read categories.
4. If there is a second group user after the Administrator then highlight it and repeat the same steps as above to "Deny" Full Control and Read privileges for it also.
5. Click "Apply" and "OK" and close out of the registry area.
6. This should stop the About:Blank trojan from setting up .dll files in your System32 files.
7. Download and run Spysweeper and download Spywareblaster to prevent future spyware infections.
I have just removed that stupid about:blank bug (don't know where I got it from). The information provided here was in part quite helpful.
However, there are two "something.dll" files in c:/windows/system32 with apparently randomly generated names. Spybot and also AVG could not find them.
The first one can be found as described above using Reglite.
I found the second one using a tool called Process Explorer. In principle, it should allow one to identify both *.dlls.
download: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
As I understood it (I don't know much about it), that piece allows you to find DLLs which have been used recently by a certain program:
1) Start this program, then start Internet Explorer. Mark "Internet Explorer" in the upper window of Process Explorer.
2) Click on the fourth symbol from the left in the shortcut list to view DLLs.
3) Search for DLLs which are not from Microsoft or have a strange name... hm, they all have. But you will find... (when opening with an editor, you will find some HTML inside, corresponding in the middle to the code of that ****** about:blank page).
4) I renamed those files to TROJAN1.html and TROJAN2.html.
5) Then I tried to delete them using KillBox, as described above. Worked after some rebooting and so on.
6) Go to START > RUN, type regedit and be CAREFUL now.
7) Use EDIT > SEARCH, type about:blank and DELETE (left mouse, DELETE) all entries containing that value (use SEARCH AGAIN until finished).
Possibly you are finished now. It took me about 6 hours, but I don't know much about that stuff.
PS: Could not use the second method stated above, because I could not find the folder BHO.HelperObject.
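Added example, not from any post in this thread: the Reglite/AppInit_DLLs procedure and the last post's "search the registry for about:blank" step can both be done offline against a regedit export instead of clicking through the live registry. The script below parses a `.reg` file (the format `regedit /e dump.reg` writes) and reports the three indicators the thread turns on: a populated AppInit_DLLs value, IE start/search pages set to about:blank, and Browser Helper Objects with the CLSID resolved to its InprocServer32 DLL. The SAMPLE_EXPORT, its DLL names and the CLSID are constructed for the example; the key paths are the real ones.

```python
"""Offline triage of a regedit export (.reg) for about:blank hijacker indicators.
Added example; SAMPLE_EXPORT and the DLL names / CLSID in it are made up."""
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed sample of what an export from an infected Win2K box could contain.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\qlxmzc.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"=hex(2):61,00,62,00,6f,00,75,00,74,00,3a,00,62,00,6c,00,\
  61,00,6e,00,6b,00,00,00
"Window Title"="Microsoft Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A1B2C3D-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{0A1B2C3D-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINNT\\system32\\wvtrpk.dll"
"ThreadingModel"="Apartment"
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _store_hex(values, name, tag, chunks):
    raw = bytes.fromhex("".join(chunks).replace(",", ""))
    # hex(2) = REG_EXPAND_SZ, hex(7) = REG_MULTI_SZ; v5 exports encode both as UTF-16LE
    values[name] = raw.decode("utf-16-le").rstrip("\x00") if tag in (2, 7) else raw


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} ("" is the (Default) value).
    Handles "string", dword: and hex(n): values, including hex data that
    regedit continues over backslash-terminated lines."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending:  # continuation of a multi-line hex value
            pending[2].append(line.rstrip("\\"))
            if not line.endswith("\\"):
                _store_hex(keys[current], *pending)
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            hm = _HEX_RE.match(data)
            if hm:
                tag, body = int(hm.group(1) or 3), hm.group(2).strip()
                if body.endswith("\\"):
                    pending = (name, tag, [body.rstrip("\\")])
                else:
                    _store_hex(keys[current], name, tag, [body])
    return keys


def find_hijack_indicators(keys):
    """Return (indicator, key, detail) tuples for the three symptoms in the thread."""
    findings = []
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs")
    if appinit:
        # A DLL listed here is loaded into every process that loads user32.dll,
        # which is how the hijacker survives cleanup and re-creates its shortcuts.
        findings.append(("appinit_dll", APPINIT_KEY, str(appinit)))
    for key, values in keys.items():
        for name, data in values.items():
            if isinstance(data, str) and "about:blank" in data.lower():
                # about:blank by itself is a legitimate IE setting; treat it as
                # suspicious only together with the AppInit_DLLs or BHO findings.
                findings.append(("about_blank", key, f'{name or "(Default)"}={data}'))
    prefix = BHO_KEY.lower() + "\\"
    for key in keys:
        if key.lower().startswith(prefix):
            clsid = key[len(prefix):]
            server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
            findings.append(("bho", key, clsid + " -> " + str(server.get("", "(no InprocServer32)"))))
    return findings


def triage(text):
    return find_hijack_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for kind, key, detail in triage(SAMPLE_EXPORT):
        print(f"[{kind}] {key}\n    {detail}")
```

Run it against a real export with `triage(open("dump.reg", encoding="utf-16").read())`; `regedit /e` on Windows 2000 writes the whole registry in the version 5.00 format the parser expects. The script only reports: deleting the DLL still needs the rename-key/clear-value trick or a delete-on-reboot tool as described above, because the DLL is mapped into every running GUI process. On Windows 2000 there is no LoadAppInit_DLLs switch (that arrived with Vista), so any non-empty AppInit_DLLs value on that platform is loaded unconditionally.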