PC Review
Forums
Newsgroups
Microsoft AntiSpyware
Spyware Discussion
about:blank
#1 |
|
Guest
Posts: n/a
|
I don't know whether this is (or could be) unique to my computer, but this "about:blank" takes over my homepage. It is a page made to look like a search engine. Three major antispyware programs (including Microsoft Beta 1) cannot stop it. It also takes over pages I visit, usually the most common ones, and so is obviously tracking me well! This makes internet use impossible. It's been reverting as my homepage for months, but the taking over of pages is new in the last few days. I can't get to the ones I need. Browser Restore with Beta 1 has no effect on it; it always reverts as homepage/default browser anyway.

Any ideas what it is/whether it can be dealt with? I am aware that about:blank is unhelpful as an address, but I don't know how else to identify it. Anybody else had this one? Nothing seems to stop it; it also brings a whole host of pop-ups, some of which can't be blocked by multiple pop-up blockers either.
|
|
|
#2 |
|
Guest
Posts: n/a
|
Hi Tom,

about:Blank is a trojan from CWS (CoolWebSearch). There are a few variants, but generally the one you have is the hardest to kill. about:blank operates with hidden files, which makes cleaning this very difficult. As your first steps, run Ad-Aware SE and Spybot S&D:

Spybot S&D: http://ejrs.com/spybot/spybot.exe
Ad-Aware SE: http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

The next program I think you should use is Hijack This: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

This isn't going to be an easy fix. You will have to stop the trojan, then remove all traces of it. Email me if you need any help, or there are others on the forum (Andre & Ron bill & more) who will be glad to assist you if it's needed.

Download and unpack Hijack This to its own folder (either the C: drive or the desktop). Run Hijack This and choose to save a logfile. This will open a text file in Notepad showing all the running programs on your PC, including BHOs, Internet Settings, Downloaded Program Files, Registry run commands, etc. You can post the log results back if you want.
Generally you are looking at the R0 / R1 + O4 entries for any reference to about:blank, se.dll or res://

A typical infection will look like this in Hijack This:

R1 -HKCU\Software\Microsoft\InternetExplorer\Main, SearchBar=res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\User\LOCALS~1\Temp\se.dll,DllInstall

The dll file shown in these lines (in this case it's called xaiyh.dll) is the second problematic file in the about:blank hijack. The key to the hijack is a hidden dll file that is connected to a BHO (Browser Hijack Object). This hidden dll file shows up in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Unfortunately, removing this about:Blank hijacker can be difficult. It's a very persistent problem that can return quickly if it is not removed carefully.

Open My Computer and choose Tools, then click on Folder Options, click on the View tab and, under Advanced Settings, choose Show Hidden Files and Folders, then click on OK and close My Computer. In Windows XP/2000, you may also want to uncheck the options for "Hide extensions for known file types" and "Hide protected operating system files". This will allow you to easily find the dll files to delete them.
Windows XP's search feature is a little different. When searching and you click on 'All files and folders' on the left pane, click on 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Try these 2 about:blank removers first:

Download SpSeHjfix to desktop: http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3236.0;id=288
Download AboutBuster to desktop: http://www.downloads.subratam.org/AboutBuster.zip
Download Ccleaner (to remove temp & unused files): http://download.ccleaner.com/download119bin.asp

Boot into safe mode (tapping F8 on reboot). Disconnect from the net and close ALL OPEN PROGRAMS.

Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

Run About Buster (it will reboot the PC and scan twice).

When it's finished, run Ccleaner to clean up.

Run Hijack This, tick all the related entries and then press Fix checked.

Also, when you reboot into normal mode, open an internet window, go to Tools on the top bar, then Internet Options, then to the Programs tab and press Reset Web Settings. Then run Hijack This again, as the log in safe mode will not show all entries, and check if it's clean.

If not, then here are some manual removal tips:

You need to check to see if any of the following three Windows services are running:

Network Security Service
Workstation Netlogon Service
Remote Procedure Call (RPC) Helper

To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK.

Now, in the Services window that pops up, look for exactly the following service names (no others): "Network Security Service" or "Workstation Netlogon Service" or "Remote Procedure Call (RPC) Helper"

(NOTE: DO NOT DISABLE: Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator.
They are both required services and are unrelated to the hijacker.)

If you find these services, you must right click on each one to bring up the service Properties window and do the following:

Stop the service by clicking the Stop button.
Now, disable it by changing the Startup type to Disabled and click Apply.

If you do not find these exact services, do not worry and just skip this step. DO NOT DISABLE ANYTHING UNLESS THE EXACT WORDING OF THE SERVICE NAMES IS MATCHED.

Download Ccleaner: http://download.ccleaner.com/download119bin.asp

Next: download Hiving.bat to desktop: http://xsorbit26.com/users5/andymanchesta/index.php?action=dlattach;topic=3238.0;id=291

Double click Hiving.bat. This will create a file called windows.txt on the desktop. Open that file to see the .dll. It will look something like this:

regf Pugf hbin nk, ܻ x 0 : T Z Windows sk x x ? ! ? ! ? ? vk : fAppInit_DLLs֍GC : \ W I N D O W S \ S y s t e m 3 2 \ c t l d . d l l h vk UDeviceNotSelectedTimeout1 5 P 9 0 vk ?' zGDIProcessHandleQuota"vk x Spooler2y e s _ h ( X vk ? 5swapdiskvk . TransmissionRetryTimeouth ( X vk ?' 2 USERProcessHandleQuotaS

In this example above you can clearly see the filename \ W I N D O W S \ S y s t e m 3 2 \ c t l d . d l l, so what's needed now is to kill that file (plus the file in the hijack log under R0 or R1, which will typically be in the Windows system folder:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126

then fix all the about blank entries in Hijack This). The best way to kill the above files is by using Killbox. There's probably a temp file involved as well, and this is where Hijack This comes in handy. You need to look for a file similar to this:

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\User\LOCALS~1\Temp\se.dll,DllInstall

If you have problems with this, post the log. If you do find it, carry on with this:

Killbox: http://www.atribune.org/downloads/KillBox.exe

Once you know the filenames involved, you can copy them and paste them into Killbox for deleting. With the files shown above, to delete them I would do the following.

Copy these 3 lines:

C:\DOCUME~1\User\LOCALS~1\Temp\se.dll
C:\WINDOWS\System32\ctld.dll
C:\WINDOWS\system32\xaiyh.dll

Now run Killbox, click File and from the dropdown list choose Paste from Clipboard. This should enter all filenames into Killbox.

Next, check the Delete on Reboot checkbox and the Use Dummy checkbox directly below it. Make sure all other windows are closed and any projects you are working on are saved, then click the red circle with the white x. Reboot.

Run Ccleaner, reset web settings and check Hijack This to see if it's killed.

If you need help, let me know. Hopefully the 2 removers will remove this if it's the about blank trojan. Checking the Hijack This log, though, would confirm what the problem is.

Regards
Andy
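The log reading described in post #2 (R0/R1 values that point at a res:// page inside a DLL or at about:blank, and O4 Run entries that load a DLL from a Temp folder through rundll32) can be scripted. This is an added example, not part of the original post or of Hijack This; the function names and the two benign sample lines are constructed for illustration.

```python
import re

# Constructed sample: HijackThis lines in the shape quoted in post #2,
# plus two ordinary entries that should not be flagged.
SAMPLE_LOG = r"""
R1 -HKCU\Software\Microsoft\InternetExplorer\Main, SearchBar=res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\User\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY = re.compile(r"^(R[01]|O4)\s*-\s*(.+)$")
RES_DLL = re.compile(r"res://(.+?\.dll)", re.I)                # page served from inside a DLL
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(.+?\.dll)", re.I)  # DLL loaded at logon

def triage(log_text):
    """Return (section, reason, dll_path_or_None) for entries the post says to look at."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section != "O4":
            value = body.partition("=")[2].strip()
            dll = RES_DLL.search(value)
            if dll:
                findings.append((section, "res:// page inside a DLL", dll.group(1)))
            elif value.lower() == "about:blank":
                findings.append((section, "about:blank value", None))
        else:
            dll = RUNDLL.search(body)
            if dll and "\\temp\\" in dll.group(1).lower():
                findings.append((section, "rundll32 from a Temp folder", dll.group(1)))
    return findings

def files_to_review(findings):
    """Unique DLL paths named by the findings, compared case-insensitively."""
    seen, paths = set(), []
    for _, _, path in findings:
        if path and path.lower() not in seen:
            seen.add(path.lower())
            paths.append(path)
    return paths

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The paths it returns are candidates to inspect, not a verdict; the hidden AppInit_DLLs file the post describes does not appear in these log sections at all.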
|
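The spaced-out filename in the windows.txt dump quoted in post #2 is the AppInit_DLLs data stored as UTF-16LE, one NUL byte after each character. The added example below (not part of the original post and not the Hiving.bat tool) pulls such paths out of raw hive bytes with a heuristic scan rather than a real regf parser; the function name is hypothetical and both byte strings are constructed, assuming the data sits shortly after the value name as it does in the dump.

```python
import re

NAME = b"AppInit_DLLs"
# UTF-16LE text: a printable ASCII byte followed by NUL, at least 4 characters.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# AppInit_DLLs entries are separated by spaces or commas.
DLL_PATH = re.compile(r"(?:[A-Za-z]:)?\\[^,;\s]*\.dll", re.I)

def appinit_dlls(hive_bytes, window=256):
    """Heuristic: DLL paths stored as UTF-16LE within `window` bytes after the value name."""
    paths = []
    start = 0
    while (pos := hive_bytes.find(NAME, start)) != -1:
        start = pos + len(NAME)
        chunk = hive_bytes[start:start + window]
        for run in UTF16_RUN.finditer(chunk):
            text = run.group().decode("utf-16-le")
            # A stray printable byte can glue onto the front of the run
            # (the "GC :" in the dump), so match the path inside the text.
            paths.extend(DLL_PATH.findall(text))
    return paths

def _value(name, data_text, junk=b""):
    """Build a constructed, simplified 'vk'-style fragment for the samples."""
    return b"vk\x0c\x00" + name + junk + data_text.encode("utf-16-le") + b"\x00\x00"

# Constructed sample resembling the infected dump in the post.
INFECTED_HIVE = (
    b"regf" + b"\x00" * 8 + b"hbin"
    + _value(NAME, r"C:\WINDOWS\System32\ctld.dll", junk=b"\xd6\x8dG\x00")
    + _value(b"DeviceNotSelectedTimeout", "15")
    + _value(b"Spooler", "yes")
)

# Constructed sample with an empty AppInit_DLLs value.
CLEAN_HIVE = (
    b"regf" + b"\x00" * 8 + b"hbin"
    + _value(NAME, "", junk=b"\x00\x00")
    + _value(b"DeviceNotSelectedTimeout", "15")
    + _value(b"Spooler", "yes")
)

if __name__ == "__main__":
    print(appinit_dlls(INFECTED_HIVE))
    print(appinit_dlls(CLEAN_HIVE))
```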
|
|
#3 |
|
Guest
Posts: n/a
|
AndyManchesta wrote:

Good post Andy, only this gave me a giggle...

> The key to the hijack is a hidden dll file that is
> connected to a BHO (Browser Hijack Object).

....

I think you'll find BHO stands for "Browser Helper Object". Your version is entirely apt in this case, however. ;-)

--
Regards, Steve Moss, CoCo Systems Ltd.
|
|
|
#4 |
|
Guest
Posts: n/a
|
Thanks very much for the advice Andy. I know very little about how to deal with this kind of thing on a computer, I'll try out your suggestions now. The explanation was very much appreciated.

Regards, Tom
|
|
|
#5 |
|
Guest
Posts: n/a
|
I know what it stands for, Steve. It was just a bit of wordplay, as it doesn't help much. Thanks for pointing that out; I should really have put the correct meaning.

Regards
AndyManchesta ;o)
|
|
|
#6 |
|
Guest
Posts: n/a
|
No problems Tom, hope it helps. If you have the about:blank trojan then it's a nasty one, but see how you get on and let me know if I can help more. As Steve said, BHO is Helper not Hijack, but I just thought I'd throw that bit in. I should have made it clearer it wasn't the correct meaning.

All the best
AndyManc UK
|