Hijacked - about blank!!!!!!! HELP NEEDED URGENTLY!!!!

sammy

My homepage has been "seriously" hijacked and I can't do anything to stop
"about blank" being the start page.

It kept changing to these unknown sites and after a lot of scanning both
with the virus scanner / adaware /spybot, I was able to delete loads of the
rubbish. However, it now reverts to "about blank" with adverts on the page.
I have tried to use the vbs file from Kelly's site, which unlocks the
Homepage and allows me to set my homepage but within seconds "about blank"
comes to be the start page again. I unlock, set my startpage and then lock
it but no success. I have tried using nohomepage set from Dougx but also no
success.
I have now installed startpage guard and every 2 minutes or so, I get a
message the homepage is being changed - to which I have to click revert to
old -.

Any advice on how to spot the evil file causing this problem will be
appreciated.

Virus scanner, Adaware, Spybot search & destroy are all reporting nothing
strange. They are all updated!!!!!

Pleeaaaaaaaaaaaaaaaseeee.
 
Guest

Does startpage guard show you a location and name of the .dll that is
changing your homepage?
 
Jan Il

Hi sammy :)

What you have is a nasty hijacker, and none of the programs including your
AV are programmed to detect or remove this kind of scumware.

Here is what you need to do. Even if you have already run some programs,
run them again according to the instructions in the information below to
thoroughly clean your system. Some variants of malware can replicate themselves
and return repeatedly if not cleaned properly. It is best to read through
all the information before you start to know beforehand what you need to do
and how. Follow all instructions to the letter as much as possible. Read all
instructions through to make sure you understand them and have all the
programs downloaded and installed before starting.

WARNING>>>> Backup all documents and files before removing any spyware!!

First, Go to Start>Run and type CMD
In the command window type
netsh winsock reset

Run all the programs below in Safe Mode with Hidden Files enabled:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm

Most importantly, be sure to run CWShredder here
http://www.majorgeeks.com/download3019.html
and this program, which searches for hidden .dlls that recreate the malware.
About Buster:
http://www.majorgeeks.com/download4289.html
Then visit these two sites to test for parasites and help basic cleaning:
On-Line Check
http://aumha.org/a/noads.htm
and
Quick-Fix Protocol.
http://aumha.org/a/quickfix.php
Basically, throw everything here at your "infection".

Also download and install HiJackThis -

How to download and install HiJackThis:
http://www.bleepingcomputer.com/forums/topict309.html

Please DO NOT post your log to this newsgroup. It is important that you go
to one of the HiJackThis Support Forums below and allow the experts there
to analyze it for you:
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30
or Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums. Please
follow all posting instructions carefully to avoid having your log deleted
or ignored.)

Also, please post a link where you post your HJT log back here in this
thread so that we can follow your progress there.

CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

You should also get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also….. From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)
or Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip

Hope this helps :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Guest

I feel your pain Sammy. I just spent the last 2 days recovering from the
same problems. I wish I read Jan's note below-would have saved time. I used
HijackThis as Jan suggested, but I just picked through what it found and
deleted anything suspicious. I also ran Spy Doctor, and I updated my Norton
AV. I also made sure I had ALL the latest Win XP updates. It all worked in
the end, but now I have some trouble with IE. From all the Win XP updates, I got
IE 6.0.29 from SP2. Either the new IE has problems, or I deleted something
from HijackThis or Spy Doctor I should not have. Now IE won't display
certain Ads or embedded pages. I can live with this vs. where I was. Good
luck. Maybe Jan will give me some clues so I can get IE back to normal.
--djs
 
Jan Il

Hi Doug :)

Removing some types of scumware can leave damaged Winsock keys in the
Registry. Some types of warez use the Layered Service Providers (LSP),
which are little bits of software that can be added or inserted into the
Winsocks. Outward bound data from your computer to a legitimate destination
on the Internet can be intercepted by an LSP and sent somewhere other than
where it is supposed to go.

In order to correct the mis-direction, you should download and run the
programs below that apply to your OS, which should resolve the connection
problem. If you are unable to download these programs from the affected
machine, you can download them from another machine and copy them to a
floppy disk or CD, copy them to the hard drive of your machine, then install
and run them.

LSPFix
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

and..

Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip
WinsockXP Fix for XP
http://www.spychecker.com/program/winsockxpfix.html
Also, with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm

also...

Additional LSP Information:
http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci213375,00.html
http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci213376,00.html
http://computercops.biz/LSPs.html
(scroll down the list to the lsp.dll files here)

If this does not resolve the problems, then you should do a repair of IE as
there may be system files that have been damaged or removed during the
cleaning process:

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows
XP
http://support.microsoft.com/kb/318378/EN-US/
Be sure to visit Windows Update site and let it scan for all needed updates
and service packs afterward.

Hope this helps :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
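
The Layered Service Provider mechanism described in the post above can be reviewed by listing the Winsock catalog on systems where the `netsh winsock` context is available. The following is an added example, not part of the original thread or of any tool named in it: it parses a listing in the style of `netsh winsock show catalog` and flags entries worth a manual look. The sample listing, the DLL name `example_lsp.dll` and the function names are constructed for illustration, and the field layout is an assumption.

```python
# Constructed sample modelled on `netsh winsock show catalog` output (fields trimmed).
# The second entry, its DLL name and its description are made up for illustration.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Service Provider
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\WINDOWS\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
"""

# Heuristic only: legitimate LSPs exist, and a DLL inside system32 is not
# automatically trustworthy. A flag means "look at this", not "delete this".
TRUSTED_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_catalog(text):
    """Return one dict of field -> value per catalog entry in the listing."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries


def review_entry(entry):
    """Return the reasons an entry deserves a manual look (empty list = none)."""
    reasons = []
    if not entry.get("Provider Path", "").lower().startswith(TRUSTED_PREFIXES):
        reasons.append("provider DLL outside system32")
    # Chain length 1 is a base provider; 0 (layered) or >1 (chain) involves an LSP.
    if entry.get("Protocol Chain Length") != "1":
        reasons.append("layered provider or protocol chain")
    return reasons


def flagged(text):
    """List (catalog entry id, provider path, reasons) for entries with findings."""
    return [(e.get("Catalog Entry ID"), e.get("Provider Path"), review_entry(e))
            for e in parse_catalog(text) if review_entry(e)]


if __name__ == "__main__":
    for entry_id, path, reasons in flagged(SAMPLE):
        print(entry_id, path, "; ".join(reasons))
```

Saving the listing before and after a cleanup run and comparing the flagged entries shows whether a provider was removed from the chain or is still registered.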
 
sammy

Thanks a lot for the advice.
It looks pretty good. I am making all the necessary time available before
starting this (obviously with other projects busy). I will report progress
as soon as I start the "war".
gr
 
Jan Il

Hi Sammy :)

Very good! I'll keep watch on this thread. If you need help just post back
here. Also, please post a link to the forum where you post your Hijackthis
log so we can follow your progress there as well. :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
 
sammy

Hi Jan II and all,

Like I said, I will be back with how things have gone. I stayed up last
night to work on this problem.
First of all I run: ALL IN SAFE MODE.
CWShredder - After its work, it reported =====>"Restoring IE Pages - 4
Restored.
File Redirections =====> "None Infected"
Then from the command prompt: netsh winsock reset ==> answer : "not found"
Then run: AboutBuster =====> Removed Data streams.
Then AdAware: all objects found were Quarantined (in case I needed a
restoration)
Then Spybot Search & Destroy ===> problems there, were fixed + pc
Immunized.
I run BHODemon ====> allowed changes in the registry.
And then last but not the least Run HijackThis.
In the log, I found certain strange links which with all confidence I
deleted because I had searched through Google as well for their functions
and appeared related to trojans. I saved the log on diskette for onward
transmission to the hijack forum.

I restarted pc, it looked quite stable despite the deletes + quarantines so
went directly for Windows Updates and then restarted again. Still no sign
of a fightback from the "about blank". I went for an online scan and came
clean there too. I have been jumping from site to site (not for fun) but to
make sure every page shows nicely without blank pages. So far so good.
A lot of time, but at least no new installation. It has been good and for
that reason, I have not been back to the forum with my log.
Question is, is it still necessary to do that? If yes, I can go ahead.

And so, many many thanks for your help.
I thought there won't be time to go through the list I got with all the
steps to follow.
 
Jan Il

Hi sammy :)

You're very welcome! Glad to hear you were able to resolve your problem.
Good job!

At first it can seem a pretty daunting task, but, after the first round or
so you sort of get the feel of it. Like learning to drive a stick shift
car. <g>

Yes indeed, please do follow through with the HJT log at the forum, as some
forms of malware can be difficult to sort out, and some residual files can
actually replicate the malware over and over if not fully removed from the
hard drive. So, to be sure you are totally cleaned, follow up with the
forum and let the experts there determine if there are any hidden spores
still to be removed and how to do so if necessary.

If you would, you might post a link to the forum where you posted your log
back to this thread and we can follow your progress there as well.

Thank you for posting back and letting us know what worked for you, and for
the benefit of other readers who might have a similar problem. :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
 
sammy

I will send it and you will be informed.

gr.

 
Guest

Just wanted to know are you all running windows xp....I am running windows
2000 and today I found the about: blank spyware and have run everything I
know...will your suggestions work on Windows 2000?
 
Jan Il

Hi Jadel :)

Yes, the software is programmed to be used on Windows 2000 as well as other
versions. :)

Hope this helps :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Guest

Hello Jan Il,
I've been going to Start, Run and typing CMD...in the command field, I've
been typing netsh winsock reset. I am receiving a message that my windows
2000 does not recognize this command...what should I do? I have not tried
the other programs.

Thanks,
 
Jan Il

Hi Jadel :)

In the part of the information below as posted for the OP in my first reply,
in the (Note:...) it specifies that it is only if you have XP SP2. That is
why it is not working on your Windows 2000, so you can ignore it. :)

WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also... From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)

Hope this helps :)

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 