About.Blank ? [Archive] - Glock Talk

PDA

View Full Version : About.Blank ?


Nolyn
01-26-2005, 12:25
I've got some spyware type gizmo that keeps replacing my start page with a pseudo search engine results page entitled about.blank. This also throws up a pop-up ad trying to persuade me to buy some software to fix the problem it created.

I run the latest version of Adaware, but it makes no difference. I also seen in another thread that MS have a product that will fix this anoyance. However, when I go to the MS site the about.blank page pops up and will not let me access MS site. I'm running on ME, so even if I did get on to MS the program would not run on my system.

Anyone know how to get rig of this thing by accessing/deleting files on my computer ?

NetNinja
01-26-2005, 12:36
Oh boy! If you can't access the internet to download any tools you are in trouble unless you can get a buddy to download some tools for you and burn them to a CDrom and install them.

Did you read the sticky on the top of this forum?

Adaware is not the only tool to use.

pyblood
01-26-2005, 13:10
Go to add/remove programs, and remove any programs that you don't recognize.
Go to start - run - msconfig and uncheck and unrecognized programs that are running.
Make sure that your spyware program is up to date with the latest defs. Run again. If you can get to downloads.com get spybot, update it and run it too.

Nolyn
01-26-2005, 14:28
This thing is getting worse, pops up all the time now.

I found some solutions on the internet - on the Ad-Aware site forum for one. These require starting the computer in safe mode, but it won't allow me to do that either.

If I find a better solution I'll post it, in the meantime, here is the one I found
-----------------

pyblood
01-26-2005, 14:31
Make sure that your adaware is it's updates before running in safe mode, because you can't update in safe mode. Safe mode is the best way to remove spyware. Also, make sure install spybot and update it as well. Run adaware, and then run spybot. You should be pretty clean after that.

Washington,D.C.
01-26-2005, 15:12
Download the free version of A-Squared and get updates then run it http://www.emsisoft.com/en/software/free/

Washington,D.C.
01-26-2005, 15:15
From Microsoft http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

Washington,D.C.
01-26-2005, 15:19
Yahoo toolbar with anti spyware works very well http://messages.yahoo.com/bbs?action=l&board=&tid=antispy&sid=394500001&mid=100000

Nolyn
01-26-2005, 15:31
Here is what I found on the Ad-Aware web site forums. Meant to post earlier, but it didn't work.

I am unable to start in safe mode - more trouble.

If I find out who created this they will be worm food !
===========================================================
First, download About:Buster from here. Unzip (extract) the zip file....


Make sure you are connected to the internet still.....

At the first prompt, hit OK. Click 'Update'. A new screen should popup. On that screen hit 'Check for Updates'. If an update is found, then click 'Download Updates' and then once it has done, exit the program. If it doesn't find any update it will automatically tell you and exit. Either way, the program needs to be exited.

Now, boot into safe mode. Instructions on how to do so are at :

http://www.computerhope.com/issues/chsafe.htm

Once in safe mode, Run HijackThis again, close all open windows, put a checkmark next to the following, and press "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C92DA44F-9FD6-9036-5C2C-BBF7930B7BA8} - C:\WINDOWS\system32\atlsj.dll
O4 - HKCU\..\Run: [Ndxbii] C:\WINDOWS\System32\d?dplay.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\sdksd.exe

Still in safe mode;

Delete these files:

C:\WINDOWS\sdksd.exe
C:\WINDOWS\system32\gfhrn.dll

Now, still in safe mode, launch AboutBuster(.exe) you had earlier downloaded.

At the first prompt, hit OK. Now, to scan....Hit 'start' and then 'Ok'. The program should start scanning. (Note: if you receive any prompts about 'terminating explorer.exe', please let it do so - answer YES). Leave it scanning and then restart the computer.

You'll be back into normal 'Windows' mode. Re-run HijackThis and post a new logfile from it.

Washington,D.C.
01-26-2005, 15:49
http://www.softaward.com/8449.html

modgun
01-26-2005, 16:03
This is a bad one, Ive worked on it a few times lately. This is not a simple remove. You need to download and run a program called hijackthis. Remove the offending things (if you do not understand the scan report, post it somewhere that people can tell you what to remove) then there is more to it. You need to clean out certain system folders, like system32, I dont remember all the details.

Start with hijackthis.

Sgt. Schultz
01-26-2005, 20:48
If you are running Windows ME you must disable System Restore completely because the malware will be in the Restore Points. HijackThis is an excellent tool to discover and disable hijackers. A combination of HijackThis and about:Buster works well in removing the about:Blank homepage hijacker.

Nolyn
01-26-2005, 22:42
thanks to all for the input

Nolyn
01-26-2005, 22:53
It seems like everytime I access one of these spymare tool sites the proram on my computer hijacks the browser and takes me to 'spyware doctor' page, or a phoney search engine results page that takes me to 'Stopzilla'

Looks like whoever wrote this program is affiliated with Stopzilla and/or 'spyware doctor'

Looks like a job for our friends at the FBI

Washington,D.C.
01-26-2005, 23:00
See if you can install another browser http://www.mozilla.org/products/firefox/ and CCleaner is one of the best utilities for Windows ME http://www.ccleaner.com

podwich
01-28-2005, 17:26
Did you ever get it fixed? My brother got the same thing on his computer and has yet to figure it out.

Nolyn
01-28-2005, 17:45
No solution here yet.

This thing has built in protection and won't let me access sites that may have a solution. It also won't allow me to start my computer in safe mode.

I reported it to the FBI Internet Fraud department. I recommend that everyone report it, then they will track down who is responsible. If you click on the link that pops up telling you that you have an infection it takes you to Stopzilla.com, so I figure that these people must be the people behind it.

All I can do is wait for AVG, Ad-Aware, or Spybot to come up with a solution. If it gets worse before they find a fix I will just have to rebuild the computer HD from scratch.

If anyone knows more please let me know.

HandyMan Hugh
01-28-2005, 18:13
There is hope! I had the same "About Blank" infestation in my computer. A friend of mine who works in IT at a credit union was able to install a couple of programs that finally ferreted out the offending software. The browser hijacker apparently has some intelligence to it and was adapting to some of my tactics to get around it. It was getting quite agressive. SpyBot is one of the routines my friend installed, along with AVG (an anti-virus program), and Spyware Blaster. I already had a Microsoft anti spyware program (in Beta Test) and Spyware Vanisher. Between all of these we finally managed to rid my machine of its problems.

I'd like to be able to spend 10 minutes alone in a room with the writer of the "About Blank" routines. He should be handcuffed, and I should have a baseball bat!:soap: :soap: :soap:

modgun
01-28-2005, 18:24
Did you run "hijackthis"?

podwich
01-28-2005, 23:31
I talked my brother through some stuff over the phone. I had him run NAV, AdAware, SpyBot S&D, CWShredder and HijackThis! (new defs on everything). I ran the programs in safe mode after being unsuccessful in normal mode.

NAV found nothing, AdAware found stuff related to CWS (which we then had it delete), CWShredder didn't fix it, and Spybot was also unsuccessful.

Interestingly, the first time starting IE after trying to remove it, IE would start normally. The second time it'd be back to the about:blank.

We haven't figured it out yet. It's likely he'll end up erasing everything and starting over.

HijackThis!'s log is attached.

modgun
01-29-2005, 01:44
podwich:

C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe

Just to start, this is a problem.
One is a true system file, one is the about:blank.

Sgt. Schultz
01-29-2005, 08:53
rundll32.exe is also a process which is registered as the W32.Miroot.Worm.


This is probably not the answer you are looking for but the only sure way to eradicate a trojan or worm is to do a clean re-installation of your operating system. And while I'm on the subject of OS's you should replace Windows ME ... It's been a problem child ever since its introduction.

Blaster
01-29-2005, 13:16
I just got bitten by this problem last night. This is the second time now that this has happened. The first time I was forced to reload everthing to fix the problem. Looks like I'm going to have to reload again!

Apparently this only happens if you use IE so I'm now no longer using IE except for when I have to on my work intranet.

Today I purchased one of those programs that claims to clean this problem. It did not work! Don't bother with "Spyware Doctor" save the $29.95.

Also if you haven't noticed the web page "about:Blank" seams to be resident on my computer because no internet connection is required to bring it up.

modgun
01-29-2005, 17:46
Firefox

You will love it.

neeko
01-29-2005, 17:59
Stop using IE

podwich
01-30-2005, 01:45
Originally posted by modgun
podwich:

C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe

Just to start, this is a problem.
One is a true system file, one is the about:blank.

Thanks, I'll tell him.

Nolyn
01-30-2005, 10:44
Here is an easy fix - it works, and it's free.

AdwareAway.com

I ran the specific hijacker application for about:blank in this program, and within 2 minutes I was clean. Just hope it stays that way too.

This program is free for 5 days, then you need to buy a license ($30).

Steer clear of spyware doctor - lots of complaints about these people (rip-off)

Nolyn
01-31-2005, 09:57
Just an update

I'm still running clear

Adware Away is the only product that worked against about:blank. I had to run the program several times - they recommend cleaning, then re-start and clean again. I actually performed it 3 times just to be sure.

No guarantee that it won't come back in a few days, but I'm hoping....

Blaster
01-31-2005, 11:57
Originally posted by Nolyn
Just an update

I'm still running clear



Your lucky nothing worked for me. I had to re-image my hard drive. Now I'm using Firefox and loving it.

Tvov
01-31-2005, 18:07
One more thing to try...

Try using your basic "search" function. Look for the whole name and variations of the name as files. Sometimes this brings up interesting results.