iq454 (posted September 9, 2004)
Hey, I found the main programs. They're called "Serach Extender", "ShoppingWizard" and "Home Search Assistant"; go remove them in your Add/Remove Programs. If you've done the procedure I just explained, then it won't find them and it will leave the garbage there; you need something like Tweak XP to delete the entry. They are harmless now though, as the main threat is taken care of.
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/SearchExtender.html
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/ShoppingWizard.html
rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/HomeSearchAssistant.html
Maybe it was hooked into the url.dll? Maybe someone from BHO can examine how I defeated it, so we can know what exactly was the main program and how it replicated and why.
iq454 (posted September 9, 2004)
Or, you can go to the registry and delete the entries. Open Start, Run and type in regedit. Be careful here; it's not to be messed with. If you get confused, just use Tweak XP or something.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Scroll the list to find "Serach Extender", "ShoppingWizard" and "Home Search Assistant", then right-click that folder and delete. Hijack has been destroyed. Mission accomplished. Game over. End of line.
ozonedman (posted September 9, 2004)
Didn't go through your way; I found it differently. I happened to remember the original name I started deleting, AND the creation date. After a couple of frustrating hours, I searched by the DATE and found the original filename in the \restore\temp directory (WinMe) with an extension of .o, along with a couple of other files on the drive from that date (7/24/2004). Not sure yet what else was interconnected, but this seems to have killed it. Incidentally, two days ago I cleaned one that actually loaded in Safe Mode in XP! Couldn't be deleted. Had to boot from the Winternals CD (not cheap), attach to the installed XP, and delete the file. Worked like a charm.
iq454 (posted September 9, 2004)
Cool, funny that; that was the way I was doing it originally. But I found that I had more files than just one ("I had over 90 files to delete"), so I thought to order them by date. But because I had forgotten when I got this, and all those DLLs that I deleted a few weeks ago, I would be looking for files I had no idea when they were created, so I couldn't order by date. The new files I could keep track of were created at the same time (because I saw them created on the fly), but what's funny is, their dates didn't match, so I wasn't sure if they were part of the hijack, as the programmer probably thought of this too. So I did it by file size, because this is what I knew for certain.
a1_andy (posted September 9, 2004)
A Windows XP/2000 restore point fixes it. There's D:\I386\winnt32.exe /cmdcons for those peeps that don't have a good restore point. I'll try and use IQ454's file size fix for the Win98 boxes I get today. If the fix doesn't work I'll be going back to the delete partition, format (Windows reinstall) fix that does work. I'm not used to being stumped like this; normally there is always a fix for crap like this (but this one's different so far). One thing I can say is it's been making us computer techs lots of work, but I never feel good reformatting a customer's computer. I'd prefer to remove the culprit(s) instead. I'm hoping that IQ454's fix works on all the computers I come across today so we can put this About:Blank hijack to rest. Is there a name for this one yet? Is it spyware, adware, a virus or a pest, or all of the above?
ozonedman (posted September 9, 2004)
Yep, RC probably would have worked; it was in the system32 directory. I just had Winternals sitting here next to me, as I use it regularly enough. Struck me as interesting: I take this crap out of systems daily, and this is the first one that I've seen that loads in Safe Mode. Part of the ease (for lack of a better term) of taking out crapware HAS been the fact of recognizing more recent dates in the files; I've only seen a couple using older dates. When the scumbags get smarter and put old file dates... then the job gets harder.
ozonedman (posted September 9, 2004)
Originally posted by a1_andy: "One thing I can say is it's been making us computer techs lots of work, but I never feel good reformatting a customer's computer. I'd prefer to remove the culprit(s) instead."
So would I; formatting is a last resort most of the time. Lately, though, the crap has been getting smarter, and it's getting personal. Damned if I'll let them get the best of me.
a1_andy (posted September 10, 2004)
So far so good: 3 out of 4 Win98 boxes fixed ain't bad. The 4th one was truly infested. One thing that I did find that IQ454 may not have had or noticed is that launching "Notepad.exe" would create the problem all over again. Notepad seemed to be infested. So as well as IQ454's method, I delete all the notepad.exe programs I can find and replace them with a good one. And instead of deleting the files right away, I move them to a new folder (just in case it's a real OS/program file). I also remove the hard drive after removing the registry entries, then do the file matching and moving with the HD as a slave in another box, Win2K. Thanks IQ454, it's beat (for now, I think).
a1_andy (posted September 10, 2004)
Oh, and seeing as Notepad.exe was recreating this hijack on launch, this hijack should be classified as a virus, also because it recreates itself when improperly removed. In my opinion. I think I'm going to make my notepad.exe in both my Windows folder and system32 folder "read only" and see if this hijack can still infest me. Something to do this weekend. I wonder...
a1_andy (posted September 10, 2004)
Update... LOL. Either the hijack is gone (off the net) or changing the 2 notepad.exe's to read-only prevents the hijack from even taking place. I surfed all the smut that I could think of in the last hours with no popup blocker or firewall (getting hundreds of popups) and blindly clicking away on all the links I could find. Then as I'm closing up the IE windows I notice several small boxes in the top left of my screen, blank; I couldn't expand them or view their properties/contents. Then the header changes to "syntax error". LOL. I'm gonna try all weekend to get this hijack again to see if this is a real way of blocking hijacks and adware from being installed without permission. Wouldn't it be nice if this was the be-all and end-all of fixes for this problem? In all my adware scans I found nothing but cookies; surely I should have got some adware by now? I'm gonna keep trying, and I'd enjoy some feedback on this. Maybe name some sites for me that will surely give me some adware, spyware and/or hijacks? Know of any? WinXP SP1
iq454 (posted September 10, 2004)
Ahhhhh, so that's why when I used Notepad it would close down the pad I was reading or using at the time. Good call Andy. How did you figure that one out? Can you post me a HijackThis log from the 4th machine?
a1_andy (posted September 10, 2004)
Aww, I guess so, but I didn't use HijackThis. I just read your instructions and noticed that Notepad was creating the original hijack files. But I'll go into the office on Saturday and run it for you. That's the least I could do for you. Thanks again.
iq454 (posted September 10, 2004)
No probs. I need you to run it so I can check the log to see if I can run you through it so we don't have to format their machine. It's just easier for me to read the log rather than post back and forth on theories. IQ
iq454 (posted September 11, 2004)
Ahh sorry, I missed your update. Okay, so then you fixed machine 4? Never mind about the log then. Although I'm sure it would be an ActiveX control that's the cause, and then maybe it created a hybrid for Notepad to send info off, which isn't really infected, because I found one file that was write protected, "jlkopi.log". It seems that the main OCX file created DLLs and DATs first off, and if any one of those files got deleted and we missed one, because all files are exactly the same thing even though the extensions were different (because I checked the JavaScripts), it was still the same file, just many variations of it. And Notepad might have been infected to enable it to plant a log file for feedback on everything that was happening on the system and to the files it created. Now that log file would've created a hybrid link which talks to Notepad every time it's open to record info for the log, and when you hit the net it sends the info back to the creator, and the hybrid change will happen every time you hit the net or change its routine files; it will enable it to tell the main DLL to do the redirecting. And if all were deleted and the OCX was left, then that OCX would've created alternate files of different sizes with random names, sort of like a stage 2 infection.
So, stage 1: OCX creates DLL and DATs, DATs get deleted.
Stage 2: OCX creates DLL. DLL gets deleted, OCX creates new DLL, and EXEs to match. DLL gets deleted, EXEs can't find active DLL, EXEs tell OCX that DLL can't be found, OCX then creates a new DLL with another random name, and EXEs to match. OCX finally gets found and deleted, DLL can't find OCX and creates more EXEs of itself in case it's found, EXEs recreate OCX in case both are found, DLL gets deleted, EXEs create another DLL, EXEs get deleted, DLL creates more EXEs with another DLL that deletes itself. Restarts stage 2 with new instructions.
OCX creates DLLs and EXEs with different file names and splits the files into smaller pieces, changing the file size also. And ends there. Then starts all over again if any are left behind. Either of the files left behind (which have all got the same instructions) will create what it needs again to start the process all over. Log file's link to the main OCX, DAT, DLL, EXEs has been severed, Notepad's link to log file has been severed, log file goes ape shit and creates more DLLs with random names but always the same size from now on, DLLs get deleted, BHO turns the DLL off, OCX can't find DLL, OCX creates new DLL, and so on and so forth...
Stage 1: dat = 56kB x 1, dll x 1, dll (deleted itself) = 19kB = 94kB
Stage 2: exe = 32kB x 3 = 96kB... exes are write protected.
exe = 32kB x 1, dll = 64kB = 96kB... exe and dll are write protected.
txt = 96kB... txt is write protected.
dll = 96kB... dll is write protected.
ocx = 96kB... ocx is write protected.
Main point? The OCX created 2 versions of itself in the beginning, then once that version was found and defeated, it would then create another 6 versions of itself. Even though they are different extensions and different file sizes, they're still the exact same file combined.
iq454 (posted September 11, 2004)
Edit: corrections... "write protected".
oasis (posted September 17, 2004)
I tried to solve the problem with the hijacked about:blank homepage as follows (Windows ME): I located the .dll files with SpywareGuard or BHO Demon 2.0. In my case: C:\windows\bruhh.dll/sp.htm#29126. The size of the file was 91kB. I opened the file with Notepad in Windows Explorer. I looked for more .dll files of the same size in the Windows folder and system folder. I found more than 10 of them under the names tdfva.dll, addgn.dll, addgn.dll, apiix.dll, sdkyq.dll, taddwq.dll, syzda.dll, ntpt32.dll, javacp32.dll, netaf32.dll, javaxo32.dll, netan.dll, apicz32.dll, cryk32.dll. I opened them all with Notepad. I found out that the content of all the files is the same as the content of the detected file bruhh.dll. I deleted the content of the files one after the other and saved the changes (under their original names). So all the mentioned .dll files are now empty (and harmless) files in the Windows and system folders. Since then I have had no problems.
relmanz2000 (posted September 30, 2004)
iq454, you are an utter GENIUS!! I used the "Search for files of 96, 91, 64 and 32 KB" method, then deleted SE, SW and HSA from the Registry, and now my internet connection is restored and zooms along just fine! There aren't enough words to express my thanks to you, so I'll have to come round to your house and prostrate myself at your feet! MUCHAS, MUCHAS GRACIAS! VIELEN DANK!
Chris
Varium et mutabile semper Excel
coryphaena (posted October 27, 2004)
I just spent a miserable three months hammering weekly at the Lavasoft "help" site trying to get rid of the About:Blank hijack. I'm on a Win2K box running SP4, IE6 SP1. Everything they suggested (repeatedly, whether it worked at all or not) did nothing. Or at least nothing permanent. This is what I did to get rid of it, and it seems to work like a champ:
Run AdAware current version and delete all the crap it finds.
Run About:Buster's latest version.
After running the A:B, I rebooted. The boot into Win2K was interrupted by a message box asking me if I wanted to run a .dat. I said no ("cancel"); the machine finished booting and the IE home page was still "About:Blank", but actually blank.
I went to my system32 directory (C:\WINNT\system32) and sorted by file type. I found about 20 .dat files with seemingly random file names, all 6 chars long. I then sorted by file size, and deleted (actually, I just moved them to a new directory first, then deleted after another successful reboot) every .dat that was 91k in size.
Everything is back to normal now, after resetting my home page to the one I wanted. Seems a lot simpler than running HJT! and AB a zillion times, doesn't it? Hope this helps, gang...
c.
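The posts above converge on one manual procedure: iq454 keys on file size because the dates were unreliable, oasis opens each same-size DLL and finds the contents identical to the detected one, coryphaena moves the 91k .dat files aside before deleting, and a1_andy moves suspect files to a folder rather than deleting them outright. The script below is an added example, not code from this thread or any of its posters, that automates that procedure with a content hash: given one known bad file, it finds every byte-identical copy under the given folders whatever its name or extension, can also cluster files by exact size when no seed is known yet, and quarantines hits by moving them under a new suffix so nothing loads them and a mistake can be reversed. It uses only the Python standard library; the folder and file names and the payload it builds for the demo are constructed for this example and are not real indicators.

```python
import hashlib
import shutil
from collections import defaultdict
from pathlib import Path
from tempfile import mkdtemp


def sha256_of(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_clones(seed, roots, suffixes=None):
    """Files under `roots` that are byte-identical to `seed`, whatever their name or extension.

    Size is compared first (cheap, and it is what the thread keyed on); only files of the
    same size are hashed. File timestamps are deliberately ignored: the thread found they
    did not line up for this infection.
    """
    seed = Path(seed).resolve()
    want_size = seed.stat().st_size
    want_hash = sha256_of(seed)
    clones = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file() or path.resolve() == seed:
                continue
            if suffixes and path.suffix.lower() not in suffixes:
                continue
            if path.stat().st_size == want_size and sha256_of(path) == want_hash:
                clones.append(path)
    return sorted(clones)


def size_clusters(roots, min_count=3, suffixes=None):
    """Group files by exact size and return clusters of at least `min_count` files.

    Useful when no seed is known yet (the ~20 randomly named .dat files of 91k in system32
    described above are exactly such a cluster).
    """
    by_size = defaultdict(list)
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and (not suffixes or path.suffix.lower() in suffixes):
                by_size[path.stat().st_size].append(path)
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= min_count}


def quarantine(paths, dest):
    """Move files into `dest` under a new name instead of deleting them.

    The added ".quarantined" suffix means nothing will load them as a DLL/OCX/EXE, and a
    mistaken move of a legitimate file can be reversed.
    """
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    moved = []
    for path in paths:
        path = Path(path)
        target = dest / f"{path.name}.quarantined"
        n = 1
        while target.exists():  # two clones with the same name from different folders
            target = dest / f"{path.name}.{n}.quarantined"
            n += 1
        shutil.move(str(path), str(target))
        moved.append(target)
    return moved


def build_sample_tree():
    """Constructed sample tree: a fake 'windows' and 'system32' folder holding clones of one payload.

    Every name and every byte here is made up for this example; none of it is a real indicator.
    """
    base = Path(mkdtemp(prefix="aboutblank_demo_"))
    payload = b"<html><script>/* constructed sample payload */</script></html>" * 1500
    win, sys32 = base / "windows", base / "windows" / "system32"
    sys32.mkdir(parents=True)
    (win / "seed.dll").write_bytes(payload)                # the file a scanner flagged
    (win / "abcde.dat").write_bytes(payload)               # same bytes, different name/extension
    (sys32 / "xyzzy.exe").write_bytes(payload)
    (sys32 / "qwert.ocx").write_bytes(payload)
    (sys32 / "same_size_other_content.dll").write_bytes(b"A" * len(payload))  # size match only
    (sys32 / "kernel_like.dll").write_bytes(b"legit" * 100)                    # unrelated file
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    hits = find_clones(base / "windows" / "seed.dll", [base / "windows"])
    print("clones:", [p.name for p in hits])
    print("size clusters:", {s: [p.name for p in ps] for s, ps in size_clusters([base]).items()})
    print("moved:", [p.name for p in quarantine(hits, base / "quarantine")])
```

Note that the size-only cluster includes same_size_other_content.dll while the hash match does not: size alone, which is all the posters had in Explorer, gives candidates, and the content comparison confirms them. On a real machine you would point `roots` at the Windows and system folders and review the cluster listing before quarantining anything.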
lcabyss (posted October 27, 2004)
I got that nasty spyware/virus a while back and it took me FOREVER to get rid of it! Extremely obnoxious!!! Here is a site with instructions I found on how to get rid of it. Sounds like the same thing I had, so hopefully this will work for you also. http://www.akadia.com/services/about_blank_virus.html
coryphaena (posted November 1, 2004)
I found that page about two months ago. It refers to registry keys that do not exist and a registry editing tool which does not perform as described in the text. It's useless.
RollaJ (posted November 11, 2004)
OK, while this program SUCKS, I came up with a non-techie solution. I had run AdAware... of course to no avail, and Norton... no help there either. Then... I saw the *.dll file that was screwy, which AdAware found but could not delete. I went into My Computer for a manual delete, but it wouldn't let me delete it. It did however let me rename it. So I renamed the .dll file and now it can't be found to be accessed. Browser is no longer being hijacked!!!!
iq454 (posted December 6, 2004)
Your browser isn't being hijacked, but you can bet you still have the stuff on your system sending out info... If a file won't delete, all you have to do is go to Safe Mode to delete it... And also make sure, if you have XP, to turn off System Restore, clean everything, make sure it's clean, then turn System Restore back on and create a new restore point. Then guard yourself like Alec§taar said, and even try those new browsers; they're safer. You might only need IE for special cases. iq
dltn4 (posted December 8, 2004)
Hi, today I had the same problem. CWShredder came out with a new version 2.1; I ran it and the fix took out About:Blank. Hope this helps. http://www.majorgeeks.com/download3019.html
webmonkeymon (posted December 22, 2004)
Dude, I fought with that bewitched sp.html & sp.htm About:Blank hijacking problem for months. HijackThis and AdAware would get rid of it only temporarily. I ran this tool and it is completely gone. It has been well over a week and no problems. http://securityresponse.symantec.com/avcenter/FxAgentB.exe They have some instructions for running it here: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html Hope you have success. I know this also worked for one other guy. Yet another guy ran it and it did not work for him. I would delete all your temp files and run spyware tools first. Leave a post here if it works.
ScinteX (posted January 3, 2005)
With the amount of hits this thread gets, it makes you wonder how far these nasties have got! Oh dear ;(