Compatible Support Forums
Rizon

Browser Hijack, about:blank Search, sp.html, and friends


Hey, I found the main programs, they're called "Serach Extender", "ShoppingWizard" and "Home Search Assistant". Go remove them in your Add/Remove Programs.

 

If you've done the procedure I just explained, then it won't find them and it will leave the garbage there; you need something like Tweak XP to delete the entry. They are harmless now, though, as the main threat is taken care of.

 

 

rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/SearchExtender.html

rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/ShoppingWizard.html

rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/HomeSearchAssistant.html

 

Maybe it was hooked into the url.dll? Maybe someone from BHO can examine how I defeated it, so we can know what exactly was the main program and how it replicated and why.


Or, you can go to the registry and delete the entries. Open Start\Run and type in regedit. Be careful here; it's not to be messed with. If you get confused, just use Tweak XP or something.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

 

Scroll the list to find:

 

"Serach Extender"

"ShoppingWizard"

"Home Search Assistant"

 

Then right-click that folder and delete it.

 

Hijack has been destroyed

 

Mission Accomplished

 

Game Over.

 

end of line
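The two posts above remove the hijacker's Add/Remove Programs entries by hand. As an added example (not the poster's or the forum's code), the Python below audits an exported copy of that Uninstall key for the three names quoted here and also flags any entry whose UninstallString only opens a web page through url.dll,FileProtocolHandler, the pattern shown in the commands above. It assumes the key was exported first with `reg export`; the sample export and its example.invalid URL are constructed.

```python
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
# Display names quoted in the posts ("Serach" is the entry's own spelling),
# compared case-insensitively with spaces removed.
SUSPECT_NAMES = {"serachextender", "shoppingwizard", "homesearchassistant"}

def _norm(name):
    return name.replace(" ", "").lower()

def parse_reg_export(text):
    """Return {subkey_path: {value_name: value}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def find_suspect_uninstall_entries(text):
    """List (subkey, DisplayName, reasons) for Uninstall entries that carry a
    known name or whose UninstallString just opens a web page through
    url.dll,FileProtocolHandler instead of running a real uninstaller."""
    hits = []
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(UNINSTALL_KEY.lower() + "\\"):
            continue
        subkey = path.rsplit("\\", 1)[1]
        display = values.get("DisplayName", subkey)
        reasons = []
        if _norm(display) in SUSPECT_NAMES or _norm(subkey) in SUSPECT_NAMES:
            reasons.append("known hijacker name")
        if "fileprotocolhandler" in values.get("UninstallString", "").lower():
            reasons.append("uninstall string opens a web page")
        if reasons:
            hits.append((subkey, display, tuple(reasons)))
    return hits

# Constructed sample export (not a real capture); the benign entry shows what is
# left alone. A real export is UTF-16 text: open it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Serach Extender]
"DisplayName"="Serach Extender"
"UninstallString"="rundll32 url.dll,FileProtocolHandler http://example.invalid/uninstall/SearchExtender.html"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++]
"DisplayName"="Notepad++"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
"DisplayName"="Home Search Assistant"
'''
```

Running `find_suspect_uninstall_entries` on a real export lists the subkeys to inspect in regedit before anything is deleted.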


Didn't go through your way; I found it differently. I happened to remember the original name I started deleting, AND the creation date. After a couple frustrating hours, I searched the DATE and found the original filename in the \restore\temp directory (WinMe) with an extension of .o, along with a couple other files on the drive from that date (7/24/2004). Not sure yet what else was interconnected, but this seems to have killed it.

Incidentally, two days ago I cleaned one that actually loaded in Safe mode in XP! Couldn't be deleted. Had to boot from the Winternals CD (not cheap), attach to the XP install, and delete the file. Worked like a charm.

 


Cool, funny that; that was the way I was doing it originally.

But I found that I had more files than just one ("I had over 90 files to delete"), so I thought to order them by date, but because I had forgotten when I got this, and all those dll's that I deleted a few weeks ago, I would be looking for files I had no idea when they were created, so I couldn't order by date.

 

But the new files I could keep track of were created at the same time ('cause I saw them created on the fly), but what's funny is their dates didn't match, so I wasn't sure if they were part of the hijack, as the programmer probably thought of this too. So I did it by file size, because this is what I knew for certain.


Windows XP/2000 restore point fixes it. The D:\I386\winnt32.exe /cmdcons for those peeps that don't have a good restore point. I'll try and use IQ454's file size fix for the Win98 boxes I get today. If the fix doesn't work I'll be going back to the delete partition/format (Windows reinstall) fix that does work. I'm not used to being stumped like this; normally there is always a fix for crap like this (but this one's different so far). One thing I can say is it's been making us comp techs lots of work, but I never feel good reformatting a customer's comp. I'd prefer to remove the culprit(s) instead. I'm hoping that IQ454's fix works on all the comps I come across today so we can put this About:Blank hijack to rest. Is there a name for this one yet? Is it a spyware, adware, virus or pest, or all of the above??


Yep, RC probably would have worked; it was in the system32 directory. I just had Winternals sitting here next to me, as I use it regularly enough. Struck me as interesting: I take this crap out of systems daily, and this is the first one that I've seen load in Safe mode.

 

Part of the ease (for lack of a better term) of taking out crapware HAS been recognizing more recent dates on the files; I've only seen a couple using older dates. When the scumbags get smarter and use old file dates... then the job gets harder.

 


Originally posted by a1_andy:

One thing I can say is it's been making us comp techs lots of work, but I never feel good reformatting a customer's comp. I'd prefer to remove the culprit(s) instead.

 

 

So would I, formatting is a last resort most of the time. Lately, though, the crap has been getting smarter, and it's getting personal. Damned if I'll let them get the best of me.

 


So far so good, 3 outta 4 Win98 boxes fixed ain't bad. The 4th one was truly infested. One thing that I did find that IQ454 may not have had or noticed is that launching "Notepad.exe" would create the problem all over again. Notepad seemed to be infested. So as well as IQ454's method I delete all the notepad.exe programs I can find and replace them with a good one. And instead of deleting the files right away I move them to a new folder (just in case it's a real OS/program file). I also remove the hard drive after removing the reg entries, then do the file matching, then moving, with the HD as a slave in another box, Win2k. Thanx IQ454, 'tis beat (for now, I think).


Oh, and seeing as Notepad.exe was recreating this hijack on launch, this hijack should be classified as a virus, also because it recreates itself when improperly removed. In my opinion.

I think I'm going to make my notepad.exe in both my Windows folder and system32 folder "read only" and see if this hijack can still infest me. Something to do this weekend. I wonder....


Update... LOL

Either the hijack is gone (off the net) or changing the 2 notepad.exe's to read only prevents the hijack from even taking place. I surfed all the smut that I could think of in the last hours with no popup blocker or firewall (getting hundreds of popups) and blindly clicking away on all the links I could find. Then as I'm closing up the IE windows I notice several small boxes in the top left of my screen, blank; I couldn't expand them or view their properties/contents. Then the header changes to "syntax error". LOL. I'm gonna try all weekend to get this hijack again to see if this is a real way of blocking hijacks and ad-ware from being installed without permission. Wouldn't it be nice if this was the be-all and end-all of fixes for this problem. In all my ad-ware scans found nothing but cookies; surely I should have got an adware by now? I'm gonna keep trying, and I'd enjoy some feedback on this. Maybe name some sites for me that will surely give me some ad-ware, spywares and/or hijacks?? Know of any??

WinXP SP1


Ahhhhh, so that's why when I used Notepad it would close down the pad I was reading or using ATT. Good call, Andy. How did you figure that one out?

 

Can you post me a HijackThis log of the 4th machine?


Aww, I guess so, but I didn't use HijackThis; I just read your instructions and noticed that Notepad was creating the original hijack files. But I'll go into the office on Saturday and run it for you. That's the least I could do for you. Thanx again.


No probs,

 

I need you to run it so I can check the log to see if I can run you through it, so we don't have to format their machine. It's just easier for me to read the log rather than post back and forth on theories.

 

IQ


Ahh, sorry, I missed your update. Okay, so then you fixed machine 4? Never mind about the log then.

 

Although I'm sure it would be an ActiveX control that's the cause, and then maybe it created a hybrid for Notepad to send info off, which isn't really infected, because I found one file that was write-protected, "jlkopi.log". It seems that the main ocx file created dll's and dats first off, and if any one of those files got deleted and we missed one, because all files are exactly the same thing even though the extensions were different (because I checked the JavaScripts), it was still the same file, just many variations of it.

 

And Notepad might have been infected to enable it to plant a log file for feedback on everything that was happening on the system and to the files it created. Now that log file would've created a hybrid link which talks to Notepad every time it's open to record info for the log, and when you hit the net it sends the info back to the creator, and the hybrid change will happen every time you hit the net or change its routined files; it will enable it to tell the main dll to do the redirecting. And if all were deleted and the ocx was left, then that ocx would've created alternate files of different sizes with random names, sorta like a stage 2 infection.

 

So,

stage 1, ocx creates dll and dats, dats get deleted.

stage 2, ocx creates dll. dll gets deleted, ocx creates new dll, and exe's to match. dll gets deleted, exe's can't find active dll, exe's tell ocx that dll can't be found, ocx then creates a new dll with another random name, and exe's to match, ocx finally gets found and deleted, dll can't find ocx and creates more exe's of itself in case it's found, exe's recreate ocx in case both are found, dll gets deleted, exe's create another dll, exe's get deleted, dll creates more exe's with another dll that deletes itself.

 

Restarts stage 2 with new instructions. ocx creates dll's and exe's with different file names and splits the files into smaller pieces, changing the file size also. And ends there. Then starts all over again if any are left behind. Either of the files left behind (which have all got the same instructions) will create what it needs again to start the process all over.

 

Log files link to the main ocx, dat, dll, exe's has been severed, notepads link to log file has been severed, log file goes ape shit and creates more dll's with random names but always the same size from now on, dll's get deleted, BHO turns the dll off, ocx can't find dll, ocx creates new dll, and so on and so forth...

 

stage 1

dat=56kB x 1 dll x 1 dll(deleted itself) = 19kB =94kB

stage 2

exe=32kB x 3 = 96kB...exe's are write-protected.

exe=32kB x 1 dll = 64kB = 96kB....exe and dll are write-protected.

txt=96kB...txt is write-protected.

dll=96kB...dll is write-protected.

ocx=96kB...ocx is write-protected.

 

Main point?

 

ocx created 2 versions of itself in the beginning, then once that version was found and defeated, it would then create another 6 versions of itself. Even though they are different extensions and different file sizes, they're still the same exact file combined.


I tried to solve the problem with hijacked about:blank homepage as follows (Windows ME):

I located the .dll files with SpywareGuard or BHO Demon 2.0. In my case:

C:\windows\bruhh.dll/sp.htm#29126

The size of the file was 91kB.

I opened the file with Notepad in Windows Explorer. I looked for more .dll files of the same size in the Windows folder and System folder. I found more than 10 of them under the names tdfva.dll, addgn.dll, addgn.dll, apiix.dll, sdkyq.dll, taddwq.dll, syzda.dll, ntpt32.dll, javacp32.dll, netaf32.dll, javaxo32.dll, netan.dll, apicz32.dll, cryk32.dll. I opened them all with Notepad. I found out that the content of all the files is the same as the content of the detected file bruhh.dll. I deleted the content of the files one after the other and saved the changes (under their original names). So all the mentioned .dll files are now empty (and harmless) files in the Windows and System folders. Since then I have had no problems.
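Both the file-size hunt IQ454 describes earlier in the thread and the Notepad comparison in the post above come down to one check: many file names, one set of bytes. The added Python below (not the posters' own code) does that check with size buckets and SHA-256 over the top level of the given folders; the sample tree it builds is constructed, with the file names borrowed from the post above.

```python
"""Find the hijacker's clones: same bytes under many names (added example, not
code from the thread). Automates sorting a folder by size and then comparing
the candidates in Notepad: size buckets first, SHA-256 on the collisions."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_clones(dirs, min_members=2):
    """Return {sha256: sorted paths} for content present under at least
    min_members file names across dirs (top level only, like the folder views
    in the posts). A size shared by fewer files than that is never hashed."""
    by_size = defaultdict(list)
    for d in dirs:
        for p in Path(d).iterdir():
            if p.is_file():
                by_size[p.stat().st_size].append(p)
    clones = defaultdict(list)
    for paths in by_size.values():
        if len(paths) >= min_members:
            for p in paths:
                clones[sha256_of(p)].append(str(p))
    return {h: sorted(ps) for h, ps in clones.items() if len(ps) >= min_members}

def build_sample_tree():
    """Constructed sample, not a real infection: five names (taken from the
    post above) sharing one 91 KB body, a decoy of equal size with different
    bytes, and an unrelated file. Returns the temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="clone-demo-"))
    body = b"<html><!-- constructed sample body -->" + b"A" * (91 * 1024)
    for name in ("bruhh.dll", "tdfva.dll", "addgn.dll", "sdkyq.dll", "ntpt32.dll"):
        (root / name).write_bytes(body)
    (root / "decoy.dll").write_bytes(body[:-1] + b"B")   # same size, other hash
    (root / "readme.txt").write_bytes(b"nothing to see here")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for digest, paths in find_clones([root]).items():
        names = ", ".join(Path(p).name for p in paths)
        print(f"{digest[:16]}  {len(paths)} files share content: {names}")
```

On a real machine, pass the Windows and System folders to `find_clones` and review each cluster before moving anything, since legitimate duplicates (backup copies of system files) will also show up.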


iq454, you are an utter GENIUS!!

 

I used the "Search for files of 96, 91, 64 and 32KB" method, then deleted SE, SW and HSA from the Registry, and now my internet connection is restored and zooms along just fine!

 

There aren't enough words to express my thanks to you, so I'll have to come round to your house and prostrate myself at your feet!

 

MUCHAS, MUCHAS GRACIAS!

VIELEN DANKE!

 

Chris

 

Varium et mutabile semper Excel

 


I just spent a miserable three months hammering weekly at the Lavasoft "help" site trying to get rid of the About:Blank hijack. I'm on a Win2K box running SP4, IE6 SP1.

 

Everything they suggested (repeatedly, whether it worked at all or not) did nothing. Or at least nothing permanent.

 

This is what I did to get rid of it, and it seems to work like a champ:

****************

Run AdAware current version and delete all the crap it finds.

 

Run About:Buster's latest version.

 

After running the A:B, I rebooted. The boot into Win2K was interrupted by a message box asking me if I wanted to run a .dat. I said no ("Cancel"); the machine finished booting and the IE home page was still "About:Blank", but actually blank.

 

I went to my system32 directory (C:\WINNT\system32) and sorted by file type. I found about 20 .dat files with seemingly random file names, all 6 chars long. I then sorted by file size and deleted (actually, I just moved them to a new directory first, then deleted after another successful reboot) every .dat that was 91k in size.

 

Everything is back to normal now, after resetting my home page to the one I wanted.

 

Seems a lot simpler than running HJT! and AB a zillion times, don't it?

 

Hope this helps, gang...

 

c.

 


I found that page about two months ago. It refers to registry keys that do not exist and a registry editing tool which does not perform as described in the text.

 

It's useless.


Ok, while this program SUCKS, I came up with a non-techie solution. I had run Ad-Aware... of course to no avail, and Norton... no help there either...

Then... I saw the *.dll file that was screwy, which Ad-Aware found but could not delete. I went into My Computer for a manual delete, but it wouldn't let me delete it. It did, however, let me rename it. So I renamed the .dll file and now it can't be found to be accessed. Browser is no longer being hijacked!!!!


Your browser isn't being hijacked, but you can bet you still have the stuff on your system sending out info...

 

If a file won't delete, all you have to do is go to safe mode to delete it...

 

And also make sure, if you have XP, to turn off System Restore, clean everything, make sure it's clean, then turn System Restore back on and create a new restore point. Then guard yourself like Alec§taar said, and even try those new browsers; they're safer. You might only need IE for special cases.

 

iq


Dude, I fought with that bewitched sp.html & sp.htm about:blank hijacking problem for months. HijackThis and Ad-Aware would get rid of it only temporarily.

 

I ran this tool and it is completely gone. It has been well over a week and no problems.

 

http://securityresponse.symantec.com/avcenter/FxAgentB.exe

 

They have some instructions for running it here:

 

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html

 

Hope you have success. I know this also worked for one other guy. Yet another guy ran it and it did not work for him.

 

I would delete all your temp files and run spyware tools first.

 

Leave a post here if it works.


With the amount of hits this thread gets, it makes you wonder how far these nasties have got! Oh dear ;(
