Browser Hijack, about:blank Search, sp.html, and friends

2 Posts
Joined 2004-07-05
A little history on my problem of the last few days. Basically my IE homepage has been changed to a search page. Even though it's still shown as my regular start page of about:blank, it still shows the search page. I get bombarded with ad popups if I'm not using a blocker.
 
I've tried the following (all updated versions of each):
 
1) Ran AVG numerous times, been clean all but twice: BackDoor.Agent.BA and Downloader.Swizzor.AH. Noticed Swizzor was coming from C:\ProgramFiles\C2Media. Manually deleted that directory.
2) Ran Adaware, Spybot, NoAdware: All found nothing
3) Cleared with Tracks Eraser Pro, which had cleared off lop.com awhile ago. Nothing.
4) Re-ran Spyware Blaster. Nothing.
5) Noticed Class3SoftwarePublishers keeps re-adding itself into TempIntFiles.
6) Tried System Restore from an earlier safe point, all 3 safe points failed to restore.
7) Checked Startup via MSconfig, running processes, Add/Remove Programs, and saw nothing unusual.
8) Ran CWS Shredder. Nothing.
9) Stopped using IE, which I should have done awhile ago
 
Anyways, here is my log:
 
Logfile of HijackThis v1.97.7
Scan saved at 10:07:34 PM, on 7/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c...ymmapi.dll
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5301388889
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Shared.../cabsa.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 
Thanks for any help.
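
Reading the log above for the two signs later replies in this thread key on, IE search settings that point at a local file in a temp directory and an unnamed BHO whose DLL sits directly in the Windows system directory. This is an added Python example, not part of the original post; the two rules are heuristics assumed from this thread, not HijackThis's own logic, and the sample lines are copied from the log above.

```python
import ntpath
import re

# Lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# "R0 - <key>,<value name> = <data>": IE start/search page settings.
R_ENTRY = re.compile(r"^R[0-3] - (HK[A-Z]+\\[^,]+),(.+?) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <path>": Browser Helper Objects.
BHO_ENTRY = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# C:\WINDOWS\SYSTEM, C:\WINDOWS\SYSTEM32, C:\WINNT\system32 (no subfolder).
SYSTEM_DIR = re.compile(r"^[a-z]:\\(windows|winnt)\\system(32)?$", re.IGNORECASE)


def local_temp_file(data):
    """Return the path if data is a file:// URL under a directory named temp."""
    if not data.lower().startswith("file://"):
        return None
    path = data[len("file://"):]
    parents = ntpath.dirname(path).lower().split("\\")
    return path if "temp" in parents else None


def triage(log_text):
    """Return (kind, identifier, path) tuples for lines matching either rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_ENTRY.match(line)
        if m:
            key, value, data = m.groups()
            path = local_temp_file(data)
            if path:
                # Heuristic 1: search setting served from a temp-dir file.
                findings.append(("ie-setting", f"{key},{value}", path))
            continue
        m = BHO_ENTRY.match(line)
        if m:
            name, clsid, dll = m.groups()
            # Heuristic 2: unnamed BHO loaded straight from the system dir.
            if name == "(no name)" and SYSTEM_DIR.match(ntpath.dirname(dll)):
                findings.append(("bho", clsid, dll))
    return findings


if __name__ == "__main__":
    for kind, ident, path in triage(SAMPLE_LOG):
        print(f"{kind:10}  {ident}  ->  {path}")
```

The unnamed Acrobat helper is not reported because it lives under Program Files; a hit is a lead to check by hand, not a verdict.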


Responses to this topic


2 Posts
Joined 2004-07-05
OP
Ok, that seemed too easy?
 
I ran the BHO Demon, and it found two ... Norton and Acrobat Reader helper. I disabled both just to be safe (Don't use Norton anymore, and don't use AR anywhere but work).
 
Anyways, I started up IE and the page was no longer hijacked, instead replaced by Google.com. I changed it back to about:Blank and it looks like it's staying there.
 
I think the offending BHO was PHKNA.dll. I didn't get any hits in Google for it, and after deleting it, it just re-adds itself later.
 
Is this all that needs to be done for now?
 
PS: How do these about:blank hijacks come through, by clicking on a website or manually downloading something infected?
 
PSS: Thanks for your help, Alec.

686 Posts
Joined 1999-10-28
Sounds very similar to CoolWebSearch - nasty bastard of a bit of malware.

1 Posts
Joined 2004-07-12
I've got this same problem on my system (Win2K Pro) and have been unsuccessful at getting rid of it now for about a month. The program that seems to regenerate a new randomly named .dll in the system32 folder (always 30k in size) is IE. I have run all the same anti-spy programs that are listed here and even when it seems gone, a reboot and subsequent use of IE brings it back to life again. If I catch it early enough, I can manually delete the .dll and the system usually doesn't bog down but having this thing on my system is a serious problem since I don't know WHAT information it is capturing and sending out. If anyone ever finds a solution to this, please let me know. I have had some problems that have caused a lot of aggravation over the years, but this one is beyond my ability to solve. Thanks in advance for any continued information that might come along on this particular bug.

1 Posts
Joined 2004-07-13
Here is a link I found online that shows you how to remove this beast:
 
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html
 
People have said this worked for them, but this has NOT worked for me. I am unable to delete the reg key picked up by reglite, but I am able to remove the DLL file. (Read on to the bottom to see why this doesn’t work for me).
 
So here are the programs I TRIED to use to remove this malware!
 
-Ad aware 6.0 w. updates
-Spybot w. updates (doesn’t seem like they update anymore though)
-Latest version of CWShredder
-Hijack this
-Spy Sweeper with updates (takes a long time to scan but picks up more stuff than spybot/adaware)
-BHO Demon 2.0 (picks up the randomly generated .dll file)
 
None of these programs have helped me remove this nasty spyware..
 
*all done in safe mode btw*
 
-so the spyware creates an sp.html in your local temp folder
-I delete all the temp folders, startup files and reg keys, etc.
-I delete the .dll that is picked up from the BHO Demon 2.0 BUT IT GETS CREATED AGAIN with another file name.
 
So there must be another hidden file (most likely a dll file) that is causing this problem.
 
If anybody has any insight on where to look or want to discuss this further, let me know.
 
Thanks
;(

1 Posts
Joined 2004-08-05
Just wanted to say because of a search I did on Google, I was able to fix my little "sp.html" problem on one of my Folding@Home servers. You guys are life savers. Thanks.
 
 

1 Posts
Joined 2004-08-05
I just solved that problem last night: drive by download, I found the search assistant had been activated. Particulars: problem file was ps.html, put in the temp dir. other problems caused too.
 
I was alerted to an outgoing attempt by ZoneAlarm Pro (the culprit tried to phone home, it was named on-line.exe). When it failed it deleted itself from the downloaded files folder under windows.
 
I did a search for files that had been modified w/in last day, and found in system32 a .dll file named jsjfc.dll (I think that was the name)... I could not delete the .dll (WTFO?) I tried looking for rogue services, but I keep a tight rein on them and found nothing there that was not supposed to be (though I did find an instance of Macrovision's C-Dilla, which I also cleaned out!!)
 
Well anyway, I also found I had a permanent search page appearing on IE6 (I use about blank). And NOTHING I did got rid of it.
 
Here's how I fixed it.
 
1) I ran ad-aware, that ID several problems, and I deleted all the items it ID (this unfortunately included some links under all of the "default" favorites folders in IE, including for example "Entertainment"). I will be changing all of the default favorite top-folder names this evening...
 
2) I ran regseeker's clean registry tool several times. I also did searches for file commands, etc. I had to go this route because the event viewer showed nothing! Neither did the Services listing.
 
3) I opened XTeqPro and looked at the Internet Explorer sub-links (under the internet heading), and found a strange BHO that had not been there before (it has NAV and ACROBAT, I cleared the others months ago). XTeqPro will tell you where the BHO is located (instead of having to search for the CLSID). I did that and found the DLL I named above, in the system folder. Ok, now I know the culprit. This one turned out to be the sticker...

4) I reran a search in RegSeeker for the DLL name (a GREAT!!! freeware program by the way) and found several instances of the DLL listed in the registry. One of them actually included an uninstall line!!! Duh. I opened the registry entry, and copied the uninstall line.

5) I opened Run and ran the uninstall line. That "disconnected" the DLL, which I was now able to delete directly in Windows Explorer. I opened IE and found the search page gone.
 
6) I reran regSeeker and deleted every entry with that name from the search window, did the same in the clean registry box.
 
7) I found an odd .tmp file in the system32 folder, named meebooee.tmp or some such, which I moved out of that folder and tried to delete, but I could not!! Hmmm... I changed the name, still could not delete it... Ok. I ran task manager, killed explorer, then reran explorer, then was able to delete the file.
 
8) I ran ZoneAlarm's cleaner, then ran Erase on some files (another great freeware tool); then manually checked all of the temp dirs on the machine to be sure I had got rid of all cookies and links.

9) I logged out and back in, then ran XteqPro, and looked at the BHOs again, and LO!!! I found two more odd ones! The culprit had replanted itself on uninstall (as I had expected). However, I had moved the temp file and deleted it, then I manually searched the registry for the now 3 BHOs listed in XTeq. I found two entries for each BHO, one CLSID and one BHO entry. I deleted them, logged out, and back in, and back into Xteq, and all was gone.
 
10) I ran regseeker clean up one more time, then ran regclean (I use WinXP w/ updates, etc; heavily tweaked, and I find that RegClean STILL does a good job...). It found some stuff wrong, fixed that.
 
11) I restored my favorites from my most recent back-up, and checked everything out. All was still fine this a.m. when I checked again.
 
Note 1: I use ZoneAlarm Pro, NAV, WinXP w/ SP1, lots of tweaks and service disabled, etc. This was the first time I had this happen. Having XteqPro, Ad-Aware, RegSeeker, Eraser, CacheCleaner, RegClean, etc. All helped. I find I use all of these fairly regularly.
 
Note 2: WinXP SP2 is supposed to prevent these kinds of attacks, and that is supposed to be released today I think. Figures. Oh well it was a learning experience. I'd love to sugar the gas tank of the *^%$%$% who planted that seed...
 
Regards,
npl

1 Posts
Joined 2004-08-10
This is a persistent b'tard! But, I managed to resolve this issue on a customer's Win98 computer in the following way:
 
I installed Ad-Aware 6, SpywareBlaster 3.2, SpyBot S&D 1.3, updated them all and ran the scans/clean outs - but NONE of them removed this little devil permanently! However, they did help me track it down.
 
1) Spyware Blaster alerted me to the sp.html file being the cause of the about:blank homepage alteration. In the 'Tools' section, it showed the file sp.html as having been inserted as a search page - so I renamed all of these to Google using the 'change' function. (this can also be done in the registry, of course). It also alerted me to the location of the sp.html file in the C:\Windows\Temp folder, so I deleted it from there along with another file that seems to have been generated.
 
2) I re-ran SpyBot S&D and, in Advanced Mode, had a look at the BHO's listed in SpyBot's 'Tools' section. There were two there - SpyBot's own SDhelper.dll and another unnamed and unidentified BHO. Clicking on it revealed the file and its location: ilcam.dll located in the C:\Windows\System folder. I deleted the BHO object from within SpyBot.
 
3) Of course, trying to delete the source file in Windows was impossible as it was 'in use', so I rebooted into DOS and deleted it using the command line.
 
And then the home page was no longer hijacked 3 seconds after you launched Internet Explorer. So far, three days later, the customer has not got back to me so I assume that all is still well.
 
 
I guess that this .dll file may come in various names - but having a search for this particular file may be of help. Also, of course, where sp.html and ilcam.dll may be located in a Windows XP environment may be slightly different, ie in the usernametemp folder and in C:\Windows\System32. But in principle, this method should work.
 
Look forward to some feedback on variations of this BHO as it is the most persistent piece of spyware that I have yet encountered. And all the more irritating as it presents itself as advertising for anti-spyware software! Clearly, its origins are from one of the many bogus anti-spyware software programs that have sprung up of late - if anyone finds out which one, please let me know.
 
Christopher
 
 
http://www.red-dragon.net.nz

38 Posts
Joined 2004-07-31
Argh, are you sure that that Backdoor.agent.ba is removed? I think that is the trouble. I searched it on the net and it says Backdoor.Agent.Ba = About.Blank. - Symantec Virus names = not AVG names. Could it be that Trojan.Bookmarker.Gen = Backdoor.Agent.Ba? If it is, I removed Trojan.Bookmarker.Gen like this:

1) Disable System Restore (Windows XP/Me) (right-click on My Computer->Properties, click on the System Restore tab and disable it.)
2) Shut down the PC and restart it in safe mode. (I thought there is an F-key to do it but I don't know it, so I power it off while Windows is starting, then next time you start you have the option to do safe mode. Select Safe Mode without any Networking or CMD Prompt.)
3) Scan your PC, and delete it. Then you must delete some entries in the registry, look here: http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.gen.html

At my brother's PC I wasn't able to delete it; I formatted his HD and reinstalled XP, so.
 
Andicioz-<>-Greetzies

1 Posts
Joined 2004-08-12
I found a simple grease monkey solution that worked for me:
 
Using HijackThis, find the HTML file that the browser hijack creates on your hard drive. In my case, it was c:\windows\temp\sp.html. Set that file's properties to Hidden, Read-Only and Archive. (I also deleted all the contents of sp.html file in Notepad and re-saved it, just in case.) Then I ran HijackThis again and 'fixed' the remaining search page items. Now the search pages are all set to "about:Navigation Failure."
 
I hijacked the hijacker! It can't find its page!
 
Then I went into IE and manually reset my home page.
 
Search button doesn't work, but I never used it anyway. At least my home page is back for good.
 
Like I said, a grease monkey solution, but it does work.
 
If nothing else works for you (like it did me), you might try it.

5 Posts
Joined 2004-06-08
I have been having some virus issues which it looks like a lot of other people are having. Unfortunately I can't find the thread I asked the Q originally in because I've lost my bookmarks through stupidity so I hope you don't mind me starting again.
 
I open win2k then open Internet Explorer and get a spyware pop-up window and my homepage changed to newsearch.com - from that point if I run Avast! virus I get a virus alert with VBS:Malware[script]. So I deleted my icon for IE and installed Mozilla Firefox, SpywareBlaster and Flowprotector Plus 2.5 (added to my sygate firewall). These programs are identifying the problem, and Firefox is stopping the re-direct, but I'm concerned that as the integrity of my system has been breached that the security of my information is also in question.
 
So here's what happens when I scan on bootup (it doesn't look healthy and I think I need to edit the registry but can someone confirm and advise before I get drastic?)
 
Avast! finds VBS:Malware[script] in C:\Documents and Settings\Administrator\Local Settings\Temp\sp.html
 
Win32:Startpage-006[Trj] in C:\pagefile.sys & C:\WINNIT\System32\mpco.dll
 
Win32:Trojan-gen{other} in C:\WINNIT\System32\notepad.exe.tmp
 
Which it can't clean, but will allow me to delete.
 
 
(here's the log file .......
15/08/2004 10:27
Scan of all local drives
 
File C:\Documents and Settings\Administrator\Local Settings\Temp\sp.html is infected by VBS:Malware [script] - Deleted
File C:\pagefile.sys is infected by Win32:Startpage-006 [Trj] - Deleted
File C:\WINNT\system32\mpco.dll is infected by Win32:Startpage-006 [Trj] - Repair: Error 42060, Repair: Error 42060, Repair: Error 42060, Deleted
File C:\WINNT\system32\notepad.exe.tmp is infected by Win32:Trojan-gen. {Other} - Repair: Error 42060, Deleted
 
Number of searched folders: 2290
Number of tested files: 43409
Number of infected files: 4
.........................................)
 
Then I Boot win2k and Run Spybot & get
 
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1004336348-606747145-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
 
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
 
which I fix then re-scan and they re-appear immediately without launching or opening anything!
 
As a sneak I have tried to drop an html file into the temp folder and call it sp.html making it read-only as was suggested. I then read about BHODemon 2.0 and installed that - it has located the orphaned registry from the mpco.dll file i deleted in boot and gave this message - "Although this BHO has entries in the Registry, the file itself (C:\WINNT\system32\mpco.dll) cannot be found. Possibly, this is the result of the file geting deleted during an attempt to remove the BHO."
 
So I let BHOD delete it and now only shows up SDHelper.dll which is part of search & destroy.
 
Now when I return to Search & Destroy and scan IT STILL shows me the DSO exploit!! So - time to install HijackThis v.1.97.7 - here's my log
 
Logfile of HijackThis v1.97.7
Scan saved at 11:36:30, on 15/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\My Documents\installers\spybot\hijackthis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [updReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [winupd] C:\WINNT\system32\winupd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Corel Network monitor worker (HKLM)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Corel Network monitor worker (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11dae5ef5ca7b3808d17/netzip/RdxIE601.cab
O16 - DPF: {733A5CA7-C0E1-41D7-9506-F4AA354B4500} (ActiveFormX Control) - file://C:\Program Files\Intelore\AnimatedDesktop\advThemes\WorkDir\7476015\Files\ActiveFormProj1.inf
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.4203009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
ANYONE got any suggestions for me? I'm able to browse without the annoying redirect and can now log into hotmail and yahoo mail which it re-directs you out of when the malware is functioning. But I still don't know if my data is safe.
 
Cheers
 
 

1 Posts
Joined 2004-08-18
I am now fighting this hijacker as well. I've tried pretty much everything listed here. I've got bhodemon blocking cws as gffee.dll. It always regenerates when trying to remove it. The only thing I haven't been able to try is cwshredder because I can't get to spywareinfo - seems to be blocked. I'm stumped. Any help or suggestions would be greatly appreciated.

1 Posts
Joined 2004-08-21
I had this very same problem for weeks. I tried just about everything suggested here, to no avail.
But I might now have the answer. Try going to http://oz.msie.tv and click the uninstall link, this will download a very small program.
After I ran this I ran Adaware and it only found 2 of the original 8 remaining registry entries which it was able to delete.
 
I hope this is of some help.

1 Posts
Joined 2004-09-03
Wow, that one was a booger. I finally located this site and read through the thread and it made things easier. I messed with my XP system for 3 hours first though.. tried a lot of the things others mentioned above. I ended up booting into safe mode, running adware to remove the sp.html from the registry, and deleted the file. Then I did a search for any dll's created today and found one - mee.dll (random names I see). I deleted it. I then manually searched the registry for, and deleted, all references to the dll and the html file (did not find any more of the html but I wanted to make sure). I did this all while disconnected from the network. I reset my home page and rebooted. I checked the browser and it stayed so I connected the network and rebooted again. Surfed around a bit and all seems ok. Thanks for the info everyone!!
 
Just a quick note. Someone above mentioned SP2 for XP might stop this. I have SP2, didn't help.
 
 
Chuckster65

1 Posts
Joined 2004-09-04
Much like the rest of the people who replied here, I have this stupid about:blank Browser Hijacker..
I've had this problem before, or at least a similar one that gives all the same BS. It was the CoolWeb one or something. However, that problem went away for unknown reasons to me. I personally did nothing to it, someone else may have.
Now this problem is back. Though it's not naming CoolWeb as the culprit.
 
This case however, is more......special. Not only does it hijack my default webpage, that I can live with. But it now also attacks my hotmail account. Or any hotmail account on this machine. I cannot access my email without it hijacking the page. It logs in, loads, you get a glimpse of the inbox and then it goes to the "Search For..." Page with the about:blank in the bar.
 
I've tried several programs including all updated versions of:
Ad-Aware
Spybot - S&D
About Blaster
BHODemon 2.0
 
All of them have failed in removing this problem.. And it's getting really annoying not being able to check emails and worse yet, having family members complain to me about not being able to check emails, even though they all blame me for this problem, when I haven't even been home.
Anyways, if someone can help me, please reply..
 
 
Edit:
 
I fixed my problem...I found a program on a Dutch site that did the trick real good...or at least I can check email now and it's no longer going to about:blank
The program was called SpHjFix...
Bad English but good results... I found it through a google.ca search.
http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html
you can find it here.
[Edited by Wattz on 2004-09-04 17:11:43]
 


25 Posts
Location -
Joined 2004-09-08
This fixed my home page problem, but I still get pop ups, I'm working on this though. And services in admin tools is turned disabled, so it's not the messenger service for.
 
My system is XP, but maybe others with other OS's can get a picture of what to do. I can give in detail what files and how many are created for XP, maybe this will help one of you experts out in finding the actual execution file re-creating these dll's.
 
Firstly, open this location for testing and keep it open for this procedure. Keep an eye on the Search Bar or Search Page. It should have the location of our "dll" to delete first.
 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 
In my case the file was "kvypu.dll" (this will be different for everybody I think).
 
res\\Windows\"kvypu.dll"/sp.html#29126 is what's displayed in the registry.
 
The "dll" might or will differ, but the sp.html should be there, as all of you are talking about it. This should be easy to identify because of the "sp.html#?????" so just look for it and the "dll" will be before it.
 
What I did.
I opened it in notepad to see if I could change anything or find what it was pointing to, to see what was executing the re-creation of the "dll's", but couldn't find anything. Then I tried deleting info from that file, to no avail, "can't overwrite". I then just tried deleting the actual "dll" itself, it worked (as I knew it would, because I knew it would re-create into another file or another file would re-create another random name) while keeping the registry open to see the changes. Surely enough, it was re-created to another random set of letters, "dsgat.dll", still the same size though, so all future creations will be easy to identify if it decides to change name again.
 
res\\Windows\"dsgat.dll"/sp.html#29126 is what's displayed in the registry after you refresh it.
 
Now, I opened it and tried to delete stuff from this file also. To my surprise, it let me make changes this time, so I deleted the path where it finds the server just to see if it would let me change something (I don't think modifying its contents is going to make a difference to the re-creation of it). This is just the link that displays when you open your IE homepage that got hijacked (this is also how I identified the rest of the "dll's" that you will see if you read on). Whatever link it takes you to is what I deleted. I'm not sure if it would make a difference, I just did it out of curiosity. You don't have to do this though, just check to see if the link's in there, to identify it as a "dll" to be deleted.
 
Now, after I deleted the link it was pointing to, and then closed that "dsgat.dll", I had a look at the registry again to see if it changed again. It did get re-created to yet another name
 
"rnozl.dll"
 
res\\"rnozl.dll/sp.html#29126" on the fly.
 
Now, I also did the same for this "dll" (deleted the link it was pointing to), but then, no more on the fly changing in the reg string. I think deleting that first "dll" made these two extra files in one go, or they were always on the pc ready to hijack if that file was deleted, and probably didn't have anything to do with me changing the files or deleting the link it was pointing to. It just probably had only this amount of files, or that's how many files the programmer told his spyware to create. Anyway, after that, I was to find another 2 that I found only by checking with notepad, because these names weren't getting re-created in the registry like the others did (sneaky). I also found a "log" file that had the exact same content as all the "dll's". This may be the file that's creating the random "dll's" if they get deleted, or it's the first file I deleted. Again, the name may differ.
 
So, search for these files on your PC. In my case,
 
kvypu.dll 56kB was write protected, but let me delete it.
dsgat.dll 56kB wasn't write protected
rnozl.dll 56kB wasn't write protected
unqob.dll 56kB wasn't write protected
qoocf.dll 56kB wasn't write protected
wqkmpi.log 56kB wasn't write protected
 
Then go to the Search Bar and Search Page in the registry, right click and modify, replace it with the page of your choice, make sure you empty the recycle bin, Homepage linking defeated.
 
Because these files may be named differently on your guys' pc's (which I'm sure they will be), a way to check is by the file size (they may not be the same size as mine either), so check like this: again go to the Search Bar or Page in the registry, there should be the "dll" we're looking for.
 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Bar or Page
 
example: res windows\kvypu.dll/sp.html#29126
 
For me the first one was "kvypu.dll" (might or will differ). Simply go to that location, check its file size, and then order your windows folder to show all files by file size to make them easier to find. There shouldn't be many legit dll's in there the same size as these, so it should be easy to find them.
 
Then check all the "dll's" that are the same size(random letters and same file size should give it away), check them by opening in notepad just to be sure it's not a legit "dll", and see if the link has anything regarding your homepages forwarding link(the hijackers link), it should be something like
 
http://www.looksearch.com.blahblah - this was mine, it's just the link that your hijacker takes you to when you visit your home page or make a search. This is what we're looking for; if it is in there, that's a "dll" to delete. Just keep doing that for the rest and delete them all, and stay in the windows folder and keep refreshing and see if any more get created. And don't forget that log file, it should display the same content as the "dll's". You don't need to use "open with" as it is already a text file, so just click it.
 
If it's the first time you've deleted the "dll" you found at the beginning, then it should make a few more on the fly. Just keep this registry location open, and it should tell you what the new "dll's" that get created are. Do it one at a time: if it changes, search for it in the windows folder and delete, then check back to the registry to see if it creates another. There should be a total of 6 files, 5 dll's and 1 log file. A couple of "dll's" might already be on the PC as explained before, so you can either use the registry to identify them, or you can use the file size and opening in notepad method.
 
If you refresh the registry, it should change to what "dll" is currently in use. And this way we don't have to do guess work or open them up to check in notepad. (maybe I should've said this up earlier, or did I?)
 
Oh heck, I'm tired, give me a break
 
I'll be back to post the popup data and the redirecting issue you still may have, if you ever did have that problem.
Remember, this only fixes the homepage changing itself back to the redirected link the spyware has placed on the system. If you have google as your homepage, or you just go to google and you search for something, a few seconds later, it will redirect you, so, this is what I'm trying to solve. If I find anything I'll be back.
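
The check described in the post above (read the DLL name out of the hijacked Search Bar / Search Page value, then look for same-size files that contain the redirect link) can be scripted as a read-only triage step. This is an added example, not part of the original post; the function names are hypothetical, the sample folder is constructed, and the marker host is the one named in the post.

```python
import re
import tempfile
from pathlib import Path

# Hijacked "Search Bar" / "Search Page" data as quoted in the thread, e.g.
#   res\\Windows\"kvypu.dll"/sp.html#29126   (res://<path>/<resource> also matches)
RES_VALUE = re.compile(r'^res\W+(?P<path>.*?)"?/sp\.html(?:#\d+)?"?$', re.IGNORECASE)


def dll_from_res_value(value):
    """Return the file name a res: value points at, or None if it is not one."""
    match = RES_VALUE.match(value.strip())
    if not match:
        return None
    path = match.group("path").replace('"', "")
    return re.split(r"[\\/]", path)[-1].lower()


def find_lookalikes(folder, reference_name, marker):
    """Same-size files that contain marker (ASCII or UTF-16LE). Read-only."""
    files = [p for p in sorted(Path(folder).iterdir()) if p.is_file()]
    ref = next((p for p in files if p.name.lower() == reference_name.lower()), None)
    if ref is None:
        return []
    size = ref.stat().st_size
    needles = (marker.encode("ascii"), marker.encode("utf-16-le"))
    return [p.name for p in files
            if p.stat().st_size == size
            and any(n in p.read_bytes() for n in needles)]


def demo():
    """Constructed sample folder: three planted files, two decoys."""
    marker = "looksearch.com"            # redirect host named in the post
    def blob(text, size=512):            # pad every sample to a fixed size
        return text.ljust(size, b"\0")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kvypu.dll").write_bytes(blob(b"<a href=http://www.looksearch.com/>"))
        (root / "dsgat.dll").write_bytes(blob(marker.encode("utf-16-le")))
        (root / "wqkmpi.log").write_bytes(blob(b"http://www.looksearch.com/"))
        (root / "legit.dll").write_bytes(blob(b"same size, no marker"))
        (root / "other.dll").write_bytes(blob(b"looksearch.com", size=700))
        name = dll_from_res_value(r'res\\Windows\"kvypu.dll"/sp.html#29126')
        return name, find_lookalikes(root, name, marker)


if __name__ == "__main__":
    print(demo())
```

The script only lists candidates; a same-size file without the marker (legit.dll here) and a marker-bearing file of a different size (other.dll) are both left out, which matches the two-step check in the post.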


25 Posts
Location -
Joined 2004-09-08
Okay, I ran BHODemon, it found cfe32.exe, it fixed it. I reloaded BHODemon, it then changed that file to cfe32.dll. I then deleted it myself, ran it again, then it changed to ntxj32.dll. At this point, I went back into the windows folder to find its file size. I found these files also: keoqrv.dat 91kB, ljxgrj.dat 91kB, psstrh.dat 91kB, xdyroe.dat 91kB.
 
So that would make this new army as follows,
 
ntxj32.dll 91kB
keoqrv.dat 91kB
ljxgrj.dat 91kB
psstrh.dat 91kB
xdyroe.dat 91kB
 
I'm really not sure what's going on, but I do know that BHODemon, is not picking up the main program that's recreating these files, but, do you see the pattern?
After the main exe was found and fixed, it then on the fly created 5 different files again, renamed, and this time the extension has changed also.
 
I think I figured it out.
 
Each time we delete what's picked up, it then creates 11 exe files, I'll explain here. Obviously, we can't keep deleting it this way. So do this. When BHO detects a change after it removes the dll, let's say, ntxj32.dll, don't delete or let it fix it. What we have to do is look for the exe files it created when we deleted the previous dll, so in this case it would be
 
ntar32.exe all these files are 19kB/s in size.
ntan.exe
ntdg.exe
ntjb32.exe
<AND SO ON, SHOULD BE 11 OF THEM>.
 
or any files that have "nt" at the beginning, just like the dll, and that are the same file size. If it's a different file size, don't delete it. But I'm sure there won't be.
 
Now this makes it easier, because not only can we find these files by their file size being the same, but now we also know that it creates exe files with the same 2 letters as the dll, and these exe files are also the same file size, just not the same as the previous post and previous files I deleted. (This guy is smart.) So either order the windows folder by file size, or by name, and find them that way.
 
I think I'm getting closer to what it's actually doing, and how to catch it before it makes these files again in another name, size and extension. But now, at least we can identify it easier as this is the pattern.
 
Once you delete the dll BHO picks up, it will then make another dll in another name and another size as the previous dll we delete, with 11 exe files with the first two letters of that dll it creates.
 
It creates 11 exe files, and lets any spyware detector find the dll, because it doesn't matter if you delete it. The programmer that made this knows that these aren't the files we gotta delete. So I have a theory on this: if I delete these 11 exe files before I delete the dll, then I think it won't occur. If it does, then it is another program that he's got as backup in case someone like me found the pattern. If so, I think I'm (or we're) shit outta luck until some expert can figure this pattern out and find the main program to fix. Even though others have fixed this, there are others that haven't, even after using BHOdemon and everything else possible.
 
Be back if I see something new.


25 Posts
Location -
Joined 2004-09-08
I think I got it.
 
Remember them 11 exe's I said it creates? Well, it doesn't create them first if we delete the dll, it makes dat's. If we delete the dat's it makes exe's. I believe this is to throw us off course. But 11x19=190kB. If you remember, I have left the other exe files that the other dll created on my pc also (because I wasn't sure to delete them). If we go back to the top, we'll see that the total file size of them 4 dat's and 1 dll = 455kB.
The total for those 11 exe's =11x19=190, but because I never deleted the other exe's that were made from the previous dll that was deleted, it will be two sets of exes to each dll now, making it total 380kB. I think we're looking for a file that is 75 kB/s in size. I think this is the main program that's the cause of all the re-creations. I think that if we delete these files, it makes the same files, but with different sizes, names and extensions.
 
I'll be back to post more if I'm right