about:blank homepage HIJACK!

[mrp04]

It keeps coming back, i delete it and clear everything, run spyware checks and clear my cookies and temp internet files. After 10 minutes, ITS BACK! It takes over the about:blank and turns it into some crappy search engine and keeps setting the homepage to about:blank. And the CRAPPY search engine pop's up dumb windows saying SPYWARE DETECTED BUY THIS DUMB PIECE OF **** TO REMOVE! and you just know it is them who are making the damn ads pop-up!

[Judge Verbose]

I had this problem once before. It is normally spyware or some plugin you installed(or your isp install software). Check if you downloaded any online game plugins recently.

[Rob2687]

disable system restore and run spybot or adaware

[swordsman74]

A quick web search on Google for "about:blank" and "spam" found this:

http://www.experts-exchange.com/Operating_...Q_20958699.html

You should be able to find your solution somewhere in there...

Good luck!

[Biohazord]

cwshredder google it. Fast and easy way to get rid of broswer highjacking.

[zhangm Supervisor]

You can go download Hijack This (Google for it), and post your log here. Someone will be along to tell you what to remove.

[mrp04]

1) Nope i didnt install anything

2) Already Did

3) You have to pay for Experts-Exchange

4) Didnt find anything

5) Used it, found some stuff, still is here

[Biohazord]

1) Nope i didnt install anything

2) Already Did

3) You have to pay for Experts-Exchange

4) Didnt find anything

5) Used it, found some stuff, still is here

http://www.spywareinfo.com/~merijn/cwschronicles.html

Scroll to the bottom of the page and you will find it.

[Primalgoo]

OK guys.. I work with computers all day professionally... WE got in a @$$load of computers today with this problem and I can tell you what it is... But I'm still workin on a way to REMOVE it permanently.. You've got one of the Downloader.*** viruses... Now I could remove it with AVG EVERY F'N time, but as soon as you restart the computer it reinstalles itself silently... So as of right now I know of no way to remove it ... That's even with the newest virus definitions... I'll try to keep you guys updated if I figure it out... But I was wrestling with it at work all day... heheh IT's a total BIACH !!!

- Primalgoo :alien:

[zhangm Supervisor]

5) Used it, found some stuff, still is here

Mind if you actually posted the log here?

[mrp04]

Dont have it anymore :no:(the log). But i think i got rid of it, there were some files in the system32 folder that i deleted, then i ran spybot, then i ran ad-aware, then i cleared my cookies and temp internet files, then in this one registry editor i deleted the thing that has oldstartpage. i think it is gone ill tell if it comes back! :angry:

[LOC Veteran]

This is a new variant, extremely hard to get rid of. I don't think many people have had success in getting rid of it yet, spyware forums are buzzing with this one.

[em_te]

3) You have to pay for Experts-Exchange

Pay? Maybe only to remove ads and to access search facilities. You can still browse for free. You can see all the suggested answers near the bottom of that page. To see the official solution you have to sign up which is free.

[Hawkeye]

Ok. I actually had this nasty bugger for about 2 weeks abefore I finally, finally removed it permanently. If you look on that Merijn.org page with the various CoolWebSearch variants, you in all likelihood have the toughest and most annoying one of them all, #39, RealYellowPage. That is the same one that I had, and it is the biggest pain the rear to remove! CWShredder does a fine job of removing the secondary DLL file responsible for it, but it will not remove the primary one.

Here is what your case probably looks like:

-your homepage is about:blank

-instead of being the real about:blank, you actually have a search-type thing that links to searchx.cc

-after scanning with Ad-Aware, Spybot, HiJack This, and CWShredder, it seems to have been removed

-after some randomly determined period of time, your IE homepage will once again be reset to about:blank, and the problem will come back once again to haunt you

For now, I'm not going to give you full instuctions on how to remove it, because you may not need them. In your last post, you say that it is gone. If it stays gone for over 24 hours, I can say that you are rid of this nasty trojan.

If it comes back, I will explain to you how to remove it, step-by-step, and you should also print out the instructions, as you will need to have IE closed for it.

[acedriver]

If it comes back, I will explain to you how to remove it, step-by-step, and you should also print out the instructions, as you will need to have IE closed for it.

Just post it here.. for the rest of us.. for future reference.. :yes:

[mrp04]

It is gone, i keep checking my System32 folder and nothing is coming. Gota do everything at once without even opening and web browser during doing everything.

1) Remove new DLL's in your System32 folder (dated to when problem started)

2) Run Ad-Aware

3) Run Spy-Bot

4) in the registry delete OldStartPage and StartPage

5) Run HijackThis and delete everything suspecious

I think it is gone now been over 12 hours and no homepage change or dumb search thing!

[mrp04]

It is BACK! post what to do to get rid of please

[CoolCatBad]

What is the name of the Search page you are getting as startpage?

Also have a look here-

http://www.softpedia.com/public/cat/1/1-110.shtml

[Etc.]

Stop using IE, that's how to get rid of it. lol.

[GrandMaster]

2 words: bazooka scanner

[Hummer]

yeah that's the search page that keeps coming back? really each one is all different.

[mrp04]

I use windows xp (for the person who gave me the download link to a remover thing). The search is CWSearch, I know, I know Cool Web Search. Do those people even get money, or do they just like to annoy people!?!? :angry: :angry: :angry: :angry: :angry: :angry: :angry:

[skiiper]

I had this problem for a while before. Its called CoolWebSearch searchx (CWS.searchx) head over to this site and read the instructions in response number 6. i did what it said, and it worked. let me know what happens!http://www.computing.net/security/wwwboard/forum/11527.html

[Hawkeye]

mrp04, you should be able to follow ice87's instructions from his last post, but the following will also work (I know because it worked for myself and two others with this problem).

Print out the following instructions to make it easier to walk through them.

You will need several things to get rid of it:

1. a Registry editor, such as REGEDIT or Registrar Lite, which are both mentioned below

2. CWShredder, which can be found on the site posted earlier in this thread

3. HiJack This

4. your Windows XP CD

5. Ad-Aware (optional)

I hope you still have your Windows XP CD available somewhere, as you will need it for this procedure. If not, you will need to access the Recovery Console either via floppy disks or by installing it.

Anyway, here we go.

Now, you can do this using the regular Windows Registry Editor (REGEDIT), but I believe it will be easier to do this using a freeware program called Registrar Lite, which you can download from its official website.

Navigate to the following location in your Registry (In Registrar Lite, you can just copy it into the Address Bar and hit Enter):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Locate the key named AppInit_DLLs. Now, here is why I suggest Registrar Lite over REGEDIT. REGEDIT may or may not display the proper information in it when you open this key; Registrar Lite will display the proper information. If you have the CoolWebSearch trojan (and we have determined that you do already), you will see the address to a DLL file that you will be unable to locate using any method within Windows, but it does exist. This is the primary DLL file that you must remove in order to be rid of this nasty trojan, and it is this DLL file which randomly recreates the secondary DLL file that is actually identified under a different filename with each recurrence and each subsequent removal. Once you remove the primary DLL, you can safely remove everything else associated with it once and for all.

Now, write down the path of the DLL file that is specified in the AppInit_DLLs key. There may be periods in between the characters which can be ignored (except the period separating the filename and extension of the DLL file). This is the DLL file which you must remove using the command line in Recovery Console.

Now, you may run CWShredder followed by HiJack This and fix the lines that point to the DLL file with the strange filename. After this, reboot your computer with the Windows XP CD in your CD drive.

Boot from the CD. When you reach the Welcome to Windows Setup screen, just press the "R" key to access the Recovery Console. Choose which Windows installation you want (probably the first one), and then type in your Administrator password (if you have one).

You will then be given a command prompt. Now manually navigate to the folder with the DLL file that you wrote down earlier (the one found in the AppInit_DLLs key). It was probably in your System32 directory, so you can get there by typing cd c:\windows\system32 at the prompt. You can verify the DLL file's existence using the DIR command if you wish, but it is unnecessary.

Here is the most important part. The file is both a system file and a hidden file, so you must remove these attributes from the file. Type in attrib -s -h filename.dll, where "filename" is the name of the DLL file, which is different on each system. This will remove the hidden and system attributes from the file, which will now allow you to delete the file. Type in del filename.dll, where "filename" is the same name you typed in for the previous command above.

The primary filename is now deleted, and the biggest culprit in the whole mess with this trojan is now gone. You may reboot your computer back into Windows.

I recommend running a scan with Ad-Aware to remove an last remnants of the CoolWebSearch trojan, if there are any left, followed by another scan with CWShredder and HiJack This.

Having followed all the instructions in this post, you will be permanently rid of the CoolWebSearch trojan. You may reset your homepage in Internet Explorer to whatever you like now. It will stay that way.

[rock8628]

start -> run -> regedit

HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/INTERNET EXPLORER/MAIN

they keys u gotta edit r there.... they will say about:blank or sp.html

whereever the about:blank is change it to the address u want

whereever the sp.html is delete it

[rock8628]

start -> run -> regedit

HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/INTERNET EXPLORER/MAIN

they keys u gotta edit r there.... they will say about:blank or sp.html

whereever the about:blank is change it to the address u want

whereever the sp.html is delete it

thats wah i did today n its workin soo :p