
About.Blank ?

Discussion in 'Tech Talk' started by Nolyn, Jan 26, 2005.

  1. Nolyn

    Nolyn

    Messages:
    364
    Likes Received:
    0
    Joined:
    Dec 30, 2002
    I've got some spyware type gizmo that keeps replacing my start page with a pseudo search engine results page entitled about.blank. This also throws up a pop-up ad trying to persuade me to buy some software to fix the problem it created.

    I run the latest version of Adaware, but it makes no difference. I also saw in another thread that MS have a product that will fix this annoyance. However, when I go to the MS site the about.blank page pops up and will not let me access MS site. I'm running on ME, so even if I did get on to MS the program would not run on my system.

    Anyone know how to get rid of this thing by accessing/deleting files on my computer ?
     
  2. NetNinja

    NetNinja Always Faithful

    Messages:
    967
    Likes Received:
    0
    Joined:
    Oct 23, 2001
    Location:
    HotLanta, GA
    Oh boy! If you can't access the internet to download any tools you are in trouble unless you can get a buddy to download some tools for you and burn them to a CDrom and install them.

    Did you read the sticky on the top of this forum?

    Adaware is not the only tool to use.
     

  3. pyblood

    pyblood

    Messages:
    499
    Likes Received:
    0
    Joined:
    Dec 22, 2003
    Location:
    Mississippi
    Go to add/remove programs, and remove any programs that you don't recognize.
    Go to start - run - msconfig and uncheck any unrecognized programs that are running.
    Make sure that your spyware program is up to date with the latest defs. Run again. If you can get to downloads.com get spybot, update it and run it too.
     
  4. Nolyn

    Nolyn

    Messages:
    364
    Likes Received:
    0
    Joined:
    Dec 30, 2002
    This thing is getting worse, pops up all the time now.

    I found some solutions on the internet - on the Ad-Aware site forum for one. These require starting the computer in safe mode, but it won't allow me to do that either.

    If I find a better solution I'll post it, in the meantime, here is the one I found
    -----------------
     
  5. pyblood

    pyblood

    Messages:
    499
    Likes Received:
    0
    Joined:
    Dec 22, 2003
    Location:
    Mississippi
    Make sure that your adaware has its updates before running in safe mode, because you can't update in safe mode. Safe mode is the best way to remove spyware. Also, make sure to install spybot and update it as well. Run adaware, and then run spybot. You should be pretty clean after that.
     
  6. Washington D.C.

    Washington D.C.

    Messages:
    5,218
    Likes Received:
    1
    Joined:
    Oct 13, 2003
    Location:
    Woestyn Kusdorp
  7. Washington D.C.

    Washington D.C.

    Messages:
    5,218
    Likes Received:
    1
    Joined:
    Oct 13, 2003
    Location:
    Woestyn Kusdorp
  8. Nolyn

    Nolyn

    Messages:
    364
    Likes Received:
    0
    Joined:
    Dec 30, 2002
    Here is what I found on the Ad-Aware web site forums. Meant to post earlier, but it didn't work.

    I am unable to start in safe mode - more trouble.

    If I find out who created this they will be worm food !
    ===========================================================
    First, download About:Buster from here. Unzip (extract) the zip file....


    Make sure you are connected to the internet still.....

    At the first prompt, hit OK. Click 'Update'. A new screen should popup. On that screen hit 'Check for Updates'. If an update is found, then click 'Download Updates' and then once it has done, exit the program. If it doesn't find any update it will automatically tell you and exit. Either way, the program needs to be exited.

    Now, boot into safe mode. Instructions on how to do so are at :

    http://www.computerhope.com/issues/chsafe.htm

    Once in safe mode, Run HijackThis again, close all open windows, put a checkmark next to the following, and press "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {C92DA44F-9FD6-9036-5C2C-BBF7930B7BA8} - C:\WINDOWS\system32\atlsj.dll
    O4 - HKCU\..\Run: [Ndxbii] C:\WINDOWS\System32\d?dplay.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: (HKLM)
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\sdksd.exe

    Still in safe mode;

    Delete these files:

    C:\WINDOWS\sdksd.exe
    C:\WINDOWS\system32\gfhrn.dll

    Now, still in safe mode, launch AboutBuster(.exe) you had earlier downloaded.

    At the first prompt, hit OK. Now, to scan....Hit 'start' and then 'Ok'. The program should start scanning. (Note: if you receive any prompts about 'terminating explorer.exe', please let it do so - answer YES). Leave it scanning and then restart the computer.

    You'll be back into normal 'Windows' mode. Re-run HijackThis and post a new logfile from it.
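
Added example, not part of the original post or of HijackThis: a small Python parser for log lines in the format quoted above. It groups entries by section code and maps each referenced DLL/EXE to the sections that name it; the helper names (`parse_line`, `summarize`) and the flag labels are hypothetical, chosen for this illustration.

```python
import re

# Sample lines copied from the HijackThis log quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gfhrn.dll/sp.html#28129
O2 - BHO: (no name) - {C92DA44F-9FD6-9036-5C2C-BBF7930B7BA8} - C:\WINDOWS\system32\atlsj.dll
O4 - HKCU\..\Run: [Ndxbii] C:\WINDOWS\System32\d?dplay.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\sdksd.exe
"""

# Section codes that appear in that log and what HijackThis uses them for.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "R3": "URL search hook", "O2": "Browser Helper Object",
            "O4": "autostart entry", "O15": "Trusted Zone site", "O23": "service"}
# Substrings worth flagging, with a hypothetical label for each.
MARKERS = (("res://", "res-url-in-dll"), ("(file missing)", "file-missing"),
           ("(no name)", "unnamed-bho"))
LINE_RE = re.compile(r"^\s*([RO]\d{1,2}) - (.+)$")
# Drive-letter path ending in .dll/.exe; also matches inside res://<path>/page
PATH_RE = re.compile(r"[A-Za-z]:\\[^/\n]*?\.(?:dll|exe)", re.I)

def parse_line(line):
    """Return a dict for one log entry, or None for a non-entry line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, detail = m.groups()
    paths = PATH_RE.findall(detail)
    flags = [label for text, label in MARKERS if text in detail.lower()]
    if any("?" in p for p in paths):  # '?' is not a legal file-name character
        flags.append("unprintable-filename")
    return {"code": code, "section": SECTIONS.get(code, "other"),
            "paths": paths, "flags": flags}

def summarize(log_text):
    """Parse a whole log; map each referenced file to the sections naming it."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    files = {}
    for e in entries:
        for p in e["paths"]:
            files.setdefault(p.lower(), set()).add(e["code"])
    return entries, files

if __name__ == "__main__":
    for path, codes in sorted(summarize(SAMPLE_LOG)[1].items()):
        print(path, sorted(codes))
```
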
     
  9. modgun

    modgun CLM

    Messages:
    245
    Likes Received:
    0
    Joined:
    Nov 15, 2003
    Location:
    Where you live
    This is a bad one, I've worked on it a few times lately. This is not a simple remove. You need to download and run a program called hijackthis. Remove the offending things (if you do not understand the scan report, post it somewhere that people can tell you what to remove) then there is more to it. You need to clean out certain system folders, like system32, I don't remember all the details.

    Start with hijackthis.
     
  10. Sgt. Schultz

    Sgt. Schultz Annoying Member

    Messages:
    2,196
    Likes Received:
    8
    Joined:
    May 21, 2004
    Location:
    West Columbia, South Carolina
    If you are running Windows ME you must disable System Restore completely because the malware will be in the Restore Points. HijackThis is an excellent tool to discover and disable hijackers. A combination of HijackThis and about:Buster works well in removing the about:Blank homepage hijacker.
     
  11. Nolyn

    Nolyn

    Messages:
    364
    Likes Received:
    0
    Joined:
    Dec 30, 2002
    thanks to all for the input
     
  12. Nolyn

    Nolyn

    Messages:
    364
    Likes Received:
    0
    Joined:
    Dec 30, 2002
    It seems like every time I access one of these spyware tool sites the program on my computer hijacks the browser and takes me to 'spyware doctor' page, or a phoney search engine results page that takes me to 'Stopzilla'

    Looks like whoever wrote this program is affiliated with Stopzilla and/or 'spyware doctor'

    Looks like a job for our friends at the FBI
     
  13. Washington D.C.

    Washington D.C.

    Messages:
    5,218
    Likes Received:
    1
    Joined:
    Oct 13, 2003
    Location:
    Woestyn Kusdorp
  14. podwich

    podwich

    Messages:
    4,626
    Likes Received:
    292
    Joined:
    Sep 7, 2000
    Location:
    MI
    Did you ever get it fixed? My brother got the same thing on his computer and has yet to figure it out.
     
  15. Nolyn

    Nolyn

    Messages:
    364
    Likes Received:
    0
    Joined:
    Dec 30, 2002
    No solution here yet.

    This thing has built in protection and won't let me access sites that may have a solution. It also won't allow me to start my computer in safe mode.

    I reported it to the FBI Internet Fraud department. I recommend that everyone report it, then they will track down who is responsible. If you click on the link that pops up telling you that you have an infection it takes you to Stopzilla.com, so I figure that these people must be the people behind it.

    All I can do is wait for AVG, Ad-Aware, or Spybot to come up with a solution. If it gets worse before they find a fix I will just have to rebuild the computer HD from scratch.

    If anyone knows more please let me know.
     
  16. HandyMan Hugh

    HandyMan Hugh NRA Life Member

    Messages:
    3,324
    Likes Received:
    418
    Joined:
    May 17, 2002
    Location:
    Hallstead, PA
    There is hope! I had the same "About Blank" infestation in my computer. A friend of mine who works in IT at a credit union was able to install a couple of programs that finally ferreted out the offending software. The browser hijacker apparently has some intelligence to it and was adapting to some of my tactics to get around it. It was getting quite aggressive. SpyBot is one of the routines my friend installed, along with AVG (an anti-virus program), and Spyware Blaster. I already had a Microsoft anti spyware program (in Beta Test) and Spyware Vanisher. Between all of these we finally managed to rid my machine of its problems.

    I'd like to be able to spend 10 minutes alone in a room with the writer of the "About Blank" routines. He should be handcuffed, and I should have a baseball bat!:soap: :soap: :soap:
     
  17. modgun

    modgun CLM

    Messages:
    245
    Likes Received:
    0
    Joined:
    Nov 15, 2003
    Location:
    Where you live
    Did you run "hijackthis"?
     
  18. podwich

    podwich

    Messages:
    4,626
    Likes Received:
    292
    Joined:
    Sep 7, 2000
    Location:
    MI
    I talked my brother through some stuff over the phone. I had him run NAV, AdAware, SpyBot S&D, CWShredder and HijackThis! (new defs on everything). I ran the programs in safe mode after being unsuccessful in normal mode.

    NAV found nothing, AdAware found stuff related to CWS (which we then had it delete), CWShredder didn't fix it, and Spybot was also unsuccessful.

    Interestingly, the first time starting IE after trying to remove it, IE would start normally. The second time it'd be back to the about:blank.

    We haven't figured it out yet. It's likely he'll end up erasing everything and starting over.

    HijackThis!'s log is attached.