Removing About:Blank

The following programs are all legitimate and safe to use. So, if they are mentioned in any solution, then feel confident about using them:

Adaware
Spybot
Spyware Blaster
SmitRem http://noahdfear.geekstogo.com/ (removal tool for Spyaxe, SpySheriff, etc)
HijackThis http://www.merijn.org/files/hijackthis.zip (essential in finding spyware and trojans)
Ewido http://www.ewido.net/en/download/ (recommended anti-malware/spyware program)
Killbox http://killbox.clickhereformoreinfo.com/ (removes files not able to be deleted)

There are at least six suggested solutions (two are for Win 98) given in this document, plus some hints and tips and comments on which “free” programs are reliable. I suggest you read all the solutions for Win XP/2000 before attempting removal.

Basically, the Trojan works by installing one or several files in your Windows folder. The files are “.dll” types (that is, their names end in the extension .dll). In addition, the Trojan installs many entries in the Registry, and these cause the offending files to be re-created almost as fast as you delete them.

Solutions to about:blank - new advice

Having spent the last 10 hours trying to rid my system of the about:blank problem, I wanted to make a posting for two reasons:

1). The latest version of the tactic seems to have overcome some of the methods that were used to find/fix the problem as it manifested itself previously. In particular there is no longer a section of text in the source of the html page that is of the form "res://", so the technique previously used to un-encode that information is no longer operable (as per Solution 1).

If you look at the registry entries that “HijackThis” identifies, you can find a URL for each of the three bogus entries, and that does yield three downloadable files with names that suggest that they can be used to uninstall the problem. All three files are really the same, and, of course, they do not, in fact, uninstall anything.

Nonetheless, the general trouble-shooting techniques listed at this very helpful site are sound. Finding the bogus dll’s and registry entries is a necessary step to successful eradication.

2). The various 'sponsored' adware/spyware removal tools that you get from a Search may help you find problems related to this one, but removal triggers the need to go from 'free' to 'paid'. Avast seems to have a wonderful business practice in segmenting the marketplace between 'home' and 'business'. Unfortunately, I have W2K Server installed and their installation program refuses to deal with my variant of the OS. Perhaps they make the reasonable assumption that W2K is not usually found in a home -- even a home used as an office by a contractor. With all the layoff activity in Silicon Valley, however, one of the things that frequently happens is that a company going through a layoff or a shutdown sells off its computer assets. That is why there are quite a few 'homes' with W2K Server installed. Perhaps Avast will reconsider the implementation of its policy.

So, the point of this item is simply to relay the fact that even if you are not running XP, it is possible to finally remove all the erroneous 'stuff' with a combination of 'regedit', command line searching in 'safe mode' and the helpful knowledge posted at this site.

As one hint, once you find the 'ID' of the offending software -- one of those imposing strings of random digits that identify 'stuff' in the registry, you can select the string [including the curly brackets] and do a search for it throughout the registry. I think one of the keys to the way that the offending software has managed to become so difficult to eradicate is that it attaches as a 'Search Assistant', but you don't find any helpful 'plain text' showing that -- you will get a 'hit' by searching on the 'ID', so you will know to delete that key-value entry.

###############################

Solution 1. Here is one recommended solution:

· Open your browser so you will see (automatically) the startpage "about:blank"

· Now go UP TOP to the "view source" option of your browser. It will be right on top. Look for a string that looks like this: res://%44%3a%5c%57%49%4e%44%4f%(etc,), highlight and right click and copy, save in word, or Notepad.

· Make a copy of this complete string (control c) and go to: http://www.simplelogic.com/Developer/URLDecode.asp

· Paste the string in here and press on "clean data".

· Now a ***.dll file appears... above, now you see what it is named and what file it is in.

· Go to the directory where it's in (windows/system32) and activate "show hidden files" in this directory.

· Close all applications. Removing the dll file is not possible, but you can rename it, so do that!

· Restart, and ta-daa!
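
The decoding step in Solution 1 can be done offline instead of pasting the string into a web form. The following is an added example, not part of the original post; the sample page source and the DLL name in it are constructed, and `find_res_dlls` is a hypothetical helper name.

```python
import re
from urllib.parse import unquote

# Constructed sample of a hijacked start page's source; the DLL name is made up.
SAMPLE_SOURCE = (
    '<html><body><script>'
    'window.location="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c'
    '%73%79%73%74%65%6d%33%32%5c%67%68%6d%2e%64%6c%6c/sp.html#28965";'
    '</script></body></html>'
)

# A res:// URL runs until whitespace, a quote or an angle bracket.
RES_URL = re.compile(r"res://[^\s\"'<>]+", re.IGNORECASE)
# Everything up to the first ".dll" is the file; the rest is the resource.
DLL_SPLIT = re.compile(r"^(.*?\.dll)(?:[\\/](.*))?$", re.IGNORECASE)


def find_res_dlls(page_source):
    """Return (dll_path, resource) for every res:// URL in the page source."""
    results = []
    for match in RES_URL.finditer(page_source):
        # Drop the scheme, then undo the %xx encoding.
        decoded = unquote(match.group(0)[len("res://"):])
        parts = DLL_SPLIT.match(decoded)
        if parts:
            results.append((parts.group(1), parts.group(2) or ""))
        else:
            # No .dll in the URL: keep the decoded text for manual review.
            results.append((decoded, ""))
    return results


if __name__ == "__main__":
    for dll, resource in find_res_dlls(SAMPLE_SOURCE):
        print("DLL to rename:", dll, "| resource:", resource)
```

Save the real page source from "view source" to a file and pass its contents to `find_res_dlls` to get the path of the file to rename.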

Solution 2. Alternate to about: blank

I attempted many solutions that turned out to be temporary. But now, I'm free at last, thank God I'm free at last from the horror.

The hidden culprit (using Windows XP Pro) that keeps re-infecting the machine is the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You need to remove it. Some folks say to change the registry key value to random characters using the free “reglite” utility (which may work as well) but I removed the key. The value of the key is hidden and causes Windows to load the trojan DLL every time any application is run.

The way to remove the registry key is not obvious. If you just delete it from regedit, the trojan DLL will undo your handiwork. Here's what worked for me:

1. Rename the HKEY_L_M\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

2. Delete the AppInit_DLLs key under the Windows2 folder.

3. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run your favorite spyware/adware utilities such as Adaware 6, CWShredder, and “HijackThis”. I also run Norton Utilities, which helps if you don't trust your instincts for repairing registry files. Remember, I'm not a geek and just want to use computers & software rather than reinvent them from the ground up.

4. Reboot your machine. Your computer should be free at last.
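
The AppInit_DLLs check from Solution 2 and the "search the registry for the ID" hint from the earlier posting can both be run over a text export of the registry. This is an added example, not from the original posts; it assumes a .reg-format export in which the values are visible, and the CLSID, DLL name and function names are constructed for illustration.

```python
import re

APPINIT_KEY = r"\microsoft\windows nt\currentversion\windows"

# Constructed .reg export; the CLSID and the DLL name are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\ghm.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\ghm.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-1111-2222-3333-444444444444}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(raw):
    """Strip the quotes and .reg backslash escaping from a name or string."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\\\', '\\').replace('\\"', '"')

def audit(export_text, clsid):
    """Return (kind, key, value_name, data) for AppInit_DLLs and CLSID hits."""
    findings, key, needle = [], "", clsid.lower()
    for line in export_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            if needle in key.lower():      # the ID is part of the key path
                findings.append(("clsid-key", key, "", ""))
            continue
        value = VALUE.match(line)
        if not (value and key):
            continue
        name, data = unescape(value.group(1)), unescape(value.group(2))
        if name.lower() == "appinit_dlls" and key.lower().endswith(APPINIT_KEY):
            if data.strip():               # any DLL listed here is loaded widely
                findings.append(("appinit", key, name, data))
        elif needle in (key + name + data).lower():
            findings.append(("clsid-value", key, name, data))
    return findings
```

Each finding names a key to review by hand in regedit; the default value (`@`) under `InprocServer32` gives the DLL that the ID points to.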

Solution 3. to about: blank

From cleaning several systems it appears that the names of the garbage .dll files are ALWAYS different, so there is no such thing as a "common" name and there is no point to search for it based on somebody else's findings.

Everything must be done manually (takes about 5 mins total).

The thing is that the .dll which is "responsible" for creating .tmp, .html, registry entries, etc. cannot be deleted or moved without "removing" it from the memory (same thing goes for the "Spybot" programs, they are not able to do it, they do clean the registry and such, but files remain and restore everything after "cleaning"). So, the only thing that can be done is to remove it from the registry start-up "entries" so that next time the OS boots up, it will not "read" the file into the memory as a necessary system process.

In order to do that, look for any .dll files created at the time frame of "infection" in the system32 (or winnt, or windows) and search for them in registry from the beginning renaming them each time it is found by adding a couple of "00" at the beginning of the filename (or end, or something you like, but it is nice to be able to search for them afterwards and delete the keys as well); (for example I search for "ghm" and "ghm.dll" can be renamed to "00ghm.dll"). There can be more than 10 entries (as the hacking programmers are smart people as we are), so just keep on going until ALL entries/keys/values are renamed (not deleted). Reboot at once, after the reboot, attempt to delete those .dll files; if they are possible to delete, your PC is "cured" - till next time. -:)

You may delete the "HKEY_USERS\blahblahblah_NUMBERS\Software\Microsoft\Internet Explorer\Main" key to start "fresh" and change all the settings from default to whichever you like. And you can run spybot programs to prevent (some of) the "intrusions" in the future.

PS: I could be more detailed, but it is supposed to be a little hint on how to fight the software with naked hands ;)

PSS: Forgot to mention the “Temp” directory must be cleared after reboot as well. And if it is not helping, start over with a different .dll name (add another 5 minutes). -:)

Solution 4. to about: blank (Win 98)

Here is how to remove about:blank in Windows 98:

This technique uses a scalpel, not a machete. No essential system files will be accidentally deleted. The task is to find the hidden file that regenerates the CWS infection after CWS Shredder, Adaware, Spybot, and “HijackThis” have removed the visible symptoms.

1. Make sure that Windows Explorer is set to display all hidden and system files: go to Tools > Folder Options > View and click the button for Show All Files.

2. Run Adaware. Make sure you instruct it to scan your \Windows, \Program Files, and \My Documents folders. Then run Shredder. Remove every suspicious thing they find.

3. Next take your computer offline — unplug your modem, whatever. No Web connection.

4. Run the Windows utility "System Information." It's on your Start Menu under System Tools, or just click Start>Run and on the command line type msinfo32.

5. Expand the Software Environment section, and select System Hooks.

6. If you are infected with CWSearchx, you will see a suspicious file there. Hook type "Windows Procedure." File name will be a nonsense string of characters, ending in .dll. The dll Path will be \Windows\System. WRITE THE NAME OF THIS FILE DOWN.

7. Close MS Info. Open Windows Explorer, go to \Windows\System and look for this file. IF YOU CAN SEE IT, IT'S THE WRONG FILE. But if you can't see it, this is the one.

8. Shut down, and reboot into Command Prompt Safe Mode. On the C:\ command line, type cd\Windows\System.

9. Once inside \Windows\System, type dir, a space, and the name of the file you wrote down. (like this: dir ghyth.dll). When the file shows up, take a look at its size. It will probably be 57,344 bytes.

10. Type ren, a space, and the name of the file you wrote down, and then a new name for the file. (like this: ren ghyth.dll ghyth.bob). Make sure you change the extension of the file from .dll to something else. Do not delete the file.

11. Restart your computer in Windows Safe Mode. Windows may complain that it can't find the .dll, but click OK and keep going.

12. Once in Safe Mode, run Adaware again. This time it will find the renamed file in your System folder and will identify it as CWS. If it does, have Adaware delete it.

13. Run Shredder, Spybot, and “HijackThis” for good measure. Clean house.

14. Reconnect your Internet connection and restart Windows normally. Reset your IE home page to whatever you want. You're done.

Solution 5. to about: blank (Win 98)

For Win98 users, this is how I did it. For the moment I can say I am free from about:blank.

Restart your computer and don't open Internet Explorer.

1) I go to registry and search for sp.html. (Start>Run>type "Regedit")

2) Try to look for the .dll just before the sp.html (ctrl+f)

eg: c:/windows/system/tllib.dll\sp.html#28965

Don't delete it as it is no use to do it as each time you open IE, this key will be restored.

3) Go to Start>Find/Files or Folder, type in the filename.

4) Open it using Notepad. Save it as a tllib.Bob.txt (for safety purpose).

5) If you can see the Java script, delete all the Java script ONLY. If not mistaken it will be after the . Save it as tllib.dll . Then the Home Search startup page is gone.

6) Download DllCompare.exe (search for it on the internet) and run it. Click Run Locate.com . Then click Compare. You will see the .dll files that do not belong to Windows listed in the lower window. My scan is apiyt32.dll and tllib.dll.

7) Open the other file using step (3) and step (4). (Remember to save as different name for safety purpose)

8) I think your computer will prompt you that it is too large to open with Notepad and recommended you to open it with Wordpad. Click yes.

9) You will see code that you will not be able to read. Type anything (eg: dsagdsgdfgfdsg) at the beginning and add "sagftsvsafd" (or anything) to each single line to mess up the code. Save it as apiyt32.dll.

10) Go to the registry again and search for the other file (apiyt32.dll). Press F3 to find next until you see it stop at the "Doc Find Spec MRU" folder under the "Explorer" folder. I suspect this is how the spyware reinstalls itself each time you delete its .dll files and delete or rename its key in the registry.

11) Try to search for every single name in the Data column using Start>Find>Files or Folders. When you see the search result appear to be in the Temporary Internet Files folder, delete the whole file. (You will not be able to see this folder using normal Explorer.)

12) Modify all Data by adding something in front (eg: oxmzo9an to BOBoxmzo9an). Just right click the Name (eg: a) and select modify.

13) Empty the recycle bin and restart your computer.

Hope my way works for some of you who are unable to use Rick's method (because unable to see the res://%43%3a%5c....)

Solution 6. to about: blank (professional)

I am a professional technician who disinfects this virus (which is what I consider this) about 4-5 times a week. Here is what I have found:

I agree with the person who said forget about the normal scanners. Spybot, Adaware, Spy Sweeper, any commercial Antivirus program. They are powerless against this insidious beast. There are many variants of this so there is no one size fits all: