jaerob (United States of America) asked:
CoolWebSearch / about:blank

Hi there. I'm running Windows XP Pro and have the "CoolWebSearch / about:blank" problem.
I was able to follow the 2nd part of the instructions pasted below from a previous post, but not the 1st part involving Reglite.exe. (I did not see "AppInit_DLLs" in the list and was therefore unable to delete the "hidden dll".)
Please help me with this. I urgently need my machine and my browser is still hijacked. Thanks. - Julius
Here's the pasted previous post...

-------------------------------------------------------------------------------------------------------------------------------------

Accepted Answer from knoxj81
Date: 01/11/2005 10:13AM PST
Grade: B


FYI/: About:Blank can't be detected by hijack this due to the hidden feature it uses to bypass detection. So if M$ tool doesn't do the trick, be sure to:

1) turn off system restore (xp users)

2) Follow these directions: ( http://www.securiteam.com/securityreviews/5RP0L0UD5U.html )

Programs Needed:
 * Reglite.exe

 * Microsoft Recovery Console (an application available on your Windows installation disc). To access the recovery console run the following command: D:\i386\winnt32.exe /cmdcons
(Where D should be replaced with the CD drive letter)

 * HiJackThis.exe

Removal Procedure:
There are two application extensions (.dll) files that Need to be deleted. One is hidden (thanks Akadia!), one is detected with "HiJackThis.exe"

1) With "Reglite.exe" find name of hidden file:
Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\ The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete) If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.

2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console"
Browse to the system32 directory located at: C:\Windows\system32\
Replace this path with your system32 dir. In order to know your system32 run cmd and type:
echo %WINDIR%\System32

After finding your system32 directory do the following:
a) Change file from read only by typing attrib -r hidden.dll
b) Rename the file (For some reason this only works after rename) type: rename hidden.dll nasty.dll
(and remember that "hidden.dll" is for this explanation only use the name you found earlier)
Type "exit" and reboot to Windows.

3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double Click on "AppInit_DLLs" located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\
Delete the file in "value" window, the "size" window changes also.
"Apply" changes and exit "reglite.exe"

4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
(as you can see the second .dll in the example was called "jheckb.dll" yours may be different) For this example let's call it "obvious.dll".

* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second dll, in this example jheckb.dll.

Finally delete the two .dlls ("hidden.dll" and "obvious.dll")

That's it! You should be running again
-----------------------------------------------------

Good Luck,

Jordan

 
blue_zee (Portugal):


Try AboutBuster:

http://www.downloads.subratam.org/AboutBuster.zip

Download, unzip, UPDATE and run at least twice.

Zee
jaerob (asker):

Hi Zee. I tried this, but I still have the problem. Thanks anyway though.   :)
Tolomir:
Have you tried the latest version, AboutBuster 4?

http://www.besttechie.net/forums/index.php?showtopic=1488

With Tutorial

Tolomir
And this is for CoolWebSearch:

http://www.intermute.com/products/cwshredder.html

CWShredder™ finds and destroys traces of CoolWebSearch. CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.


Tolomir


>>I did not see "AppInit_DLLs" in the list and was therefore unable to delete the "hidden dll"<<

Download RegistrarLite and use it for that:

http://www.resplendence.com/download/reglite.exe

Website for that tool:

http://www.resplendence.com/reglite

Zee
jaerob (asker):

Hi Tolomir. Yes I did try aboutBuster4 and the latest version of CWShredder. aboutBuster4 was unable to correct the problem. CWShredder identified the threat as CWS.HomeSearch, but was unable to get rid of it. By the way. Forgive me for posting two questions on the same issue. (https://www.experts-exchange.com/questions/21408572/Security-Cool-Web-Search-and-about-blank-problem.html) I thought that I may have been too confusing the first time. I'll be glad to delete one of these if you like. Thanks!

Hi blue_zee. I'll try to be clearer this time. When I used reglite.exe and drilled down to the directory in the post above, I did not see "AppInit_DLLs" which was referred to in the post: "Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\ The "value" window reveals the hidden file name." Thanks!

Here is another website with removal instructions:

http://www.pchell.com/support/aboutblank.shtml

But I believe you're doing something wrong along the way not to see those registry entries.

Maybe worth a careful retry.

Zee
ASKER CERTIFIED SOLUTION
blue_zee (Portugal):
jaerob (asker):

Hi blue_zee. AdwareAway was unable to correct it. I tried Reglite again but still could not find "AppInit_DLLs" in the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" directory. Since I can't find this entry, i can't follow the procedure on the PCHell site page you recommended. Here are the entries I do see at that location:
1. (default)
2. DeviceNotSelectedTimeout
3. GDIProcessHandleQuota
4. Spooler
5. swapdisk
6. TransmissionRetryTimeout
7. USERProcessHandleQuota

I did a search for "AppInit_DLLs" in RegLite and found it in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows. Something tells me this is altogether different though. Am I missing something? What next?

Well, you may be facing a reinstall of Windows.

Let's wait and see if someone else has new ideas.

At the moment, I haven't.

Back as soon as I do some more work on this.

Zee
jaerob (asker):

Cool... By the way...

Here's the latest:
I've tried CWShredder and it identified the problem as: CWS.HomeSearch but was unable to fix it.
SpyBot S&D removed some lesser threats, but not the primary one. --> ("about:blank" in the IE address bar and a Quick Web Search form with a fake IE logo)

AdAware SE Personal also removed some lesser threats, but not the primary one.

I downloaded the latest version of HiJackThis, ran a scan, removed all the "nasty" threats, but the primary issue returned.

Here's the URL to my latest HijackThis analysis file:
http://www.hijackthis.de/logfiles/7bb3a8bae29602e19f5f638830ef93a5.html

Thanks so much for your help thus far.   :)

Download KillBox:

http://www.scancomplete.com/download/killbox.php

Unzip it.

Restart in Safe Mode, turn off System Restore:

http://www.pchell.com/virus/systemrestore.shtml

and run HJT again.

Besides the recurring entries that should be fixed, fix these along:

O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [crhr.exe] C:\WINDOWS\crhr.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ieee.exe (file missing)

Immediately after fixing, launch KillBox, select "Delete on reboot", and in the "Full Path of File to Delete" place:

C:\WINDOWS\addzd32.exe (and click the red circle with the white X), and now place
C:\WINDOWS\crhr.exe (and click the red circle with the white X)

Close KillBox.

Empty your recycle bin, cleanup your temp folders and IE cache.

Restart your PC and test.

Post back the results.

Zee

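As an added example (not code from any poster in this thread or from HijackThis), here is a small Python script that does offline what the posts above do by hand: it walks HijackThis-style log lines and flags the markers of this hijacker that the thread points at, namely R0/R1 entries whose start or search page is served out of a DLL via res://, an about:blank home page, O23 services with an unknown owner and a missing binary, and it collects the DLL names those res:// entries expose so they can be matched against AppInit_DLLs. The sample log is constructed for the example, modelled on the entries quoted in the thread; the "autostart directly in the Windows folder" rule for O4 lines is my own triage heuristic, not something the thread states, and the AppInit_DLLs helper only splits a value string you read out of the registry yourself.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log, modelled on the HijackThis entries quoted in this thread.
# The file names come from the thread; the log itself is made up for the example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [crhr.exe] C:\WINDOWS\crhr.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service - Unknown owner - C:\WINDOWS\ieee.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.+)$")
RES_DLL_RE = re.compile(r"res://(?P<path>[^/]+\.dll)", re.IGNORECASE)


def parse_hjt(text):
    """Turn HijackThis-style lines into dicts (kind, key, value, line)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind.startswith("R") and " = " in rest:
            key, value = rest.split(" = ", 1)  # registry value name = data
        else:
            key, value = rest, ""
        entries.append({"kind": kind, "key": key, "value": value, "line": raw.strip()})
    return entries


def triage(entries, windir=r"C:\WINDOWS"):
    """Flag the markers of the about:blank / CWS hijack described in the thread."""
    findings = []      # (log line, reason)
    hijack_dlls = set()  # DLLs that IE pages are being served from
    for e in entries:
        kind, key, value, line = e["kind"], e["key"], e["value"], e["line"]
        if kind in ("R0", "R1"):
            m = RES_DLL_RE.search(value)
            if m:
                dll = PureWindowsPath(m.group("path")).name.lower()
                hijack_dlls.add(dll)
                findings.append((line, f"IE page served from DLL resource {dll}"))
            elif value.strip().lower() == "about:blank":
                findings.append((line, "about:blank set as home/search page"))
        elif kind == "O4":
            m = re.search(r"\]\s*(?P<path>.+?)\s*$", key)
            if m:
                p = PureWindowsPath(m.group("path"))
                # Heuristic (mine, not from the thread): an autostart binary sitting
                # directly in the Windows folder rather than a subfolder deserves a look.
                if str(p.parent).lower() == windir.lower():
                    findings.append((line, f"autostart {p.name} runs directly from {windir}"))
        elif kind == "O23":
            if "(file missing)" in key and "Unknown owner" in key:
                findings.append((line, "service with unknown owner and missing binary"))
    return {"hijack_dlls": hijack_dlls, "findings": findings}


def appinit_dlls(value):
    """Split an AppInit_DLLs value (as read from HKLM\\...\\Windows NT\\CurrentVersion\\Windows)
    into DLL file names. The value is empty on a clean Windows XP; anything listed is loaded
    into every process that links user32.dll, which is why the hijacker hides its DLL there."""
    return [PureWindowsPath(p).name for p in re.split(r"[,\s]+", value) if p.strip()]


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_LOG))
    for line, reason in result["findings"]:
        print(f"{reason}: {line}")
    print("DLLs to look for in AppInit_DLLs and on disk:", sorted(result["hijack_dlls"]))
    print("Constructed AppInit_DLLs value parses to:", appinit_dlls(r"C:\WINDOWS\system32\hlpl.dll"))
```

Run it against a real saved HijackThis log by passing the file contents to parse_hjt; the DLL names it returns are the ones to compare with the AppInit_DLLs data and with what is actually on disk in system32.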
Oops..

Correction, first cleanup then empty recycle bin.

Zee

;-)

Great!

Thanks.

Zee

jaerob,

Could you please do me (us?) a small favour?

Do a new scan with HJT and post a LINK to your saved analysis.

Just wondering how it will show up after that successful cleanup.

Thanks again!

Zee