jaerob
asked on
CoolWebSearch / about:blank
Hi there. I'm running Windows XP Pro and have the "CoolWebSearch / about:blank" problem.
I was able to follow the 2nd part of the instructions pasted below from a previous post, but not the 1st part involving Reglite.exe. (I did not see "AppInit_DLLs" in the list and was therefore unable to delete the "hidden dll".)
Please help me with this. I urgently need my machine and my browser is still hijacked. Thanks. - Julius
Here's the pasted previous post...
--------------------------------------------------
Accepted Answer from knoxj81
Date: 01/11/2005 10:13AM PST
Grade: B
Accepted Answer
FYI: About:Blank can't be detected by HijackThis due to the hidden feature it uses to bypass detection. So if the M$ tool doesn't do the trick, be sure to:
1) turn off system restore (xp users)
2) Follow these directions: ( http://www.securiteam.com/securityreviews/5RP0L0UD5U.html )
Programs Needed:
* Reglite.exe
* Microsoft Recovery Console (an application available on your Windows installation disc). To access the recovery console run the following command: D:\i386\winnt32.exe /cmdcons
(Where D should be replaced with the CD drive letter)
* HiJackThis.exe
Removal Procedure:
There are two application extension (.dll) files that need to be deleted. One is hidden (thanks Akadia!), one is detected with "HiJackThis.exe".
1) With "Reglite.exe" find name of hidden file:
Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete) If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.
2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console"
Browse to the system32 directory located at: C:\Windows\system32\
Replace this path with your system32 dir. In order to know your system32 run cmd and type:
echo %WINDIR%\System32
After finding your system32 directory do the following:
a) Change file from read only by typing attrib -r hidden.dll
b) Rename the file (For some reason this only works after rename) type: rename hidden.dll nasty.dll
(and remember that "hidden.dll" is for this explanation only use the name you found earlier)
Type "exit" and reboot to Windows.
3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double Click on "AppInit_DLLs" located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
Delete the file in "value" window, the "size" window changes also.
"Apply" changes and exit "reglite.exe"
4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
(As you can see, the second .dll in the example was called "jheckb.dll"; yours may be different.) For this example let's call it "obvious.dll".
* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second dll, in this example jheckb.dll.
Finally delete the two .dlls ("hidden.dll" and "obvious.dll")
That's it! You should be running again
--------------------------------------------------
Good Luck,
Jordan
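The quoted instructions hinge on what the AppInit_DLLs value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows contains, and the asker's difficulty is not finding it there. An offline way to check that load point is to export the two keys with regedit (File > Export) and run the script below over the .reg file. This is an added example written for this thread; it is not part of the original post, of Reglite, of HijackThis or of any tool named here. It parses the export, reports the AppInit_DLLs data at the real load point, and separately recognises the entry under IniFileMapping\win.ini\windows that the asker's search turned up, which is only the mapping that redirects win.ini reads into the registry and does not load anything itself. The two exports embedded in the script are constructed samples, and "hidden.dll" is the placeholder name from the quoted post.

```python
"""Check a regedit .reg export for the AppInit_DLLs load point.

Added example for this thread, not part of the original post or of Reglite,
HijackThis or any other tool named in it. The sample exports are constructed.
"""
import re
from typing import Dict, List, Optional

# The key the quoted instructions refer to: DLLs listed here are loaded by
# user32.dll into every process that loads user32 (the real load point).
LOAD_POINT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Keys under IniFileMapping only redirect win.ini reads into the registry; an
# AppInit_DLLs value there names the load point, it does not load DLLs itself.
INI_MAPPING_MARK = "\\IniFileMapping\\"

# Constructed sample: the values the asker lists under the load point, plus the
# mapping entry the asker's search found. No AppInit_DLLs at the load point.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
@=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\windows]
"AppInit_DLLs"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Windows"
"""

# Constructed sample of the situation the quoted post describes: AppInit_DLLs
# at the load point names a DLL ("hidden.dll" is the post's placeholder name).
SAMPLE_INFECTED = SAMPLE_CLEAN.replace(
    r'"Spooler"="yes"',
    r'"Spooler"="yes"' + "\n" + r'"AppInit_DLLs"="C:\\WINDOWS\\System32\\hidden.dll"',
)

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_DEFAULT_RE = re.compile(r'^@=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}}. String data is unescaped; other
    kinds (dword:, hex:) are kept as the raw text after '='."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            name, data = _unescape(m.group(1)), m.group(2)
        else:
            m = _DEFAULT_RE.match(line)
            if not m:
                continue
            name, data = "(default)", m.group(1)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def audit_appinit(keys: Dict[str, Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Locate every AppInit_DLLs value and record which role its key plays."""
    report: Dict[str, Optional[str]] = {"load_point": None, "ini_mapping": None}
    for key, values in keys.items():
        for name, data in values.items():
            if name.lower() != "appinit_dlls":
                continue
            if key.lower() == LOAD_POINT_KEY.lower():
                report["load_point"] = data
            elif INI_MAPPING_MARK.lower() in key.lower():
                report["ini_mapping"] = data
    return report


def loaded_dlls(export_text: str) -> List[str]:
    """DLL paths that the load point would inject; empty means it is clean."""
    value = audit_appinit(parse_reg(export_text))["load_point"]
    if not value:
        return []
    # the value is a space- or comma-separated list of paths
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        report = audit_appinit(parse_reg(text))
        print(f"{label}: load point = {report['load_point']!r}, "
              f"ini mapping = {report['ini_mapping']!r}, dlls = {loaded_dlls(text)}")
```

On a real export an empty result from `loaded_dlls` means the instructions' step 1 has nothing to remove at that key, which is consistent with the list of seven values the asker reports seeing; the mapping entry found by searching is reported separately so it is not mistaken for the load point.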
ASKER
Hi Zee. I tried this, but I still have the problem. Thanks anyway though. :)
Have you tried the latest version, AboutBuster 4?
http://www.besttechie.net/forums/index.php?showtopic=1488
With Tutorial
Tolomir
And this is for CoolWebSearch:
http://www.intermute.com/products/cwshredder.html
CWShredder™ finds and destroys traces of CoolWebSearch. CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.
Tolomir
>>I did not see "AppInit_DLLs" in the list and was therefore unable to delete the "hidden dll"<<
Download RegistrarLite and use it for that:
http://www.resplendence.com/download/reglite.exe
Website for that tool:
http://www.resplendence.com/reglite
Zee
ASKER
Hi Tolomir. Yes I did try aboutBuster4 and the latest version of CWShredder. aboutBuster4 was unable to correct the problem. CWShredder identified the threat as CWS.HomeSearch, but was unable to get rid of it. By the way. Forgive me for posting two questions on the same issue. (https://www.experts-exchange.com/questions/21408572/Security-Cool-Web-Search-and-about-blank-problem.html) I thought that I may have been too confusing the first time. I'll be glad to delete one of these if you like. Thanks!
Hi blue_zee. I'll try to be clearer this time. When I used reglite.exe and drilled down to the directory in the post above, I did not see "AppInit_DLLs" which was referred to in the post: "Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ The "value" window reveals the hidden file name." Thanks!
Here is another website with removal instructions:
http://www.pchell.com/support/aboutblank.shtml
But I believe you're doing something wrong along the way not to see those registry entries.
Maybe worth a careful retry.
Zee
ASKER CERTIFIED SOLUTION
ASKER
Hi blue_zee. AdwareAway was unable to correct it. I tried Reglite again but still could not find "AppInit_DLLs" in the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" directory. Since I can't find this entry, I can't follow the procedure on the PCHell site page you recommended. Here are the entries I do see at that location:
1. (default)
2. DeviceNotSelectedTimeout
3. GDIProcessHandleQuota
4. Spooler
5. swapdisk
6. TransmissionRetryTimeout
7. USERProcessHandleQuota
I did a search for "AppInit_DLLs" in RegLite and found it in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows. Something tells me this is altogether different though. Am I missing something? What next?
Well, you may be facing a reinstall of Windows.
Let's wait and see if someone else has new ideas.
At the moment, I haven't.
Back as soon as I do some more work on this.
Zee
ASKER
Cool... By the way...
Here's the latest:
I've tried CWShredder and it identified the problem as: CWS.HomeSearch but was unable to fix it.
SpyBot S&D removed some lesser threats, but not the primary one. --> ("about:blank" in the IE address bar and a Quick Web Search form with a fake IE logo)
AdAware SE Personal also removed some lesser threats, but not the primary one.
I downloaded the latest version of HiJackThis, ran a scan, removed all the "nasty" threats, but the primary issue returned.
Here's the URL to my latest HijackThis analysis file:
http://www.hijackthis.de/logfiles/7bb3a8bae29602e19f5f638830ef93a5.html
Thanks so much for your help thus far. :)
Download KillBox:
http://www.scancomplete.com/download/killbox.php
Unzip it.
Restart in Safe Mode, turn off System Restore:
http://www.pchell.com/virus/systemrestore.shtml
and run HJT again.
Besides the recurring entries that should be fixed, fix these along:
O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [crhr.exe] C:\WINDOWS\crhr.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ieee.exe (file missing)
Immediately after fixing, launch KillBox, select "Delete on reboot", and in the "Full Path of File to Delete" place:
C:\WINDOWS\addzd32.exe (and click the red circle with the white X), and now place
C:\WINDOWS\crhr.exe (and click the red circle with the white X)
Close KillBox.
Empty your recycle bin, cleanup your temp folders and IE cache.
Restart your PC and test.
Post back the results.
Zee
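The quoted removal procedure (find the DLL named in the res:// search-page entries, then fix every entry that mentions it) and Zee's follow-up (fix the O4 autorun and the O23 service with the missing file, then hand the files to KillBox for delete-on-reboot) can be mechanised as a triage pass over a HijackThis log. The script below is an added example written for this thread; it is not the asker's log, not part of HijackThis or KillBox, and the log lines it embeds are constructed after the entries quoted above, with a few benign-looking lines mixed in so the filtering is visible. Two choices are assumptions made for the example: an O4 entry is treated as suspect when its executable sits directly in the Windows directory rather than in system32, as both of Zee's entries do, and an about:blank value is only put up for review because it can also be a legitimate start page.

```python
"""Triage a HijackThis-style log the way the thread does it by hand.

Added example for this thread; not the asker's log and not part of
HijackThis or KillBox. SAMPLE_LOG is constructed after the quoted entries.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [crhr.exe] C:\WINDOWS\crhr.exe
O23 - Service: Network Security Service (11Fßä) - Unknown owner - C:\WINDOWS\ieee.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
""".strip().splitlines()

R_RE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
RES_DLL_RE = re.compile(r"res://(.+?\.dll)", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
# Assumed heuristic for this example: an autorun executable dropped directly in
# the Windows directory (not in system32) is treated as suspect, as both of the
# O4 entries Zee quoted are.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Return the hijacker DLLs, the log lines to fix, lines to review, and
    the file paths to hand to a delete-on-reboot tool."""
    dlls = set()          # DLLs referenced through res:// in R0/R1 entries
    r_entries = []        # (line, value) kept for the second pass
    fix, review, delete = [], [], []
    for line in lines:
        m = R_RE.match(line)
        if m:
            r_entries.append((line, m.group(3)))
            d = RES_DLL_RE.search(m.group(3))
            if d:
                dlls.add(d.group(1))
            continue
        m = O4_RE.match(line)
        if m:
            path = m.group(3).strip()
            if WINDIR_ROOT_RE.match(path):
                fix.append(line)
                delete.append(path)
            continue
        m = O23_RE.match(line)
        if m:
            name, missing = m.group(1), m.group(4)
            # a service whose binary is gone, or whose name is garbage, is the
            # kind of leftover Zee asked to fix
            if missing or not name.isascii():
                fix.append(line)
    # second pass: every R0/R1 entry that points at one of the hijacker DLLs,
    # whichever registry hive it lives in (the post's "look for entries
    # containing the name of the second dll")
    for line, value in r_entries:
        if any(dll.lower() in value.lower() for dll in dlls):
            fix.append(line)
        elif value.strip().lower() == "about:blank":
            review.append(line)   # the symptom, but also a legitimate setting
    return {
        "dlls": sorted(dlls),
        "fix": fix,
        "review": review,
        "delete": sorted(set(delete) | dlls),   # candidates for delete-on-reboot
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("hijacker DLLs:", result["dlls"])
    print("entries to fix in HJT:")
    for line in result["fix"]:
        print("  ", line)
    print("entries to review:", result["review"])
    print("files for delete-on-reboot:", result["delete"])
```

The second pass is what makes the hive-independent search in the quoted note work: once jheckb.dll has been pulled out of any one res:// value, the HKCU and HKLM entries are all matched by name, so a variant that only touches one hive or a different value name is still caught.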
Oops..
Correction, first cleanup then empty recycle bin.
Zee
;-)
Great!
Thanks.
Zee
jaerob,
Could you please do me (us?) a small favour?
Do a new scan with HJT and post a LINK to your saved analysis.
Just wondering how it will show up after that successful cleanup.
Thanks again!
Zee
Try AboutBuster:
http://www.downloads.subratam.org/AboutBuster.zip
Download, unzip, UPDATE and run at least twice.
Zee