Solved

CoolWebSearch / about:blank

Posted on 2005-04-30
Last Modified: 2010-04-11
Hi there. I'm running Windows XP Pro and have the "CoolWebSearch / about:blank" problem.
I was able to follow the 2nd part of the instructions pasted below from a previous post, but not the 1st part involving Reglite.exe. (I did not see "AppInit_DLLs" in the list and was therefore unable to delete the "hidden dll".)
Please help me with this. I urgently need my machine and my browser is still hijacked. Thanks. - Julius
Here's the pasted previous post...

-------------------------------------------------------------------------------------------------------------------------------------

Accepted Answer from knoxj81
Date: 01/11/2005 10:13AM PST
Grade: B


FYI/: About:Blank can't be detected by hijack this due to the hidden feature it uses to bypass detection. So if M$ tool doesn't do the trick, be sure to:

1) turn off system restore (xp users)

2) Follow these directions: ( http://www.securiteam.com/securityreviews/5RP0L0UD5U.html )

Programs Needed:
 * Reglite.exe

 * Microsoft Recovery Console (an application available on your Windows installation disc). To access the recovery console run the following command: D:\i386\winnt32.exe /cmdcons
(Where D should be replaced with the CD drive letter)

 * HiJackThis.exe

Removal Procedure:
There are two application extension (.dll) files that need to be deleted. One is hidden (thanks Akadia!), one is detected with "HiJackThis.exe"

1) With "Reglite.exe" find name of hidden file:
Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\ The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete) If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.

2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console"
Browse to the system32 directory located at: C:\Windows\system32\
Replace this path with your system32 dir. In order to know your system32 run cmd and type:
echo %WINDIR%\System32

After finding your system32 directory do the following:
a) Change file from read only by typing attrib -r hidden.dll
b) Rename the file (For some reason this only works after rename) type: rename hidden.dll nasty.dll
(and remember that "hidden.dll" is for this explanation only use the name you found earlier)
Type "exit" and reboot to Windows.

3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double Click on "AppInit_DLLs" located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\
Delete the file in "value" window, the "size" window changes also.
"Apply" changes and exit "reglite.exe"

4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
(as you can see the second .dll in the example was called "jheckb.dll" yours may be different) For this example let's call it "obvious.dll".

* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second dll, in this example jheckb.dll.

Finally delete the two .dlls ("hidden.dll" and "obvious.dll")

That's it! You should be running again
-----------------------------------------------------

Good Luck,

Jordan

Question by:jaerob
LVL 29

Expert Comment

by:blue_zee
ID: 13902347

Try AboutBuster:

http://www.downloads.subratam.org/AboutBuster.zip

Download, unzip, UPDATE and run at least twice.

Zee

Author Comment

by:jaerob
ID: 13903473
Hi Zee. I tried this, but I still have the problem. Thanks anyway though.   :)
LVL 27

Expert Comment

by:Tolomir
ID: 13903912
Have you tried the latest version, AboutBuster 4?

http://www.besttechie.net/forums/index.php?showtopic=1488

With Tutorial

Tolomir
LVL 27

Expert Comment

by:Tolomir
ID: 13903916
And this is for CoolWebSearch:

http://www.intermute.com/products/cwshredder.html

CWShredder™ finds and destroys traces of CoolWebSearch. CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.


Tolomir

LVL 29

Expert Comment

by:blue_zee
ID: 13903921

>>I did not see "AppInit_DLLs" in the list and was therefore unable to delete the "hidden dll"<<

Download RegistrarLite and use it for that:

http://www.resplendence.com/download/reglite.exe

Website for that tool:

http://www.resplendence.com/reglite

Zee

Author Comment

by:jaerob
ID: 13904343
Hi Tolomir. Yes I did try aboutBuster4 and the latest version of CWShredder. aboutBuster4 was unable to correct the problem. CWShredder identified the threat as CWS.HomeSearch, but was unable to get rid of it. By the way. Forgive me for posting two questions on the same issue. (http://www.experts-exchange.com/Security/Q_21408572.html) I thought that I may have been too confusing the first time. I'll be glad to delete one of these if you like. Thanks!

Hi blue_zee. I'll try to be clearer this time. When I used reglite.exe and drilled down to the directory in the post above, I did not see "AppInit_DLLs" which was referred to in the post: "Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\ The "value" window reveals the hidden file name." Thanks!
LVL 29

Expert Comment

by:blue_zee
ID: 13904870

Here is another website with removal instructions:

http://www.pchell.com/support/aboutblank.shtml

But I believe you're doing something wrong along the way not to see those registry entries.

Maybe worth a careful retry.

Zee
LVL 29

Accepted Solution

by:
blue_zee earned 2000 total points
ID: 13904879

And this program claims to clean it:

http://www.adwareaway.com/

Zee

Author Comment

by:jaerob
ID: 13905060
Hi blue_zee. AdwareAway was unable to correct it. I tried Reglite again but still could not find "AppInit_DLLs" in the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" directory. Since I can't find this entry, I can't follow the procedure on the PCHell site page you recommended. Here are the entries I do see at that location:
1. (default)
2. DeviceNotSelectedTimeout
3. GDIProcessHandleQuota
4. Spooler
5. swapdisk
6. TransmissionRetryTimeout
7. USERProcessHandleQuota

I did a search for "AppInit_DLLs" in RegLite and found it in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows. Something tells me this is altogether different though. Am I missing something? What next?
LVL 29

Expert Comment

by:blue_zee
ID: 13905116

Well, you may be facing a reinstall of Windows.

Let's wait and see if someone else has new ideas.

At the moment, I haven't.

Back as soon as I do some more work on this.

Zee

Author Comment

by:jaerob
ID: 13905743
Cool... By the way...

Here's the latest:
I've tried CWShredder and it identified the problem as: CWS.HomeSearch but was unable to fix it.
SpyBot S&D removed some lesser threats, but not the primary one. --> ("about:blank" in the IE address bar and a Quick Web Search form with a fake IE logo)

AdAware SE Personal also removed some lesser threats, but not the primary one.

I downloaded the latest version of HiJackThis, ran a scan, removed all the "nasty" threats, but the primary issue returned.

Here's the URL to my latest HijackThis analysis file:
http://www.hijackthis.de/logfiles/7bb3a8bae29602e19f5f638830ef93a5.html

Thanks so much for your help thus far.   :)
LVL 29

Expert Comment

by:blue_zee
ID: 13905880

Download KillBox:

http://www.scancomplete.com/download/killbox.php

Unzip it.

Restart in Safe Mode, turn off System Restore:

http://www.pchell.com/virus/systemrestore.shtml

and run HJT again.

Besides the recurring entries that should be fixed, fix these along:

O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [crhr.exe] C:\WINDOWS\crhr.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ieee.exe (file missing)

Immediately after fixing, launch KillBox, select "Delete on reboot", and in the "Full Path of File to Delete" place:

C:\WINDOWS\addzd32.exe (and click the red circle with the white X), and now place
C:\WINDOWS\crhr.exe (and click the red circle with the white X)

Close KillBox.

Empty your recycle bin, cleanup your temp folders and IE cache.

Restart your PC and test.

Post back the results.

Zee
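As an added example (not code from this thread, from HijackThis or from any of the tools named above), here is a small Python triage script that runs over constructed log lines in HijackThis format, modelled on the R0/R1 entries quoted in the question and the O4/O23 entries in the comment above. It flags the patterns this thread turns on: IE search/start pages served from a local DLL via res://, autorun executables dropped directly in the Windows directory, and services with an unknown owner or missing binary. The heuristics and the two benign contrast lines are assumptions of the example.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis log format. jheckb.dll, addzd32.exe and
# ieee.exe are the names quoted in this thread; the two benign lines are
# made up for contrast.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\System32\\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\System32\\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
O4 - HKLM\\..\\Run: [addzd32.exe] C:\\WINDOWS\\addzd32.exe
O4 - HKLM\\..\\Run: [example] C:\\Program Files\\Example\\example.exe
O23 - Service: Network Security Service - Unknown owner - C:\\WINDOWS\\ieee.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# An .exe sitting directly in the Windows directory (not a subfolder): the
# drop location of the autorun entries quoted in this thread.
WINDIR_EXE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Z]:\\[^\s/]+?\.(?:dll|exe)", re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for each suspicious HJT entry."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            # IE start/search settings: a res:// URL into a local DLL is the
            # CWS about:blank pattern; so is a page reset to about:blank.
            value = body.split(" = ", 1)[1] if " = " in body else ""
            r = RES_DLL_RE.match(value)
            if r:
                dll = r.group("dll").rsplit("\\", 1)[-1]
                hits.append((sec, f"search page served from local DLL {dll}", line))
            elif value.strip() == "about:blank":
                hits.append((sec, "start/search page set to about:blank", line))
        elif sec == "O4":
            path = body.split("] ", 1)[-1].strip()
            if WINDIR_EXE_RE.match(path):
                hits.append((sec, "autorun executable directly in Windows directory", line))
        elif sec == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            hits.append((sec, "service with unknown owner or missing binary", line))
    return hits


def suspect_files(log_text: str) -> List[str]:
    """Basenames of the DLL/EXE files referenced by flagged entries."""
    names = {p.rsplit("\\", 1)[-1].lower()
             for _, _, line in triage(log_text) for p in PATH_RE.findall(line)}
    return sorted(names)
```

Running `suspect_files(SAMPLE_LOG)` gives the short list of file names to check on disk, which is the "look for entries containing the name of the second dll" step from the pasted procedure done mechanically.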
LVL 29

Expert Comment

by:blue_zee
ID: 13905884

Oops..

Correction, first cleanup then empty recycle bin.

Zee
LVL 29

Expert Comment

by:blue_zee
ID: 13908761

;-)

Great!

Thanks.

Zee
LVL 29

Expert Comment

by:blue_zee
ID: 13908821

jaerob,

Could you please do me (us?) a small favour?

Do a new scan with HJT and post a LINK to your saved analysis.

Just wondering how it will show up after that successful cleanup.

Thanks again!

Zee