
Thread: I hate about:blank

  1. I've got this beeyotch too; I'm just gonna wipe everything. Is there something - anything - that can prevent me getting this junk in the first place?
    -Kyo

  2. I think you get it through MS Java virtual machine or something...and you should switch to the one by Sun Microsystems, but I'm not sure. I heard MS made a patch for theirs, but who knows... What a fucking giant pain in the ass. I hope whoever made it dies.

  3. What operating systems are you guys using? If it's 2000 or XP, look at your task manager and look at all the processes that are running. Then do a search on all of the processes. So, if you see 7acd4e.exe, do a search on it. Kill the process and delete the file. I just went through a 4 hour process with my Dad's PC a few weeks ago. I had him set up WinVNC on his PC to let me remote control his PC from 200 miles away, and proceeded to give it the once over. It took a combination of Spybot, Ad-aware, McAfee, deleting files, and cleaning stuff out of the registry to finally kill everything.

    Clean out your C:\windows\temp directory, check your hkey_local_machine\software\microsoft\windows\currentversion\run, runonce and runonceEx registry keys for suspicious software starting at boot. Look for things like silencer.exe and crap like that. When the crap keeps coming back, there is another process causing it to. Until you kill all of it, you'll be having all sorts of fun. If you aren't running a virus scanner yet, well, get one. It won't so much stop the problem as help you figure out where the bastard files are on your system.

    Also, if you haven't been running Windows Update, that may be where some of this crap came from. There are several ActiveX holes in IE 5, 5.5 and 6.0 that allow a website to install software without your knowledge (which is one reason to check the C:\windows\temp folder). Be prepared to invest an hour or 2 at least to clean this shit up. The only other option is a format c: and reinstall the OS. Oh, and make sure you set Spybot to (a) immunize you against further "infection" from known spyware, and to run the "Permanently block bad installer" install from the same form. In advanced mode, you have to scroll down a bit to see the option. I didn't know it was there until a few weeks ago. Good luck! You're gonna need it...
    Never under any circumstance scrutinize the mastication orifice of a gratuitous herbivorous quadruped.

  4. I have the CWSearchX variation. This is what CWShredder site says:

    Variant 38: CWS.Searchx - about_:blank seems popular lately

    Approx date first sighted: April 6, 2004
    Log reference: http://forums.techguy.org/t217853.html
    Symptoms: IE pages changed to about_:blank (which is changed to a search portal linking to searchx.cc) and a search page inside a DLL on the system, hijack returning on system reboot
    Cleverness: 8/10
    Manual removal difficulty: Involves lots of Registry editing
    Identifying lines in HijackThis log:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C: /WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C: /WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C: /WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank
    O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C: /WINDOWS\System32\gfmnaaa.dll
    This variant is not very hard to spot, but slightly harder to troubleshoot since its symptoms look a lot like those of CWS.Xmlmimefilter. It drops a randomly named DLL in the system folder and sets the IE homepage/search pages to it. A BHO is also added pointing to the same DLL. The about_:blank page is modified by creating two new protocol filters for text/html and text/plain which allows the DLL to control most of the content flowing through the IE browser as web pages. The trojan keeps a record of all actions in a log file at c: /filter.log. Removing the two filters in the Registry, deleting the BHO, the DLL and the logfile and restoring the IE pages fixes this hijack.

    Note: The CWS.Realyellowpage has been sighted together with this variant sometimes, causing CWShredder to not be able to remove this one. Refer to the manual removal method for that variant to delete the offending dll, then run CWShredder again to remove CWS.Searchx.
    Spaces put after c: to avoid the :/ smiley.

    Could someone explain this to me in plain English?
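
Added example (not part of the thread, and not CWShredder or HijackThis code): a small parser for the HijackThis lines quoted above that flags the pattern the write-up describes, namely IE search settings pointing via `res://` into a System32 DLL that is also registered as a BHO. The function names and the two benign sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Identifying lines as quoted in the post (spaces after "C:" kept), plus two
# constructed benign entries (example.com start page, Example helper BHO).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C: /WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C: /WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C: /WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C: /WINDOWS\System32\gfmnaaa.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

R_LINE = re.compile(r"^(R[0-3]) - (?P<key>[^=]+?) = (?P<val>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RES_DLL = re.compile(r"res://\s*(?P<dll>.+?\.dll)/", re.I)

def norm(path):
    """Comparison key for a Windows path: no spaces, backslashes, lowercase."""
    return re.sub(r"\s+", "", path).replace("/", "\\").lower()

def find_searchx_pattern(log_text):
    """Return one finding per System32 DLL used as both res:// target and BHO."""
    res_refs = defaultdict(list)  # dll -> IE settings that point into it
    bhos = {}                     # dll -> (BHO name, CLSID)
    marker = False                # saw the "about_:blank" value the post lists
    for line in map(str.strip, log_text.splitlines()):
        m = O2_LINE.match(line)
        if m:
            bhos[norm(m["path"])] = (m["name"], m["clsid"])
            continue
        m = R_LINE.match(line)
        if not m:
            continue
        setting = m["key"].rsplit(",", 1)[-1].strip()
        r = RES_DLL.search(m["val"])
        if r:
            res_refs[norm(r["dll"])].append(setting)
        elif m["val"].strip() == "about_:blank":
            marker = True
    # Flag only DLLs that are both a res:// target and a registered BHO.
    return [{"dll": dll, "bho_name": bhos[dll][0], "clsid": bhos[dll][1],
             "settings": sorted(settings), "about_blank_marker": marker}
            for dll, settings in res_refs.items()
            if dll in bhos and "\\system32\\" in dll]
```

The benign "(no name)" BHO in the sample is not reported, because an unnamed BHO on its own is common; the correlation with the `res://` settings is what matches the description.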

  5. Quote Originally Posted by Melf
    I have the CWSearchX variation. This is what CWShredder site says:


    Spaces put after c: to avoid the :/ smiley.

    Could someone explain this to me in plain English?

    The "R1"s are registries you have to remove (i.e. delete).
    The "R0"s are registries you have to remove (using "modify") the value data.
    Click on Start -> Run -> enter "regedit.exe"

    HKCU is HKEY_CURRENT_USER, the rest is easy to figure out.

    The "O's" are Internet Explorer options you need to remove (i.e. unclick the "allow something" box). Then delete the files following the option you have to remove.

    The "BHO" thing however I have no idea what that is, email the guy.
