Overview
Summary:
Alias:
See Also:
Category:
Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.
Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.
Homepage Hijacker: Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
Similar Pests:
Origins
Group:
By This Group:
Mailing Address:
Date of Origin:
Place of Origin:
Distribution
Prevalence:
Clot Factor:
The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Growth:
Operation
Platform:
Storage Required:
Browser Performance:
Recommendations
WorkAround:
Launch the registry editor: Start ->Run: regedit
Look for the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Double click on the key AppInit_DLLs
You will see a file name with this address: "C:\Windows\System32\"hidden filename".dll
Install the Windows Recovery Console Option if not already done (X = your CD Drive): 1. Pop in the Win2000/WinXP CD.
2. Run X:\i386\winnt32.exe /cmdcons
3. A dialog comes up saying it takes 10mb, etc., etc. - Click yes to install.
If you already see the boot menu you're done. If you don't then lets make it appear:
-Right Click My Computer -Click Properties
-Click advanced tab -Click startup and Recovery Settings
-Check Time to Display List of Operating Systems
-Set the timeout to something reasonable like 10 seconds
-Apply the settings, reboot, and you should see the new option to go into the recovery console. You'll need the Administrator password for your computer to access the console.
Then in to the Windows Recovery Console go to C:\Windows\System32, there modify the file by using the Attrib command, otherwise you won't be able to erase it, another way you could, is to change the name of the file.
C:\Winnt\System32: rename wdm.dll about_blank
C:\Winnt\System32: attrib -R about_blank
Reboot your system and open regedit again, go back to the same key AppInit_DLLs and delete the value.
Detection and Removal
Automatic Removal:
PestPatrol detects this.
PestPatrol removes this.
Manual Removal:
What to do about the 'about.blank' pest.
- The first option is to use a browser other than Microsoft Internet Explorer. The Mozilla, Mozilla Firefox, Opera, and Opera (Java) browsers are unaffected by this problem.
- The second option is to remove this pest by hand. We describe how to do this below.
Tools necessary:
- Registry editing tool. Reglite is a free program that is up to the task. You can download it at http://www.resplendence.com/registry/reglite.htm Download this program and install it.
- Windows Recovery Console
- Operating system CD
Steps to take:
The goal is to remove both dll files in the System32 folder. It is possible to work out a set of steps to delete the "unseen" dll first or the "seen" dll first, as long done properly. Lets delete the visible dll first.
- First
- Look in the C:\Windows\System32 folder and sort on date by clicking on the 'Modified' tab at the top of the dates column. Find the visible dll, it should be at the top of column when sorted. Jheckb.dll is an example name of a file found by a user, yours will probably have a different name. Rename this file. Open CMD-shell by clicking Start>Run>cmd (or command). Type 'CD\windows\system32' then hit return. Next type 'rename,' hit the spacebar, type the name of the dll file found in system32, type DeleteMeAfterReboot, then hit enter.
- Reboot your computer and delete this file.
- Second
- Open RegLite. Search the Registry for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\
Windows\\AppInit_DLLs - Click on AppInit_DLLs to show the 'value data.' You should see something like: C:Windows\System32\"unseen.dll" A user reported wdm.dll as a dll name, yours will probably be different.
- Open RegLite. Search the Registry for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\
- Third
- Install and configure the Windows Recovery Console Option:
- Insert your operating system CD.
- Run your CD:\i386\winnt32.exe /cmdcons
- A dialog box comes up, telling you it takes some memory to install. Click yes to install. The boot menu should appear automatically, if it doesn't do the following: Right Click My Computer. Click Properties. Click Advanced Tab. Click Startup and Recovery Settings. Check Time to Display List of Operating Systems. Readjust the timeout to 30 seconds.
- Apply the settings, reboot, and in the recovery console you will see the new option.
- Then in the Windows Recovery Console go to C:\Windows\System32, you will need full administrator rights, modify the file by using the Attrib command to erase it. Alternatively, you could rename the file.
C:\Winnt\System32: rename 'unseen.dll' (whatever the name is) to DeleteMeAfterReboot
C:\Winnt\System32: attrib -R DeleteMeAfterReboot - Install and configure the Windows Recovery Console Option:
- Fourth
- Reboot computer.
- Open RegLite. Search again for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\
Windows\\AppInit_DLLs - Open AppInit_DLLs. Delete the 'Value:'
- Open Internet Explorer. Click 'Tools' In the 'Address:' bar enter the homepage of your choosing.
Kill these running processes with Task Manager:
Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\network service, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\network service, delete it and reboot the machine immediately.
Unregister these DLLs with Regsvr32, then reboot:
Remove these registry items (if present) with RegEdit:
Remove these files (if present) with Windows Explorer:
After following the instructions above, you will still need to restore your original settings and prevent this from happening again.
Research
File Analyses:
- CWS.Aboutblank: agent-ac.dl · hjam.dll · phafxfa.exe