CoolWWWSearch/about:blank problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jenova's Witness, Sep 4, 2004.

  1. Jenova's Witness

    Jenova's Witness Private E-2

    Whenever I open up IE, my homepage gets redirected to some different search page. The Back button on my browser is always greyed out. When I open the task manager there are apparently web sites running that I'm not aware of. Porn websites are randomly added to my favorites. Spybot tells me the problem is CoolWWWSearch.CameUp, but can't get rid of it. AdAware can't get rid of it either. CWShredder says my system is clean. After looking around for a while, I've also found out that my problem is like something called about:blank (which also appears on the title bar just before I'm redirected). I got AboutBuster, but that didn't work either. How can I fix this? While I'm good with computers, I'd appreciate it if you explained everything rather explicitly because I'm not too familiar with some things...
     
  2. gethegroove90

    gethegroove90 Private E-2

    Hey, my problem is similar, go on the post about the .outhost.info problem that I have. My browser just closes whenever I try to download some antitrojan program, and about:buster (that's because my pages start with an about:blank) says my system is clean, and the only trojan I can find which is a Backdoor.c trojan reappears immediately after I remove it. HELP US! Nothing's working!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jenova,

    Our normal procedures require that you first follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    IMPORTANT: If you already have any of the programs linked in the tutorial please double check your version against our links to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    While this will not necessarily resolve true about:blank hijacks it does in most cases fix other existing problems and gets your system in better shape anyway. Please do this and if still having problems afterwards, we will proceed to the next step.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please start your own thread for your problem. Thread hijacking is viewed the same as the hijackers you are having problems with.
     
  5. Jenova's Witness

    Jenova's Witness Private E-2

    Well, it seems I had a virus, but Panda solved the problem. Thanks a bunch, man.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! So I assume all is good now? I'm checking because some of the CWS problems have a nasty habit of coming back after a reboot or opening and closing IE a few times.
     
  7. Jenova's Witness

    Jenova's Witness Private E-2

    Ugh... spoke too soon. The problem was gone for like a day or so after the virus scan appeared to have taken it away. The problem seems a little less severe, if only because I can still use my Back button, but I still don't want to let this thing take over my browser. I guess now I'll work on doing those steps at the bottom of that topic, and if nothing's changed, I'll let you know.
     
  8. Jenova's Witness

    Jenova's Witness Private E-2

    Seems fine after running Ad Aware. Funny, Ad Aware wasn't working before. I downloaded the VX2 cleaner, but there was no plugin menu for my Ad Aware, so I just figured why not run a scan anyways. It came up with stuff it wasn't coming up with before (Instead of "Possible Browser Hijacking" it said "CoolWWWSearch"). It appears to be gone for now, but I'll let you know if things get ugly yet again.
     
  9. Jenova's Witness

    Jenova's Witness Private E-2

    Dang, it's not done. Where do I go from here?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run everything in the Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal > ?

    With the versions we have in our links?
    For one example: did you use Ad-aware SE v1.03 with reference file SE1R6 30.08.2004?

    If you have run everything, you should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >. Make sure you have HijackThis version 1.98.2.

    Now close ALL running programs including your web browser, e-mail, items in the tray. Then run HijackThis and create a log. Post the HijackThis log as a .txt file attachment to your message. (NO INLINE LOGS ARE ALLOWED).
     
  11. Jenova's Witness

    Jenova's Witness Private E-2

    Here's my log. For a while the problem would go away whenever I used Ad Aware, but that doesn't seem to work anymore. Just as well probably; at least now I have to confront the problem.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know why you think Ad-aware does not work anymore. Perhaps you did not click on the link and download the proper version. It is now Ad-aware SE Version 1.04 with a reference file of SE1R1 06.09.2004. Get it installed on your system now. You need it later below.

    What is Ares? If it is what I think it may be (a password cracker), uninstall it or add this next line to the list of things to fix below with HijackThis.
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

    Note: I do not believe this is going to fix your About:Blank problems the first time through but we have to clean up a bunch of things first in order to continue. So we will hope we get lucky on the first try.
    Bring up Task Manager by hitting CTRL-ALT-DEL and click Processes. Find the following processes (if found) and end them:
    gpkcsp.exe
    gdnUS19.exe
    rdgUS19.exe
    on-line.exe


    Make sure you have viewing of hidden files and folders enabled: http://forums.majorgeeks.com/showthread.php?t=37650
    Make sure you know how to boot in safe mode (don't do it yet, wait till I tell you):
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Make sure you still have the latest About:Buster and it is updated!

    You may want to print all of this since when I have you exit all browser sessions below, I do not want you to reconnect again until I tell you to do so.

    Now run HijackThis and put check marks on the following lines BUT DO NOT CLICK FIX until you exit ALL browsers sessions including the one you are reading this message in.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {DA251D21-544B-441E-B57E-833C1A1367A4} - C:\WINDOWS\System32\pfjka.dll
    O4 - HKCU\..\Run: [gpkcsp] C:\WINDOWS\System32\gpkcsp.exe
    O16 - DPF: {01C5AD87-F310-6B5D-A261-397C3BC8A117} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {0D360DDE-2BEF-360A-48CB-5C5E354BA21D} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/11225/online.chm::/on-line.exe
    O16 - DPF: {12301766-A173-2DB7-D546-07160D53AA61} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {138C9ADC-0B85-27CB-74B4-25A66BD4F4C7} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=b5929194d82eca881922fec3a35f349d4e54c4b4523135701160b858fc99be4199747c8588c120ba5f99303a1ea5c3337ebcf795017e4cf6bcf00bfddec8fca7:fe26c761c0e1c4990001df763307b1d2
    O16 - DPF: {15F3B76D-AF76-5AD4-5463-3E077DA311F8} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {1664C5E4-D4B8-336E-8C65-1751637A41D6} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {18726E90-AC6F-2ECE-F042-0A750ACDBD43} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {1FAEE90A-36FF-41C0-F23D-0C8729F62FFA} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {1FB4AED7-BDB4-02BC-01C7-506F0E0BD282} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {207B50A4-4B8F-2DFD-2A32-12DF0FD2330B} - http://66.117.42.151/1/rdgUS243.exe
    O16 - DPF: {20DF8F5A-BA42-3083-9AEB-23BD3C117D31} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {23A0F55B-13A4-0EFA-1506-27BC69A662D0} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {24605C93-230E-3AC4-7D3D-6F170E3C7A2E} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {35CD9EF8-9FBC-7031-93D2-0624216608B9} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {3D479A74-A0EE-09AC-BEEE-0F2922709A61} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {3FEC19BE-D1E9-0CB4-4007-6F567CEF8F2E} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {45596C59-BD45-0F81-398B-57772D745245} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {4B173102-9B10-2AD0-C54F-144539EB716B} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {4EBA5314-21CA-367C-52FE-513763B21E60} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {4EE4B3AE-1E54-702E-01AF-2730228A6AD1} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {506A5487-7D3F-5416-324A-3A4120B0BAD9} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {554BA5D5-8368-3B24-1E02-584219537F01} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {56D25AD9-4DC9-1C93-0A17-2C273BBEE979} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {58E3DF9E-A1B6-1835-A18D-012E6B94C372} - http://67.19.99.158/1/rdgUS871.exe
    O16 - DPF: {5A3920C7-5DD4-00CA-888A-7F9277BE53CB} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {5B4324BA-447C-06E4-6549-76F14807FDF1} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5BAC7318-92A5-2500-1C5F-522133E3DAA3} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {5DA28BB2-DBC2-3013-69B9-2D6D57C36236} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {5EC6D3FD-3B81-7F95-E32B-365F002E0AE0} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {5F18E0BB-CC8D-5D52-27E6-76A77FC1B100} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {6546CB25-A382-7950-75D3-55B40F7E2155} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {654B2765-1355-4511-D1E1-60D72F00772D} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {66E8D77E-0CFA-42B6-38BF-1D6E25EB92C5} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {69C5E640-BF7F-56C5-1D12-462A6A8F972D} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {6D5196BD-5A83-0C68-A850-1C3467BB664C} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {6F85F138-3828-7067-F864-6DAA2987730A} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {7299BA5F-7868-27CB-472C-27D139A6C678} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {74DC8240-7AEC-1B92-E70C-55201D3CAC4B} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {759DE0A4-BCCD-2A97-D5CD-234301ECE32B} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {76BD8615-A0E7-335D-1563-6084760D8D95} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {7961A3F7-E547-7A54-E59B-7D17572D5B48} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {797D2477-E284-5239-7031-02130B93B3DF} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {7B9FD3AC-1DF7-7B04-6366-3DC469040230} - http://66.117.42.151/1/gdnUS19.exe
    O16 - DPF: {7C6232F2-C4A2-69B9-32A8-5FBA343BA2DB} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {7DF8A66B-BCBB-33DC-9116-5D16116BAEE4} - http://66.117.42.151/1/rdgUS19.exe
    O16 - DPF: {7F8133E4-D75B-7509-0492-5A8D2E0272C9} - http://66.117.42.151/1/rdgUS19.exe
    O18 - Filter: text/html - {A2B6AA37-84A7-42D6-B8D3-D215A4DA8A9F} - C:\WINDOWS\System32\pfjka.dll
    O18 - Filter: text/plain - {A2B6AA37-84A7-42D6-B8D3-D215A4DA8A9F} - C:\WINDOWS\System32\pfjka.dll

    Don't forget do not open any browsers yet! Run About:Buster and save the log to ablog1.txt.
    Reboot in safe mode and delete the following files (if found):
    C:\DOCUME~1\Joseph\LOCALS~1\Temp <---- Remove all files in this folder unless you are 100% sure you need it?
    C:\WINDOWS\System32\gpkcsp.exe
    C:\WINDOWS\System32\pfjka.dll

    Reset your web settings by doing the following:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Run About:Buster again and save the log to ablog2.txt.

    Now run Ad-aware SE and under the scan option select Full System Scan and run it.

    Now reboot in normal mode and connect back here and post your two About:Buster logs.
    Then exit Internet Explorer and run it again. Try that a few times to see if about:blank returns. If it does return, post a new HijackThis log attachment and DO NOT shutdown or reboot your PC. You can disconnect from the Internet to remain safe but do not reboot.
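The HijackThis lines above are read by hand in the thread, but the pattern the helper is looking for can be written down. The following is an added example, not part of the thread and not code from HijackThis or MajorGeeks: it parses HijackThis-style R0/R1/O2/O4/O16/O18 entries, flags the kinds of entries the thread has the poster fix (IE search and start values pointing at a file:// page in Temp, HomeOldSP set to about:blank, an unnamed BHO, O16 ActiveX downloads from a bare IP or via an ms-its:/mhtml: chain, O18 MIME filters on text/html and text/plain), and reports any DLL that is registered under more than one entry type, since the same DLL showing up as both the O2 BHO and the O18 filters is the signature of this about:blank variant. The sample log is constructed from lines quoted in the thread plus one benign start-page line; the heuristics and their wording are the example's own assumptions, not HijackThis output.

```python
"""Triage HijackThis-style log lines the way a malware helper reads them.

Added example for this thread; not HijackThis or MajorGeeks code.
"""
import re
from collections import defaultdict

# "R1 - <body>" / "O18 - <body>"; anything else is not an entry line.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
DLL_PATH = re.compile(r"[A-Za-z]:\\\S+?\.dll", re.IGNORECASE)
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.IGNORECASE)


def parse_line(line):
    """Split 'R1 - ...' into (kind, body); return None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def classify(kind, body):
    """Return a reason string when the entry matches a hijack pattern, else None.

    The patterns are the ones the thread has the poster fix (assumed heuristics).
    """
    value = body.split(" = ", 1)[1].strip() if " = " in body else ""
    low_value = value.lower()
    low_body = body.lower()
    if kind in ("R0", "R1"):
        if low_value.startswith("file://") and "\\temp\\" in low_value:
            return "IE search/start value points at a local page in Temp"
        if "HomeOldSP" in body and low_value == "about:blank":
            return "HomeOldSP set to about:blank"
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    elif kind == "O16":
        if "ms-its:" in low_body or "mhtml:" in low_body:
            return "ActiveX entry uses ms-its/mhtml chained loading"
        if BARE_IP_URL.search(body) and low_body.endswith(".exe"):
            return "ActiveX executable download from a bare IP address"
    elif kind == "O18" and body.startswith("Filter: text/"):
        return "MIME filter installed on text/html or text/plain"
    return None


def triage(lines):
    """Return (findings, shared).

    findings: list of (kind, reason, line) for entries that matched a pattern.
    shared:   {dll_path_lower: {kinds}} for DLLs that appear under more than one
              entry type (e.g. the same DLL as O2 BHO and O18 filter).
    """
    findings = []
    dll_kinds = defaultdict(set)
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, body = parsed
        for dll in DLL_PATH.findall(body):
            dll_kinds[dll.lower()].add(kind)
        reason = classify(kind, body)
        if reason:
            findings.append((kind, reason, raw.strip()))
    shared = {dll: kinds for dll, kinds in dll_kinds.items() if len(kinds) > 1}
    return findings, shared


# Constructed sample: lines quoted in the thread plus one benign start page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {DA251D21-544B-441E-B57E-833C1A1367A4} - C:\WINDOWS\System32\pfjka.dll
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O16 - DPF: {01C5AD87-F310-6B5D-A261-397C3BC8A117} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/11225/online.chm::/on-line.exe
O18 - Filter: text/html - {A2B6AA37-84A7-42D6-B8D3-D215A4DA8A9F} - C:\WINDOWS\System32\pfjka.dll
O18 - Filter: text/plain - {A2B6AA37-84A7-42D6-B8D3-D215A4DA8A9F} - C:\WINDOWS\System32\pfjka.dll
""".strip().splitlines()


if __name__ == "__main__":
    found, shared_dlls = triage(SAMPLE_LOG)
    for kind, reason, line in found:
        print(f"[{kind}] {reason}\n    {line}")
    for dll, kinds in shared_dlls.items():
        print(f"DLL registered under {sorted(kinds)}: {dll}")
```

Running it on the sample reports seven entries and one DLL (pfjka.dll) registered under both O2 and O18; the O4 Ares line and the majorgeeks start page are left alone, which matches how the thread treats them.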
     
  13. Jenova's Witness

    Jenova's Witness Private E-2

    Ares is like Kazaa... anyway, I'll get on those instructions now.
     
  14. Jenova's Witness

    Jenova's Witness Private E-2

    Currently the problem seems fixed, but I'll post the log anyway. Unfortunately, I was stupid and saved one of my HijackThis logs as ablog1.txt, not even realizing I was supposed to run about:Buster there... oh, well, I'll give you what I've got...
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did all the steps go smoothly? Were you able to do all the steps correctly and find and delete all items with no problems?

    How is everything now? Have you rebooted a couple of times and checked?
     
  16. Jenova's Witness

    Jenova's Witness Private E-2

    Not through the woods yet it would seem. Looks like it's not gone yet... what should I do now?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I need to see another HijackThis log attachment to see what (if anything) has been resolved and what may have changed.
     
  18. Jenova's Witness

    Jenova's Witness Private E-2

    Here's the log.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me the results of each step below. You should print these instructions or save them locally because later I need you to not have any browsers running.

    1) Okay first make sure System Restore is disabled but do not reboot when asked to: http://forums.majorgeeks.com/showthread.php?t=31668
    2) Please terminate Ares before continuing!
    3) Run HijackThis and put checks on the following lines BUT DO NOT CLICK FIX until you exit ALL browsers sessions including the one you are reading this message in. Then after clicking fix, IMMEDIATELY reboot (do not open IE again until told to):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Joseph\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {9440BF49-0D43-4DAB-9927-4302FE851BA3} - C:\WINDOWS\System32\lfel.dll
    O18 - Filter: text/html - {41228B03-272A-4B9A-A59D-CAF0CD42B745} - C:\WINDOWS\System32\lfel.dll
    O18 - Filter: text/plain - {41228B03-272A-4B9A-A59D-CAF0CD42B745} - C:\WINDOWS\System32\lfel.dll

    4) Reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    5) Delete the following files (if found):
    C:\Documents and Settings\Joseph\Local Settings\Temp <---- Remove all files in this folder unless you are 100% sure you need it?
    C:\WINDOWS\System32\lfel.dll

    6) Reset your web settings by doing the following:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com (PLEASE USE THIS FOR NOW EVEN IF YOU WANT SOMETHING ELSE). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    7) While in safe mode run HijackThis and save a new log (use a different name than last time or you will not be able to upload it. Try hjt1.txt). If any of the previously removed items are back, tell me, and fix them again.

    8) Reboot in normal mode and before doing anything else (especially opening a browser) run HijackThis and save a second log (hjt2.txt)
    9) Now try opening and closing a few browser sessions and see how things look. Post both HijackThis logs back here as attachments and if the problem has now come back again please post a third HijackThis log (hjt3.txt).

    If this does not work, we are going to have to hunt for a hidden process in your registry that is causing this to respawn.
     
  20. Jenova's Witness

    Jenova's Witness Private E-2

    By terminate, do you mean uninstall, or stop its running?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Stop the process that is running that loads at startup (Ares.exe). You should be able to end it using Task Manager.
     
  22. Jenova's Witness

    Jenova's Witness Private E-2

    Currently, everything looks fine. The last time we tried this, Google was set on my homepage even though I put majorgeeks in the web settings. This time, it didn't do that. Other than that, there were four temp files that wouldn't be removed.

    ~DF9C9F.tmp
    ~DFA0E3.tmp
    ~WRC0000.tmp
    ~DF61DD.tmp

    Logs:
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! Let me know if this comes back! If everything still looks good after a few reboots and some surfing, you should enable system restore.
     
  24. Jenova's Witness

    Jenova's Witness Private E-2

    Not out of the woods yet I'm afraid...
     
  25. Jenova's Witness

    Jenova's Witness Private E-2

    Should I use that Browser Hijack Recover thing on the front page?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We do not have too much experience with that program yet. If you would like to give it a try, please do. And please report the results.

    There are other steps we could try but you can try BHR first.
     
    Last edited: Sep 12, 2004
  27. Jenova's Witness

    Jenova's Witness Private E-2

    No, that program didn't work. Apparently, my 15 day trial period was up after one (unsuccessful) use.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1) go here and download Registrar lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field


    Then I want you to download FINDnFIX from here: http://downloads.subratam.org/FINDnFIX.exe

    Run FINDnFIX.exe, it will extract some files to a folder called c:\findnfix
    Use Windows Explorer to bring that directory up. Now if necessary print the remaining instructions because you will be disconnecting from the Internet in the next step. I want you to physically unplug your analog modem phone line or ADSL/Cable modem ethernet cable to your PC so that there is no way any running program can get access to the Internet from your PC.

    Disconnect your network connection now!

    In the c:\findnfix directory double click on the file !log!.bat
    This will run the program and it will create a log.txt file (it will also pop up in notepad when done). Be patient, it takes a little while for it to scan thru all the files it needs to look for.

    When it is finished, reboot your PC and reconnect your network connection.
    Now create a new HijackThis log and come back here and post as Attachments your HijackThis log and the log.txt file from FINDnFIX
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Not very useful I would take it.
     
  30. Jenova's Witness

    Jenova's Witness Private E-2

    Sorry I haven't been doing any of this in a while. I was being kind of apathetic, since I could keep making temp fixes with Ad-Aware, but that's started being less consistent since about:blank stopped being my homepage for some reason. Now most of the time it's http://mypoiskovik.com/index.htm.

    Anyway, your last instructions.

    The value field in Reg lite said: C:\WINDOWS\System32\hlpifbd.dll

    And logs...
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have enabled viewing of hidden files and that you have downloaded About:Buster (do not run yet).
    Also make sure system restore is disabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    winlgn.exe

    - Print the below instructions or save them locally before continuing because in the next step you must close your browser and do not open it again until I tell you to.

    - Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading this in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O4 - Global Startup: winlgn.exe

    I want you to Run Registrar lite again but this time do the following:
    - copy the following into the address bar or expand the same key by hand:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    - Rename the Folder Windows to NotWindows highlighted as a light blue (some people call it light purple) folder in the left hand pane of reglite.

    - Double Click "AppInit_DLLs" again and clear the data value:
    C:\WINDOWS\System32\hlpifbd.dll < delete this line , 'Apply' and 'ok' to set.

    - Rename the NotWindows folder back to its original name Windows
    - This should make the file visible.
    - Double check that it is gone by going back to the Windows key again and check the AppInit_DLLs field and make sure the data value is still blank.
    - Restart computer in safe mode (WITH NO NETWORKING SUPPORT)
    - Look for C:\WINDOWS\System32\hlpifbd.dll using Windows Explorer and when you find it right click on it and choose Delete. Make sure you locate and delete this file. If you do not do this, problems will return.
    - Also locate and delete:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    If you have trouble deleting this file, check with Task Manager again to make sure it is not running.

    - Now from safe mode run Ad-aware SE and click Scan Now, then choose the Scan volume for ADS. Then click the underlined word 'Select'. Choose your hard disk drive (C) and then click Proceed. Then click Next. If it finds anything tell me what it finds. And have it fix everything.
    - Run about:Buster and save the log to ABlog1.txt

    - Run HijackThis and check to make sure all of the lines fixed above are still fixed. If not, fix them again. Especially look for the O4 line with winlgn.exe

    - Now reboot in normal mode
    - Get a new HJT log
    - Open your browser and come back here and tell me how things are working and post your HJT log attachment.
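The AppInit_DLLs check in the two posts above (reading the value with Registrar Lite, then clearing it) matters because on Windows XP every DLL listed there is loaded into every process that loads user32.dll, which is how a hijacker DLL such as the one found here gets back into the browser after each cleanup. As an added example, not from the thread and not Registrar Lite code, the following parses a Registry export (.reg) of that key and lists what AppInit_DLLs currently loads, so the result of step 5 in the Registrar Lite instructions can be recorded from an export rather than read off a dialog. The two export texts are constructed for the example (one carrying the DLL path named in the thread, one clean); the other value names are ordinary values found under that key but their data is made up.

```python
"""List the DLLs loaded via AppInit_DLLs from a .reg export of the Windows key.

Added example for this thread; not Registrar Lite, FINDnFIX or MajorGeeks code.
"""
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def unescape_reg_sz(raw):
    r"""Undo .reg string escaping: \\ becomes \ and \" becomes "."""
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.

    dword/hex values are skipped; only "name"="string" lines are collected.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, data = line.partition('"="')
            keys[current][unescape_reg_sz(name[1:])] = unescape_reg_sz(data[:-1])
    return keys


def appinit_dlls(export_text):
    """Return the DLL paths AppInit_DLLs would load (empty list when unset/blank).

    Windows splits the value on spaces and commas, so the same split is used here.
    """
    values = parse_reg_export(export_text).get(APPINIT_KEY, {})
    data = next((v for k, v in values.items() if k.lower() == "appinit_dlls"), "")
    return [p for p in re.split(r"[ ,]+", data.strip()) if p]


# Constructed export: the DLL the thread found sits in AppInit_DLLs.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"="C:\\WINDOWS\\System32\\hlpifbd.dll"
"UserSelectedDefault"=dword:00000000
"""

# Constructed export of the same key after the value has been cleared.
CLEAN_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"=""
"""


if __name__ == "__main__":
    for label, export in (("before", SAMPLE_EXPORT), ("after", CLEAN_EXPORT)):
        dlls = appinit_dlls(export)
        print(f"{label}: {dlls if dlls else 'AppInit_DLLs is blank'}")
```

On a machine where the value is blank, the function returns an empty list; any path it returns is a DLL that will be injected into every user32-loading process at the next logon, so the thread's insistence on confirming the value is still blank after the reboot is the check worth repeating.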
     
  32. Jenova's Witness

    Jenova's Witness Private E-2

    So far so good...
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So I take it all steps went smoothly with no problems?

    How about posting the HJT log I asked for now so we can make sure nothing else is in there?
     
