
Before you use this I suggest you check to see if your computer is having exactly the same problem and that someone who knows this stuff more comprehensively than I do has posted a reply. (Please do, as I am uncertain that this works perfectly or isn't harmful to the computer.) All programs and research sites will be listed at the end of this post.

The story:

I had the apparently common problem with a search page hijacking the start page and calling itself about:blank. The program was incredibly annoying to remove and I'm not sure if it has been truly removed from my computer, but it no longer pesters me with an unwanted IE homepage. I spent several hours just trying to use HJT to remove the files. That was a complete waste of time; I used the program in my final solution but it doesn't seem to scan the right place (or something) and is unable to permanently remove the files.

After spending some time trying to research what was happening I came across a couple of cases where some ad/spyware would create an 'Application Extension' (.dll) file with a random name. I used a list of 'Browser Helper Objects' to check all the "BHO" objects that were present in the HJT log. The one I couldn't find there or on the net using Google was the one I started to add in my futile attempts at removing files with HJT. This still didn't work.

More research turned up a program called APM (Advanced Process Manipulation) which gives a user greater control of the processes your computer is running. The information suggested using this to remove the 'Application Extension' (.dll) file that didn't show up on the lists I found. I was supposed to use this to tweak 'explorer.exe', the process the 'dll' should have been found in. That didn't work. This is where the problems may start to occur. Given this, still more research turned up leaving IE running as I used 'APM', something advised against in other areas but not specifically. Those sources simply suggested that all programs be closed. So now I launched into a hackish attempt to remove the files with little idea what could happen.

When using 'APM' I tried just removing the evil 'dll' file but it didn't stay removed, so I tried this.

The Process:

=========================================================
* WARNING: READ THIS BEFORE YOU CONTINUE
*
*While doing this I managed to create an error in IE. I wasn't thinking of writing this at the time so I don't know what that error was, as I clicked OK reflexively.
*
*That said, IE seems to run just fine after several restarts and I didn't have any more errors occur during that time.
*
*If anyone attempts this, keep in mind I have no background in this area and can't tell you if it will hurt or damage your system.
*
*I would also appreciate you posting the error this may create.
=========================================================

1.

Open HJT, IE (put in some other site besides about:blank), and APM.

2.

Using APM find iexplore.exe in the top window.
Find the '.dll' file that doesn't show up on the list at the bottom. It shows up as a BHO file in HJT.
Right click on that file. Select Unload DLL and click OK on all the prompts that follow.

3.

LEAVE IE OPEN for this step; this is one of the reasons I think this may not be a good method. It might work if IE is closed, so try that way first, but I don't know.

Using HJT select:
-The unknown BHO file
-All the registry keys that have sp.html at the end. These usually show up as values with R(0,1).
Remove those files.

4.

Close everything; this is where IE will generate the error, so be careful.
Run Ad-Aware and remove all those files that are left.
Check to see if C:\Documents and Settings\Local Settings\Temp\sp.html has been removed. This is the file that whatever program does this uses to replace your homepage.


Your IE homepage should now be unhijacked and resettable to your normal page.


The Threads:

These are the threads I read while trying to fix this problem.

A thread dealing with how you can get infected with these things.
Not one from this site, but recommended by some of the helpful people here and where I started. It also has the link to the common '.dll' files and their references as HJT sees them.
http://www.computercops.biz/postlite7736-.html

That previously mentioned list of the BHO 'dll' files that are known and what they are. (Listed BHOs and Toolbar Class IDs are tagged
X for certified spyware/foistware, or other malware,
L for legitimate items,
O for 'open to debate' and ? for items of unknown status.)
http://www.computercops.biz/CLSID.html

The thread from this site that I read relating to the about:blank program.
http://www.daniweb.com/techtalkforums/thread7491.html
http://www.daniweb.com/techtalkforums/thread7361.html
http://www.daniweb.com/techtalkforums/thread7310.html

Some other threads that deal with this problem.
http://www.daniweb.com/techtalkforums/thread7469.html
http://www.daniweb.com/techtalkforums/thread7192.html
http://www.daniweb.com/techtalkforums/thread7227.html

This thread seems to have another solution using APM, but I didn't read it; you should look there.
http://www.daniweb.com/techtalkforums/thread7449.html

The Programs:

Hijack This (HJT)
http://www.tomcoyote.com/hjt/

Advanced Process Manipulation (APM)
http://www.diamondcs.com.au/index.php?page=apm

Thanks to the people who pointed me in the right direction. crunchie being the most common.

Hope this works for you and if you find a better way let everyone else know.
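The post's manual check (compare each BHO in the HJT log against a known-CLSID list, and look for R0/R1 entries pointing at sp.html or about:blank) can be scripted. This is an added example, not code from the original post or from HijackThis; the log excerpt, CLSID values, DLL name and allow-list are all constructed for illustration.

```python
import re

# Constructed HijackThis-style log excerpt. The CLSIDs and the random DLL
# name are made up for this example and are not real indicators.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\system32\\abcdwxyz.dll/sp.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\\WINDOWS\\system32\\abcdwxyz.dll
O2 - BHO: Example Helper - {12345678-ABCD-ABCD-ABCD-123456789ABC} - C:\\Program Files\\Example\\helper.dll
"""

# Constructed allow-list standing in for the CLSID reference list linked above.
KNOWN_GOOD_CLSIDS = {"{12345678-ABCD-ABCD-ABCD-123456789ABC}"}

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# R0/R1 lines: "R0 - <registry key>,<value name> = <value>"
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^=]+?) = (?P<value>.+)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>.+?\.dll)/", re.IGNORECASE)


def analyze_hjt_log(text, known_good=KNOWN_GOOD_CLSIDS):
    """Return (finding_type, identifier, detail) tuples for suspicious lines."""
    good = {c.upper() for c in known_good}
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m.group("clsid").upper() not in good:
                findings.append(("unknown_bho", m.group("clsid"), m.group("path")))
            continue
        m = R_RE.match(line)
        if m:
            value = m.group("value")
            if "sp.html" in value.lower() or value.lower() == "about:blank":
                findings.append(("hijacked_start_or_search", m.group("key"), value))
    return findings


def suspect_dlls(findings):
    """DLLs that are both an unknown BHO and the res:// host of sp.html.

    This is the correlation the post makes by hand: the unlisted BHO and the
    file serving sp.html are the same randomly named DLL."""
    bho_dlls = {f[2].lower() for f in findings if f[0] == "unknown_bho"}
    res_dlls = set()
    for f in findings:
        if f[0] == "hijacked_start_or_search":
            m = RES_DLL_RE.search(f[2])
            if m:
                res_dlls.add(m.group("dll").lower())
    return bho_dlls & res_dlls
```

Run the two functions over a real HJT log and you get the same short list the post builds by hand: which BHO to look up, and which DLL the hijacked start/search entries lead back to.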


Okay... I just tried this on my wife's machine... IT WORKED LIKE A CHARM!

There's only one thing I found, though: You need to also unload the DLL from explorer.exe, not just iexplore.exe. If you do that, then you can run HJT and eradicate the file.

Additionally, CWShredder has been updated to version 1.59.1, as of this posting. It will detect this hijack, as it uses sp.html. If you're a little wary of trying the instructions above, you might want to give CWShredder version 1.59.1 a shot.


You don't need to have 'background' or 'experience' to be a genius. You simply need to be persistent enough to continue until you find what works!

Well done!


Also for those who have the about:blank, please try this.

1. Tools | Internet Options - General tab - Home page section
2. Change Address to "about:blank"
3. Click Apply, then OK
4. Restart IE
5. Reset your homepage and click Apply, then OK.

There has been some success with this.
