
6462

How to fix the malware entitled “about:blank”

by

Douglas Palaschak Lawyer, Engineer, Farmer.

BS Mech Eng., University of Illinois, Urbana, home of the Hal9000; Registered Professional Engineer.

Doctor of Jurisprudence, So. Cal. Institute of Law.

Star Chapter Farmer, Seneca Township High School: http://senecahs.org/cocur/ffa/2002deka.html

Former Member of the Marching Illini, world’s undisputed premiere Marching Band. http://www.bands.uiuc.edu/MI/

805-652-0334. Dlawyerdude@hotmail.com

Here is a brilliant experienced corporate computer expert:

Gary Baker: 805 643 7680. 805-302-7757. GaryRBaker@hotmail.com

Gary is available to help you, too.

This page is: http://www.lawyerdude.s5.com/blank.html

            This page is located at: Douglas P\My Documents\Fixing the computer\about blank 6462 how to fix it \blank.wpd

Related pages: 5774 5974 6108

Folder locations:

            Folder 793. Blue crate 27.

            Folder #754 in the blue crated #27.




“About:Blank” malware is like the birthday candle that re-ignites.

            “About:blank” (hereinafter “AB”) is the name given to this malicious, pernicious, trojan horse adware malware. The unique thing about AB is that it restarts itself - like a birthday candle that reignites. The name comes from your homepage; AB hijacks it to “about:blank”, which is what you will see in the URL box.

The key to re-ignition: messages from afar.

            The key to the unique perniciousness of this malware is that it utilizes a random name generator to generate randomly named executable and data files such as rbtwe.exe and rbtwe.dat. Therefore a simple extermination algorithm won’t suffice. There is no name for which to search. AB installs hundreds of executables in your C:\Windows\ folder and in your C:\Windows\System32\ folder.

Keys to recognizing these randomly named .exe files:

Your infection may be different, but here is what I discovered about my infection.

1.         The names are not so random. They have 5 letter names.

2.         Their icon is a white box with a dark blue bar across the top. It looks like the “Broadway” deed in Monopoly. This is the generic icon. Windows functions generally have a more unique icon.

3.         If you right click and choose properties they say “unknown application” or they repeat something vague. By comparison, Windows functions and other legitimate files usually identify “Microsoft” or the manufacturer and explain the function.

4.         They are generally 26k in size. You can sort your System32 files by size.

5.         They were “modified” since the onset of your infection. In my case my legitimate System32 files were installed in the year 2001. My infection began in July 2004. You can sort your System32 files by “modified”.

6.         If they are running, then their names will be listed in “task manager”. I discovered this when I tried to delete a malicious file, and the computer told me that the .exe could not be deleted because the program was running. If indeed it was an AB program then it would be running, waiting to periodically adjust the Registry keys in order to hijack my home page and search functions. There are 10 functions that it changes. Hit control-alt-delete to view the task manager. Click on the “processes” tab and you will likely find that process running - the 5 letter name gives it away. It is periodically loading up a browser helper or another home page or search page. You can see their damage if you run “Hijack this”. You will see some extra functions. They have identical serial numbers for around 6 of them. All the other items on the Hijack This display will be readily identifiable from some product name included in the name - such as Hewlett Packard.
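The indicators listed above (5-letter name, a shared size such as 26k, a “modified” date after the onset of infection) plus the matching .dat file mentioned earlier can be checked in one pass and written up as a report before anything is deleted. The following is an added example, not part of the original page: the function names, the 3-of-4 threshold and the sample files are assumptions, and it infers the shared size from the files themselves rather than fixing it at 26k. The icon and the “unknown application” property still have to be checked by hand.

```python
import math
import os
import tempfile
from collections import Counter
from datetime import datetime


def list_executables(directory, onset):
    """Collect per-file facts for every .exe directly inside `directory`."""
    names = {n.lower() for n in os.listdir(directory)}
    facts = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".exe" or not os.path.isfile(path):
            continue
        st = os.stat(path)
        facts.append({
            "name": name,
            # Size in whole KB, rounded up, so 25.1 KB and 26.0 KB compare equal.
            "size_kb": math.ceil(st.st_size / 1024),
            "five_letter": len(stem) == 5 and stem.isascii() and stem.isalpha(),
            "recent": datetime.fromtimestamp(st.st_mtime) >= onset,
            "dat_pair": stem.lower() + ".dat" in names,
        })
    return facts


def dominant_size_kb(facts):
    """Most common size among recent 5-letter executables, or None if no cluster."""
    sizes = Counter(f["size_kb"] for f in facts if f["five_letter"] and f["recent"])
    if not sizes:
        return None
    size, count = sizes.most_common(1)[0]
    return size if count >= 2 else None  # one file alone is not a pattern


def triage(directory, onset, min_score=3):
    """Return (name, score, reasons) for files matching at least `min_score`
    of the four indicators. Read-only: nothing is deleted or modified."""
    facts = list_executables(directory, onset)
    cluster = dominant_size_kb(facts)
    report = []
    for f in facts:
        reasons = []
        if f["five_letter"]:
            reasons.append("5-letter name")
        if f["recent"]:
            reasons.append("modified after onset")
        if cluster is not None and f["size_kb"] == cluster:
            reasons.append(f"in the {cluster} KB size cluster")
        if f["dat_pair"]:
            reasons.append("matching .dat file")
        if len(reasons) >= min_score:
            report.append((f["name"], len(reasons), reasons))
    report.sort(key=lambda r: (-r[1], r[0]))
    return report


def build_sample(directory):
    """Constructed sample tree (not real data): look-alikes plus benign files."""
    old = datetime(2001, 8, 23).timestamp()   # stands in for the original install
    new = datetime(2004, 8, 26).timestamp()   # after the July 2004 onset
    sample = [
        ("rbtwe.exe", 26 * 1024, new), ("rbtwe.dat", 512, new),
        ("otsuy.exe", 26 * 1024, new), ("otsuy.dat", 512, new),
        ("appnu.exe", 25 * 1024 + 100, new),   # same KB bucket, no .dat
        ("notepad.exe", 65 * 1024, old),       # old, long name
        ("write.exe", 5 * 1024, old),          # 5 letters but old and small
        ("setup.exe", 300 * 1024, new),        # 5 letters and recent, wrong size
    ]
    for name, size, mtime in sample:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, score, reasons in triage(tmp, datetime(2004, 7, 1)):
            print(f"{score}/4  {name:12}  {', '.join(reasons)}")
```

On the constructed sample, write.exe and setup.exe each match the 5-letter rule but stay below the threshold, which is why no single indicator is used on its own.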

This didn’t happen by accident and the police don’t do anything!

            AB rides into your computer when you click on malicious pornography sites. I don’t know if McAfee can stop it. Once inside your computer the AB malware sends out messages that instruct distant computers to utilize the malware ports designed by Microsoft specifically to make your computer vulnerable to this type of attack. Bill Gates’s employees intentionally designed your computer to be vulnerable. Only now is he providing patches - but the patches are entwined with more garbage from the evil people at Microsoft. The alternative is a Linux box. They are available off the shelf now! The evil people behind AB could easily be caught; where are our hi tech police? The internet police should be whacking these disseminators of this harmful malware.

            HackerWatch http://www.hackerwatch.org/about/ is a pathetically weak community affiliated with a pathetically weak program sold by a greedy non-altruistic company called McAfee. HackerWatch just watches. It is like they see somebody breaking into your car and they take a picture of the thief to see if there is a pattern.

            Here is the lame ambiguous language of HackerWatch: “We are a collection point for Internet users to report and share information to block and catch 'hackers' and other unwanted traffic. With the growing demand for 24/7 connection to the Internet, small businesses, telecommuters and home users are at a great risk of having their vital information exposed to hackers on the net. Protection from a software firewall application is essential... but should you stop there?”

            “The individual user can do little to protect himself, let alone get action taken when they've experienced a malicious attack. HackerWatch allows for this assistance... Individual attacks are not necessarily always going to be addressed; however, if information submitted to HackerWatch begins to match other attacks submitted having the same ISP carrier - we've got a pattern! All of the data submitted to HackerWatch is screened for authenticity. It is then analyzed in conjunction with data from other individual users and organizations. When meaningful patterns emerge we can act on them quickly, notifying the administration of the appropriate network.”

 

 

 


 

 

Here is how I conquered the About:Blank malware:

 

August 27, 2004: This morning I cleaned out my c:\windows files and my c:\windows\system32 files. So far it looks like this procedure has worked. I deleted perhaps 200 files. I then shut down my machine to create a “restore” file devoid of these 200 malware files. Here is what I learned by experience.

 

Here is the diagnostic and cure software that was helpful:

1.         Screen Print. It is free to humans. Not free to corporations. I don’t know who or what disabled my “print screen” key. I don’t know why but I know human nature. You need Print Screen function to keep a record when you have 99 viruses. AVG will pop up a box for each one. You may need to eradicate these 99 files by hand. Before Print Screen I would take copious handwritten notes. That takes too much time.

2.         Hijack This. This is a widely used free program. It will help you learn about your computer. It searches for the places where the browser hijackers live. Then it will whack them for you. You can clear out the problems - but in 3 minutes the malicious browser helpers will be back. Therefore this program will help you to know when you have eradicated the trojan horses; when you have fixed the problem then you won’t need to run Hijack This every 5 minutes.

3.         Trojan Remover. Obviously this pathetic and stupid program cannot conquer the AB malware. Its only utility in this regard is its ability to print out a 20 page log. You can look at the log and learn about your computer. You can see where Trojan Remover made its mistakes by leaving a certain key in place.

4.         AVG is a free program. They cannot or will not do anything about AB infection. This is suspect. Grisoft was founded in 1991 in the Czech Republic. I am Slovak. These are my peoples! The program was written by software developer Jan Gritzbach. The founding of a high-tech company specializing in the development of anti-virus software was a natural progression for Mr Gritzbach, whose own interests in the field began in 1988, when he began developing programs specialized in protecting computers from mobile malicious code. Since its founding, the main focus of the company continues to be innovation in the detection of, and protection for computers from viruses! AVG AntiVirus has evolved substantially from the single-function utilities of those early days. In order to protect computers from viruses today, much more is involved than "merely" a software program. AVG is a comprehensive service which proves itself every day in the world-wide arena. This is more and more important as computers and computer technology become indispensable in our daily lives, and the danger of viruses spreading rapidly across the world's computer networks. Grisoft, Inc. (Delaware, United States) With the founding of Grisoft, Inc. in the United States in 1998, Grisoft took a significant step toward addressing the global market. Customer support and sales operations were established to support the growing world-wide base of customers and resellers. Grisoft has 43 employees, 26 of whom are specialists in the areas of software development, virus analysis and detection, and technical support. AVG AntiVirus is currently used by more than 8 million users around the world. Grisoft, Inc. (c) 2003

5.         McAfee is an affordable program. This is what stopped the invasion. Had I been protected by McAfee or another program I would not have suffered the invasion. I had re-booted and forgotten which program was doing that job. McAfee has some nice graphics. I use it to log and block attempted invasions. Attacks come at the rate of 1 every 5 minutes. I am wondering if my computer has triggered the incoming invasion by its 2 weeks or more of infection. I think that the malware informs the MALNET that my computer is ripe for attack - but I am guessing. McAfee detected no viruses - but they did not say that there was no malware. Then I ran AVG and found 99! Obviously they cannot or will not detect malware.


 

My Symptoms of Infection

1.         Prologue. A month ago my computer would not boot up. I was forced to re-install Windows. That requires re-installation of some programs. Maybe I failed to promptly re-install a program whose name escapes me. It was SA or AS. Don’t know. I tentatively suspect that AB entered on a .wmv “entertainment” file - meaning pornography or other entertaining videos that are available on the net.

2.         I felt it when this infection infected my machine. I lost control of the screen functions. I tried to shut down. I think that it was futile at that time. It came from a site listed on www.askjolene.com

3.         AB hijacked my homepage and installed their own list of products. Google is my home page. I love Google. Google is good to me! I use it to find my own files. I have 880 web addresses. Google has them all indexed nicely. The infection changed my home page to a list of categories of products. Obviously the corporation who benefits from the links on this page is the one who pays for the dissemination of this AB malware. Follow the money trail. Why don’t the police do this?

4.         Even when you do a Google search they quickly take away your Google page and install their own look-alike search page - which can fool you at times.

5.         Previously they installed what appeared to be the real Google page, but the first 3 entries of every page were always the same 3 fake entries designed to lure you to a different search engine.

6.         Web pages would “time-out” because my machine was loading their pop-ups or creating their pages to be popped up on my machine. Pages that I had easily loaded now simply could not be loaded.

7.         The reason that the pages can’t load is that AB infection caused each page to pop up their own set of pop ups and other junk. The delays compounded and overloaded my system resources.

8.         I received messages from mail bots saying that my message could not be mailed, but I did not mail any such message. The address was obviously computer generated. They send out a billion of these hoping that random generation will get new web addresses.


 

How I cured my “about:blank” infection:

Here is how I did it.

1.         Having successfully cured “about:blank” previously I had a head start. I searched my files for my notes from last time. Those notes are appended to this file. I never did get to the end of the notes. This time I took more time and satisfied my own curiosity - and I learned. My friends just don’t have the time to do this. I am grateful that they can fix my computer so fast - and they usually do it for free, but they are very silent about what they are doing.

2.         Gary installed McAfee for me. This program stopped the invasion of randomly-named 5 letter executables that had previously been loaded into my C:\Windows directory and my C:\Windows\System32 directory.

3.         Gary had previously shown me how to “see” the invisible files. This is critical!!

            a.         Click on any “explorer” window - not to be confused with “internet explorer”. Click “tools” in the menu along the top of the page. Choose “folder options” - the 4th of 4 choices in the drop down menu. Then click the tab labeled “view”. Then choose “show hidden files and folders”. Then, a couple of lines down, de-select “Hide protected operating system files”. Malware likes to hide in Windows and System32 because these files and folders are generally hidden. (Sorry. My language here was sloppy. I was anthropomorphizing the virus. In actuality the designers of the AB programs have elected to put the .exe executable and data there because that is where that type of file works best and because it blends into the surrounding .exe files. The invisibility is just another big plus!)

4.         Having learned to make the files visible, go to “My computer”. Then “Windows”.

5.         Now is the heart of the process. Find the malware and delete them. I deleted hundreds of files. At first I was cautious but soon I learned to work the identifying characteristics by using the “arrange icons by . . .” function.

6.         First I popped up to the tools bar and clicked on the colorful “views” box. If you hover over it the word “views” appears. Select “details”

Keys to recognizing the malicious randomly named .exe files:

7.         Your infection may be different, but here is what I discovered about my infection.

            a.         The names are not so random. They have 5 letter names.

            b.         Their generic icon is a white box with a dark blue bar across the top. It looks like the “Broadway” deed in Monopoly. This is the generic icon. Windows functions generally have a more unique icon - but not always.

            c.          If you right click and choose properties they say “unknown application” or they repeat something vague. By comparison, Windows functions and other legitimate files usually identify “Microsoft” or the manufacturer and explain the function.

            d.         They are generally 26k in size. You can sort your System32 files by size.

            e.         They were “modified” since the onset of your infection. In my case my legitimate System32 files were installed in the year 2001. My infection began in July 2004. You can sort your System32 files by “modified”.

            f.          If they are running, then their names will be listed in “task manager”. I discovered this when I tried to delete a malicious file, and the computer told me that the .exe could not be deleted because the program was running. If indeed it was an AB program then it would be running, waiting to periodically adjust the Registry keys in order to hijack my home page and search functions. There are 10 functions that it changes. Hit control-alt-delete to view the task manager. Click on the “processes” tab and you will likely find that process running - the 5 letter name gives it away. It is periodically loading up a browser helper or another home page or search page. You can see their damage if you run “Hijack this”. You will see some extra functions. They have identical serial numbers for around 6 of them. All the other items on the Hijack This display will be readily identifiable from some product name included in the name - such as Hewlett Packard.

8.         First I looked for the newest files. I did this by right clicking and choosing “arrange icons according to modified”.

            a.         I observed that around 20 new programs had been installed in the previous 12 hours. Well, I knew that I had not installed any new programs in that time frame, so whack. . . . I whacked em! To do this you use your mouse wheel to center the malicious bunch on the screen. Then hover over the top one. Then use the mouse wheel to roll on down to the bottom one. Then right click and delete. Bam! Gone. Well, not so fast there, cowboy. Microsoft asks you (pathetically) “Hey, these are system files. Your malicious viruses that we invited into your computer through our special door, well they won’t work if you whack this sucker.” - or something like that. You have to know that Microsoft is not afraid to speak up even when it has no clue. Once again I anthropomorphize. Sorry. It is the fault of Microsoft programmers and their dumbed-down messages. One size fits all. They are too lazy to write out the true message so they pick one out of the box. This same thing happens in court. The clerk observes what happened. Rather than write it down, she has a choice of 40 actions to pick from. It is a crude language that has only 40 words. The clerk will not relay all the nuances by simply picking the 1 in 40 that fits best. Answer Microsoft by choosing “Hell yes, I know what I am doing”.

            b.         Actually from what I learned, you may simply be able to go back to the files “modified” after the date of your infection. Block them all (about 4 screens full, you will roll the wheel to scroll down or up) and delete - but I was a bit more cautious. Here are some other methods to quickly delete groups of malicious files.

9.         Tip: If you have the files arranged by “modified” date and you see an .exe file with a 5 letter name and a matching data file with the same name then the odds are extreme that this is malware - but you can speed the process even faster.

10.       Right click and arrange the files by size. You will see maybe a dozen that are all 26 k in size. Maybe even 200. If they all have 5 letter names and they all use the generic “Broadway monopoly card” icon then look at the “modified” dates column. If you installed xp in 2002 and these are all dated August 2004, the date of your infection or later, then whack em!

11.       Your actual infection may vary. Maybe your infection file has a size 56k - but they will mostly be the same. Some of mine were not 26k. They are the same size because the various Hong Kong and London bastards who send this shit are merely sending the same program with different names. This is the essence of the AB efficiency. We cannot simply look for the name and whack it - cause they keep sending it with a new random name.

12.       One lesson: If you select the 30 newest files, then you won’t be hitting critical files. The most critical thing you will hit is the log where Microsoft wants to update their files on you. They then encourage you to update. Then they tell you that you can’t update because you are running without a valid registration - and they offer to keep it secret if you will just snitch off the person who gave it to you. Bottom line: You can whack that log with pleasure. Caution: Gary says that you may be whacking some other program or even Microsoft. I say, so what? The alternatives are:

            a.         Waste days or hours to search for all your important data and back it up. Reformat the hard drive and start fresh. Unacceptable. This is only good for Game Boy who has absolutely no data - maybe some records of his score. For the rest of us with actual data and lots of programs for which we may never have had an install disk, well this is not a viable alternative. I lost all my email twice. I lost 2 years of diaries. I know. I need a back up system.

            b.         Repair windows files and reload WordPerfect and Office Express and maybe lose your email. Not acceptable.

            c.          The right choice. Be as cautious as you wanna be. You can always resort to B or A. You will lose caution after tedium sets in. Use the several indicators judiciously. These indicators are:

                         i.           Boardwalk icon.

                         ii.          Right click. Properties. Unknown application.

                         iii.         Uniform size of 26k or whatever.

                         iv.         Dated around the time of your infection.

                         v.          Matching Data file

            d.         Use the tools judiciously:

                         i.           Arrange icons by size to whack the obvious after ascertaining that they all are in that same week after infection.

                         ii.          Arrange icons by “modified” to see the pattern: A clump of generic Broadway Monopoly card icons of the same size.

                         iii.         Right click and check the pedigree. If “unknown” then it is suspect.

13.       Important Lesson: Microsoft won’t let you delete anything critical - so don’t be overly cautious.

14.       You can right click on these mysterious .exe and .dat files - or hover over them and a box will identify them. If they say “unknown application” then whack those suckers.

15.       Okay. Next Lesson. You have your 30 newest files. You will see files that are labeled otsuy.exe or some other 5 letter combination. Dead giveaway. Now right click and delete. The machine will pause for every .exe and say “This is a system file. If you whack this sucker then some program may not work.” What they should say is

“Well, this one has an .exe extension so we are warning you. Some program may not work if you whack this, but in actuality if it were a real program then the date would be the date you installed or modified it - months ago - and it would have its own icon - not this generic Broadway Monopoly icon. If you are whacking trojans, then that file may be the actual trojan loader - especially if it is zero or 26 k in size - so whack that sucker. If you are wrong, we won’t let you make the mistake of whacking a critical windows file - and a critical windows file would not have been loaded just yesterday if you installed XP in 2001. XP files list their “modified” date as the date on the disk from which they were installed.”

But windows messages are short, vague, and even defensive. They don’t tell any weaknesses.

16.       If you try to delete a suspect and it says that the system denies you the permission to delete it because it is running, then simultaneously press control, alternate, and delete. This brings up “task manager”. Click on the “processes” tab and look for that malicious program running. It takes some expertise and experience to know which of the programs are malicious. You can test any program by a search on Google. Dead giveaway: If the name has 5 letters in the name - or even 4 - and there are absolutely NO Google returns then that is a big fat clue that the process has been randomly named. In my case they were appnu.exe and imno.exe. Appnu does not stand for application new. It is mere coincidence. I clicked on each of these and stopped them. Then I went back to C:\Windows and this time I was permitted to whack that sucker, the appnu.exe malicious file.

17.       After you clean up the C:\Windows folder, you then clean up the C:\Windows\System32 folder in the same way.

18.       McAfee did not recognize any of these 200 malware files. They don’t even recognize the viruses in the restore files. AVG barks at the restore files - and even the malware files in the recycle bin. I ran McAfee. I detected nothing. I ran AVG and it detected 99 but most were in system restore. So? That counts!

19.       Now clean up the “system restore” files as follows:

            a.         Click on my computer\ Local disk (C drive)\System volume information\Restore. That takes 4 clicks.

            b.         You will find a list of “rp” folders. RP means “restore points”. Liberally delete these RP files except for the most current. In doing so you are destroying backups from the days when your machine was infected. Or maybe you have a 5 day old restore point before the infection. I have used that to give me a fresh restore. That worked. However, I would rather have my up-to-date settings and do it right.

            c.          If you screw up you still have rp files in the recycle bin - or maybe not. Never looked.

            d.         Let’s call your restore file “rp18”. There are maybe 4 critical items in an uninfected RP18 folder. Don’t mess with “snapshot”; it contains your registry settings. We will get to that. In addition there will be shortcuts to various menus and documents. We may tinker with those some day but today we are hunting malicious executables - just like we did with the C:\Windows folder. An infected RP will contain the distinctive anonymous .exe files from recent days. Click on “properties” and you will see that they are labeled “unknown application” which is a lie. They are really secret malicious applications! Once you have removed all malware then your system restore will not infect your computer on start up.

20.       Now you have the option of restarting your computer to “lock in” the good system restore. Don’t restart just yet.

21.       Now we will clean up the registry as follows:

            a.         Click as follows: Start. Run. Type “regedit” in the box. Click “okay”. That brings up “Regedit” which is the editor for the Registry settings.

            b.         At the top click on “edit” and then “find”. Now search for any of the named executables. “About” was what I searched for. I was amazed at what I found: 2600 domain names for malicious adware - like finding a bunch of snakes under a rock!

            c.          The search will take you to the list of adware and other malware. I deleted all 2600 of the folders. 2600! They have names that expose them as evil.

22.       Your problem should now be fixed. Now shut everything down and restart. Click start. Stop. Restart.

23.       Now run “Hijack this”. I have a shortcut to Hijack This in a folder called “virus whackers” on my desktop. A scan using Hijack This should reveal that none of the browser hijack ware is running. If there is some running then use Hijack This to whack it. Maybe it is a remnant. Have not got that result.

24.       Of course when you go back to open your browser you will see “about:blank”. Use the drop-down menu to change to “google” or whatever you choose. You fix that by clicking on tools. Then options. Then choose homepage, use current.

25.       Run task manager by simultaneously clicking control, alternate, and delete.

26.       Look for malware running. There should be none.

27.       Empty the recycle bin.

28.       Empty the virus vaults unless you want to review them like a hunter would gaze over his prized Elk heads.

29.       Make sure that you have AVG or McAfee running.

30.       I enjoy watching the attacks come in. McAfee draws an arrow back to where they came from and gives you the telephone number of who sent this shit to you. Call the district attorney and ask him to get an extradition warrant. If they are in your county, then ask a sheriff deputy to get a warrant and take his computers. Better yet: Call someone who cares: Lawyerdude! 805 652 0334. I will sue those bastards for you! But not on a contingency basis.

End. You are finished with this project except to wait and see if more junk springs up tomorrow.


 

Comments:

1.         Comment: I know of no program that will whack the about:blank problem. Trojan Buster lets it slide right by.

2.         Comment: McAfee draws a map of the world and draws a line to Hong Kong, where this stuff is being sent from. They contract with advertisers here to send us pop-ups and otherwise fuck up our computers.

3.         From the reports of the dumbshits who post on the internet, they think that there is some mysterious loader on your machine making the randomly named files. Okay, the guy who said that also said to download Registry Lite. He may have been a vendor.

4.          My problem began when my “Geek superhero” stopped working. It no longer caught any incoming and it no longer blocked pop-ups. The 30 days expired with no problem but when 45 days came up it just stopped working.


 

Summary: Here is the critical knowledge that solved this problem:

1.         You must be able to tell malware from legitimate files. The problem is that this malware creates files with random 5 letter names - so that the 5 letter name with size of 26K becomes the signature - that and the fact that it was modified yesterday or the day before or the month before.

2.         Gary pointed me to McAfee which stopped incoming malware - one attempt every 20 minutes from people who can be identified and should be sued.

3.         Gary explained to me that there are 2 boxes to check/ uncheck in order to see hidden files.

4.         I learned to recognize this particular malware. File size. Name showing up in Hijack this. Date of the system files.

5.         I learned that you can delete with impunity. Microsoft won’t let you delete a critical file. Gary says that I am wrong about this. He has experience and knows what he is doing.

6.         When you attempt to delete a malicious file and you get the message saying “This file is in use” simply hit control alt delete and look for that file name as a running process. It is there loading up the 10 hijacking programs - or at least the first 2. Stop that process. The explorer window remains waiting open for you. This time when you try to whack that malfile it will get whacked.

7.         “Hijack this” is a fundamental diagnostic tool.

8.         You may want to run “Trojan Remover” and print the 20 page log. Trojan Remover cannot touch about:blank.

9.         My about:blank thing came from a porn server site listed on “askjolene”. I saw it when it happened. It took control of my machine. Had I been using Mozilla this would not have happened. I had just recovered from a crash and my machine was out of tune. I think that ActiveX may have been running. I don’t know. Suddenly I lost control of the screen and it was locked while the malware was loading.

10.       I am running un-patched XP. Patched XP may or may not be vulnerable to trojan horse malware.

11.       I may have deleted some critical files for auxiliary functions such as Hotmail, but I strongly doubt it! I can only get my hotmail through office express now. My hotmail page pops up blank.

12.       There is a calmness about my computer now. We are at peace.


 

There is much more below this line but it pertains to methods that did not work. Maybe they would have worked but they did not.

I did not try the approach by the guy promoting Registry Lite program.


 

Friday, August 20, 2004. 12:29 pm noon.

Here is what I did.

Did a cleanup with HijackThis.

Did a cleanup with Trojan Blaster. It found nothing.

Did a clean up with AVG.

I clicked and unchecked the folder options advanced page in order to be able to see operating system files.

I went to Windows\system32 and deleted all the new stuff this year. The system won’t let me dismiss the system files. Therefore what is deleted is virus junk. Perhaps it is deleting other stuff that I need to run other programs but I don’t think so.

Then I did the same thing with the Windows folder.

When I ran AVG I continued to have embedded problems in the restart backup files or whatever they are called.

I continue to have problems.

I went to the 6 places where startup menus are found.

I think that there are more places.

This very file contains instructions to detect the downloader. I haven’t followed these instructions yet.


 

Navigational and promotional Links:

Okay, here is the scoop on me. I am Lawyerdude.

General navigational links:

Telephone Lawyerdude: 805 652 0334

Please join my newest Yahoo group for discussion or legal self help litigation. Here is the link to the link: http://www.lawyerdude.8k.com/6346.html

Email lawyerdude: dlawyerdude@hotmail.com

Instant message me: I am lawyerdude1989 on Yahoo instant messenger. I am dlawyedude on msn messenger.

My most useful web pages and my most popular web pages are these following pages:

 

Links for your Empowerment! Self help Litigation forms, instructions, cases, and samples.

13.       Lawyerdude’s Empowerment page: http://www.lawyerdude.8k.com/medley.html

14.       Links to all 70 sample motions for all my pro se litigators ! http://www.circuitlawyer.8m.com/traffic.html

15.       List of my 200 most popular web pages according to Google. http://www.lawyerdude.8k.com/5733.html

16.       Samples of 8 actual Section 1983 federal complaints: http://www.lawyerdude.netfirms.com/6008.html

17.       List of the 30 most important criminal court motions. They are listed in Lawyerdude’s Bill of Rights for Criminal Defendants in jail. This is my New Standard by which to measure effectiveness of counsel. Make your appointed lawyer toe the line:          http://www.circuitlawyer.8m.com/5635.html

18.       Motions 101. How to write and file and serve a motion: http://www.lawyerdude.netfirms.com/6025.html

19.       Briefs 101. How to write a Memorandum of Law: http://www.lawyerdude.s5.com/6435memo.html

20.       Courtroom assertiveness 101: How to be assertive in court. Scripts for the Pro Se litigant:

                                                                 http://www.circuitlawyer.8m.com/5537.html

21.       Your litigation rights page. Learn your litigation rights! http://www.circuitlawyer.8m.com/5687.html

22.       Were you strip searched? Sue em! http://www.circuitlawyer.8m.com/5728.html Do they do a strip search anus check every time you go to the law library? Did your jail not have a law library?

23.       List of the most quotable cases and the most useful web pages for the pro se Litigator: http://www.lawyerdude.8k.com/medley.html

 

24.       Your case summary and trial notebook form: http://www.lawyerdude.8k.com/summary.html

25.       New! Links to the 143 cases that define criminal procedure: http://www.circuitlawyer.8m.com/weinreb.html

26.       My Demurrer page: perfect record so far: http://lawyerdude.8k.com/5736.html

 

All about Lawyerdude

27.       My ongoing battle with the mistaken, oppressive, and political state bar: http://www.lawyerdude.8k.com

28.       Lawyerdudes’s biographical page: http://www.lawyerdude.8m.com/mystory.html

29.       My LSD story and brief: http://www.lawyerdude.8m.com/5431.html

30.       How to work well with Lawyerdude: http://www.lawyerdude.8k.com/contract.html

 

31.       My most important page. My top 10 lists: http://www.lawyerdude.8m.com/5459.html

32.       My ideas. My 10 proposed amendments to the bill of rights: http://www.lawyerdude.8m.com/5123.html

33.       My home page: http://www.lawyerdude.8m.com Or my mirror site: http://www.lawyerdude.netfirms.com

 

 

My biggest fattest briefs:

34.       My “state bar acts are unconstitutional!” brief: http://www.lawyerdude.8k.com/3789.html

35.       My 100 page LSD brief: http://www.circuitlawyer.8m.com/1170.html Use this for your drug case!

36.       My collection of “right to drive” briefs: http://www.lawyerdude.8k.com/right2drive.html

37.       Lawyerdude's briefs: http://www.circuitlawyer.8m.com


More Lawyerdude links and Recommended Reading list

39.       Lawyerdude’s traffic page: http://www.lawyerdude.8m.com/5259.html

40.       Lawyerdude's library. A prioritized reading list. A list of books that farm folk and an enlightened populace should read. Some of these books justify weekly or monthly review - like your Bible - for your own defense. http://www.lawyerdude.netfirms.com/library.html

41.       List of links to the Latest uploads from Lawyerdude: http://www.circuitlawyer.8m.com/5673.html

 

42.       Lawyerdude's Contemporary Constitutional Issues: http://www.circuitlawyer.8m.com/5693.html

43.       Lawyerdude's links page: http://www.lawyerdude.8m.com/links.html

44.       Lawyer’s Manifesto: http://www.lawyerdude.8k.com/5753.html

People who link to me:

45.       I thank Bill Munro http://www.landrights.com I remember Dan Meador http://www.lawresearch-registry.org/ , http://www.geocities.com/CapitolHill/Rotunda/4027/ ; http://www.wakeupaustralia.net ; http://home.houston.rr.com/jtyner/links ;

 


 

 

Here is some stuff from the net:

http://www.google.com/search?q=about:blank+hijack+variant&hl=en&lr=&ie=UTF-8&start=10&sa=N

This goes in folder #754 in the blue crated #27. On computer it is filed in "fixing the computer"

Table of Contents:

Problem solved

 

SUMMARY

This article describes the registry. This article also includes information about how to edit the registry, and lists references for additional information.


MORE INFORMATION

Description of the Registry

The Microsoft Computer Dictionary, Fifth Edition, defines the registry as:

A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information necessary to configure the system for one or more users, applications and hardware devices.

The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used.

The Registry replaces most of the text-based .ini files used in Windows 3.x and MS-DOS configuration files, such as the Autoexec.bat and Config.sys. Although the Registry is common to several Windows operating systems, there are some differences among them.

Registry data is stored in binary files.


Information About Editing the Registry

To edit the registry, Microsoft recommends that you follow the steps in the Microsoft documentation only. If you can, use the Windows user interface instead of directly editing the registry.

You can edit the registry by using Registry Editor (Regedit.exe or Regedt32.exe). If you use Registry Editor incorrectly, you can cause serious problems that may require you to reinstall your operating system. Microsoft does not guarantee that problems that you cause by using Registry Editor incorrectly can be resolved. Use Registry Editor at your own risk. For additional information about the differences between Regedit.exe and Regedt32.exe, click the following article number to view the article in the Microsoft Knowledge Base:

141377 Differences between Regedit.exe and Regedt32.exe

Before you modify the registry, make sure to back up the registry, and make sure that you understand how to restore the registry if a problem occurs. For additional information about backing up and restoring the registry, click the following article numbers to view the articles in the Microsoft Knowledge Base:

322756 How to back up, edit, and restore the registry in Windows XP and Windows Server 2003

322755 How to backup, edit, and restore the registry in Windows 2000

323170 How to backup, edit, and restore the registry in Windows NT 4.0

322754 How to backup, edit, and restore the registry in Windows 95, Windows 98, and Windows Me

To modify registry data, a program must use the registry functions that are defined in the following MSDN Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/registry_functions.asp

Administrators can modify the registry by using Registry Editor (Regedit.exe or Regedt32.exe), Group Policy, System Policy, Registry (.reg) files or by running scripts (such as VisualBasic script files).

Note The registry in 64-Bit versions of Windows XP and Windows Server 2003 is divided into 32-bit and 64-bit keys. Many of the 32-bit keys have the same names as their 64-bit counterparts, and vice versa. The default 64-bit version of Registry Editor that is included with 64-Bit versions of Windows XP and Windows Server 2003 displays the 32-bit keys under the following node:

HKEY_LOCAL_MACHINE\Software\WOW6432

For additional information about how to view the registry on 64-Bit versions of Windows, click the following article number to view the article in the Microsoft Knowledge Base:

305097 How to view the system registry by using 64-bit versions of Windows

The navigation area of Registry Editor displays folders. Each folder represents a predefined key on the local computer. When you access the registry of a remote computer, only two predefined keys appear: HKEY_USERS and HKEY_LOCAL_MACHINE. The following table lists the predefined keys that are used by the system. The maximum size of a key name is 255 characters.

Folder/predefined key, Description

HKEY_CURRENT_USER, Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile. This key is sometimes abbreviated as "HKCU."

HKEY_USERS, Contains the root of all user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as "HKU."

HKEY_LOCAL_MACHINE, Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as "HKLM."

HKEY_CLASSES_ROOT, Is a subkey of HKEY_LOCAL_MACHINE\Software. The information stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as "HKCR." Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key contains settings that override the default settings and apply only to the interactive user. The HKEY_CLASSES_ROOT key provides a view of the registry that merges the information from these two sources. HKEY_CLASSES_ROOT also provides this merged view for programs designed for earlier versions of Windows. To change the settings for the interactive user, changes must be made under HKEY_CURRENT_USER\Software\Classes instead of under HKEY_CLASSES_ROOT. To change the default settings, changes must be made under HKEY_LOCAL_MACHINE\Software\Classes. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under HKEY_CLASSES_ROOT, and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of under HKEY_LOCAL_MACHINE\Software\Classes.

HKEY_CURRENT_CONFIG, Contains information about the hardware profile that is used by the local computer at system startup.

The following table lists the data types that are currently defined and that are used by Windows. The maximum size of a value name is as follows:

Windows Server 2003 and Windows XP: 16,383 characters

Windows 2000: 260 ANSI characters or 16,383 Unicode characters

Windows Millennium Edition/Windows 98/Windows 95: 255 characters

Long values (more than 2,048 bytes) must be stored as files with the file names stored in the registry. This helps the registry perform efficiently. The maximum size of a value is as follows:

Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003: Available memory

Windows Millennium Edition/Windows 98/Windows 95: 16,300 bytes

Note There is a 64K limit for the total size of all values of a key.

Name, Data type, Description

Binary Value, REG_BINARY, Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.

DWORD Value, REG_DWORD, Data represented by a number that is 4 bytes long (a 32-bit integer). Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format. Related values are DWORD_LITTLE_ENDIAN (least significant byte is at the lowest address) and REG_DWORD_BIG_ENDIAN (least significant byte is at the highest address).

Expandable String Value, REG_EXPAND_SZ, A variable-length data string. This data type includes variables that are resolved when a program or service uses the data.

Multi-String Value, REG_MULTI_SZ, A multiple string. Values that contain lists or multiple values in a form that people can read are generally this type. Entries are separated by spaces, commas, or other marks.

String Value, REG_SZ, A fixed-length text string.

Binary Value, REG_RESOURCE_LIST, A series of nested arrays that is designed to store a resource list that is used by a hardware device driver or one of the physical devices it controls. This data is detected and written in the \ResourceMap tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.

Binary Value, REG_RESOURCE_REQUIREMENTS_LIST, A series of nested arrays that is designed to store a device driver's list of possible hardware resources the driver or one of the physical devices it controls can use. The system writes a subset of this list in the \ResourceMap tree. This data is detected by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.

Binary Value, REG_FULL_RESOURCE_DESCRIPTOR, A series of nested arrays that is designed to store a resource list that is used by a physical hardware device. This data is detected and written in the \HardwareDescription tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.

None, REG_NONE, Data with no particular type. This data is written to the registry by the system or applications and is displayed in Registry Editor in hexadecimal format as a Binary Value.

Link, REG_LINK, A Unicode string naming a symbolic link.

QWORD Value, REG_QWORD, Data represented by a number that is a 64-bit integer. This data is displayed in Registry Editor as a Binary Value and was first introduced in Windows 2000.

A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. The supporting files for all hives except HKEY_CURRENT_USER are in the Systemroot\System32\Config folder on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; the supporting files for HKEY_CURRENT_USER are in the Systemroot\Profiles\Username folder. The file name extensions of the files in these folders, and, sometimes, a lack of an extension, indicate the type of data they contain.

Registry hive, Supporting files

HKEY_LOCAL_MACHINE\SAM, Sam, Sam.log, Sam.sav

HKEY_LOCAL_MACHINE\Security, Security, Security.log, Security.sav

HKEY_LOCAL_MACHINE\Software, Software, Software.log, Software.sav

HKEY_LOCAL_MACHINE\System, System, System.alt, System.log, System.sav

HKEY_CURRENT_CONFIG, System, System.alt, System.log, System.sav, Ntuser.dat, Ntuser.dat.log

HKEY_USERS\DEFAULT, Default, Default.log, Default.sav

In Windows 98, the registry files are named User.dat and System.dat. In Windows Millennium Edition, the registry files are named Classes.dat, User.dat, and System.dat.

Note Security features in Windows NT, Windows 2000, Windows XP, and Windows Server 2003 allow an administrator to control access to registry keys.


REFERENCES

For additional information, visit the following Microsoft Web sites:

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/w2rkbook/regentry.asp

http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx


Name: geishaslave

Date: April 24, 2004 at 09:19:42 Pacific

Subject: internet explorer about blank page

Reply:

Problem solved.

Thanks to the computing gods at spywareinfo.com and computercops.com .

In addition to running HijackThis and CWShredder, need to run PrcView

http://www.spywareinfo.org/~merijn/files/pv.zip

-or-

http://www.teamcti.com/pview/prcview.htm

then KillBox

http://www.broadbandmedic.com/

When I ran PrcView, there was a file called kbd.dll that did not have a description listed after it. Also, could not access kbd.dll through Windows Explorer for manual deletion. Thus I assumed it did not belong.

Decided to remove kbd.dll using KillBox:

-Launched killbox.exe .

-Typed in c:\winnt\system32\kbd.dll

-Selected Action-->Delete on Reboot

-In PendingFileRenameOperation window selected Add File then chose Action-->Process and Reboot

!!! Caution !!!

-Your problem file may NOT be named kbd.dll.

-Your OS location could be either Windows or Winnt.

-You could accidentally remove a file necessary for your OS to function.

If you need help, post your HJT and/or PV logs to the appropriate forums at places like

http://www.spywareinfo.com/

http://www.computercops.com/

http://www.net-integration.net/

http://www.wilderssecurity.com/

http://www.cexx.org/

http://www.cybertechhelp.com/

http://www.tomcoyote.com/

Hope the above is helpful.

http://computercops.biz/modules.php?name=Forums&file=viewtopic&p=180340

Posted: Tue May 18, 2004 5:44 pm Post subject:

 

Maybe this will help. Here is how I found my hidden about:blank reloader. I am running Windows 98, so all my problems were in the C:\Windows\System folder. I believe the problems appear in the System32 folder on newer versions of Windows.

On a daily basis, my home page would change to about_:blank; additionally, when I typed an incorrect URL in IE, the search assistant was redirected from my MSN default to another search page (and I got a pop-up telling me there was spyware on my computer)

I ran CWShredder, Spybot, Ad-Aware, and HijackThis. My home page would be OK, but the search assistant redirect was still there. This would last all day. The next day, as soon as I launched IE, the problem was right back.

I found there was a random dll being generated each day. It was located in C:\Windows\System. The easiest way to find this dll was to open the System folder and using the "Views" option in the toolbar, click "Details." Then click "Modified" at the top of the listing so the most recent is at top. A randomly named dll was present each morning (e.g., ghifkoo.dll, booncaa.dll, cmmc.dll). CWShredder, Spybot, Ad-Aware, and/or HiJackThis would wipe out that day's dll, but a new one greeted me each morning.

The Problem:

Merijn's CoolWebSearch Chronicles, http://www.spywareinfo.com/~merijn/cwschronicles.html, provided much insight. I believe I had the combination of Variant 38 (CWS.Searchx) and Variant 39 (CWS.Realyellowpage). CWShredder does not fix it, and HiJackThis does not show it.

The Solution:

The key to eradicating this nightmare is to find the hidden reloader and wipe it out.

The key to finding the hidden reloader is to use PrcView.

FIND THE HIDDEN RELOADER. Most of the information on the web relates to Windows XP, and points to the AppInit registry key for the solution. There is no AppInit registry key in Windows 98. To find the reloader, I used PrcView (a download is available here: http://www.spywareinfo.com/~merijn/files/pv.zip). I ran PrcView with an Explorer window open to find all operating dlls. I started by eliminating all dlls that were not in C:\Windows\System. I then began checking the listed dlls that had no version no. or description. I would search my C drive for each dll and also did a Google search for each dll. All the dlls (except one), were found during a search of my C drive (and clicking "Properties" would usually provide information regarding the creator and version) and using a Google search. However, there was one dll that returned no matches on the Google search, and was not located on the search of my C drive. THIS WAS THE DEVIL. In my case, the name was resbb.dll. Merijn suggests that the offending dll will have a base code of 61c00000 and a size of 61440, but that was not the case for me.

REMOVE THE HIDDEN RELOADER. I first used KillBox (a download and instructions are available at http://www.spywareinfo.com/~merijn/cwschronicles.html), but I do not think that worked. On reboot, the offending dll was still visible with PrcView. To finally wipe out this devil, I followed the instructions provided by Shadowwar here: http://www.wilderssecurity.com/show...00&postcount=25

1. Reboot in safe mode (press F8 at reboot)

2. Select command prompt only.

3. Once I got to dos at c:\ prompt, I typed: cd windows

4. At the next prompt, I typed: cd system

5. At the C:\WINDOWS\SYSTEM\> prompt, I typed: del resbb.dll

6. Turned the power off, and then restarted.

On restart I got an Error message that resbb.dll could not be located. BEST ERROR MESSAGE I EVER GOT.

  I ran the clean-up tools, but all showed AOK. System works fine now.

Therefore, to locate the hidden dll, I would first scrub the system with CWShredder, Ad-Aware, Spybot, and whatever other weapons you have. Then run PrcView to locate the hidden reloader. Once it is located, determine how to remove it. Good luck.
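The two checks this post describes (sorting the system folder by Modified, then narrowing the loaded-module list to DLLs with no description or version and seeing which are missing from the folder listing), as an added Python example that is not part of the original post. The module records and the file listing are constructed samples in a hypothetical shape, not PrcView's own export format; only the name resbb.dll comes from the post.

```python
import ntpath
import os
import time

def recent_files(folder, days, exts=(".dll", ".exe"), now=None):
    """Files in `folder` modified within `days`, newest first (the "sort by Modified" step)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    with os.scandir(folder) as entries:
        for entry in entries:
            if entry.is_file() and entry.name.lower().endswith(exts):
                info = entry.stat()
                if info.st_mtime >= cutoff:
                    hits.append((entry.name, info.st_mtime, info.st_size))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def triage_modules(modules, system_dir, visible_names):
    """Apply the post's filter to a list of loaded modules.

    modules       -- dicts with 'path', 'description', 'version' (hypothetical shape)
    system_dir    -- Windows path of the system folder as the process viewer reports it
    visible_names -- file names a normal directory listing of that folder shows
    """
    want_dir = system_dir.rstrip("\\").lower()
    visible = {name.lower() for name in visible_names}
    suspects = []
    for mod in modules:
        folder, name = ntpath.split(mod["path"])
        if folder.lower() != want_dir:
            continue  # only modules loaded from the system folder
        if mod.get("description") and mod.get("version"):
            continue  # identified modules are set aside
        suspects.append({"name": name, "on_disk": name.lower() in visible})
    # Loaded but absent from the listing is the strongest signal, so it sorts first.
    return sorted(suspects, key=lambda s: (s["on_disk"], s["name"].lower()))

# Constructed sample data; only resbb.dll is a name from the post.
SAMPLE_MODULES = [
    {"path": r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
     "description": "Win32 Kernel core component", "version": "4.10.2222"},
    {"path": r"C:\WINDOWS\SYSTEM\resbb.dll", "description": "", "version": ""},
    {"path": r"C:\WINDOWS\SYSTEM\oldcodec.dll", "description": "", "version": ""},
    {"path": r"C:\PROGRAM FILES\APP\helper.dll", "description": "", "version": ""},
]
SAMPLE_LISTING = ["KERNEL32.DLL", "OLDCODEC.DLL", "USER32.DLL"]

if __name__ == "__main__":
    for s in triage_modules(SAMPLE_MODULES, r"C:\WINDOWS\SYSTEM", SAMPLE_LISTING):
        state = "in folder listing" if s["on_disk"] else "NOT in folder listing"
        print(f"{s['name']}: no description/version, {state}")
```

A module that is loaded but missing from the listing still needs the manual lookup the post describes before anything is deleted.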

June 8, 2004

from Merijn site.

CWS.Aboutblank

2. Variant 35: CWS.Aboutblank - It's just a fad

Approx date first sighted: March 2, 2004

Log reference: Reconstruction

Symptoms: IE pages changed to about-blank.ws and 213.159.118.226 (1-se.com), hijack returning on system restart

Cleverness: 5/10

Manual removal difficulty: Involves some Registry editing and deleting a randomly named file

Identifying lines in HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main, SearchURL = http://about-blank.ws/page/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = http://about-blank.ws/page/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL = http://about-blank.ws/page/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page_bak = http://about-blank.ws/

O1 - Hosts: 213.159.118.226 1-se.com

O1 - Hosts: 213.159.118.226 58q.com

O1 - Hosts: 213.159.118.226 aifind.cc

O1 - Hosts: 213.159.118.226 aifind.info

O1 - Hosts: 213.159.118.226 allneedsearch.com

O1 - Hosts: 213.159.118.226 approvedlinks.com

[..]

O1 - Hosts: 213.159.118.226 www.wazzupnet.com

O1 - Hosts: 213.159.118.226 www.websearch.com

O1 - Hosts: 213.159.118.226 www.windowws.cc

O1 - Hosts: 213.159.118.226 www.xgmm.com

O1 - Hosts: 213.159.118.226 xwebsearch.biz

O1 - Hosts: 213.159.118.226 yourbookmarks.ws

O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0

O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0

O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt

This variant does everything in its powers to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.

Restoring the IE pages by searching the Registry for about-blank.ws, removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size) fixed this.
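A way to check a saved HijackThis log for the identifying lines listed above, as an added Python example (not Merijn's or HijackThis's own code). The sample log is built from lines quoted on this page plus two constructed benign lines, and the threshold of three host names per address is an assumption.

```python
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlparse

SUSPECT_DOMAINS = {"about-blank.ws"}   # from the R1 lines quoted on this page
HOSTS_THRESHOLD = 3                    # assumption: names per address that counts as a redirect block
LOOPBACK = {"127.0.0.1", "0.0.0.0"}    # blocking-style hosts entries, not a redirect

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Lines from this page, plus a constructed localhost entry and a constructed ctfmon entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
"""

def parse(log_text):
    """Return (code, body) for every well-formed entry line."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def check_ie_setting(body):
    # Body looks like "key, value name = URL".
    if " = " not in body:
        return None
    host = (urlparse(body.rsplit(" = ", 1)[1].strip()).hostname or "").lower()
    for dom in SUSPECT_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return f"IE setting points at {host}"
    return None

def check_run_entry(body):
    # Body looks like "HKLM\..\Run: [name] command line".
    m = re.search(r"\]\s+(?P<cmd>.+)$", body)
    exe = re.match(r'"?(?P<path>.+?\.exe)', m.group("cmd"), re.IGNORECASE) if m else None
    if not exe:
        return None
    folder, name = ntpath.split(exe.group("path"))
    # Per the write-up, only the copy in the System32 folder is legitimate.
    if name.lower() == "svchost.exe" and ntpath.basename(folder).lower() != "system32":
        return f"svchost.exe started from {folder}, not System32"
    return None

def check_stylesheet(body):
    m = re.match(r"User stylesheet: (?P<path>.+)$", body)
    if not m:
        return None
    path = m.group("path").strip()
    odd = ntpath.splitext(path)[1].lower() != ".css"
    return f"user stylesheet {path}" + (" (extension is not .css)" if odd else "")

def analyze(log_text):
    """Return (code, reason) findings in log order, hosts summary last."""
    findings = []
    names_by_ip = defaultdict(set)
    for code, body in parse(log_text):
        reason = None
        if code in ("R0", "R1"):
            reason = check_ie_setting(body)
        elif code == "O1":
            m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
            if m and m.group(1) not in LOOPBACK:
                names_by_ip[m.group(1)].add(m.group(2).lower())
        elif code == "O4":
            reason = check_run_entry(body)
        elif code == "O19":
            reason = check_stylesheet(body)
        if reason:
            findings.append((code, reason))
    for ip, names in sorted(names_by_ip.items()):
        if len(names) >= HOSTS_THRESHOLD:
            findings.append(("O1", f"{len(names)} host names redirected to {ip}"))
    return findings

if __name__ == "__main__":
    for code, reason in analyze(SAMPLE_LOG):
        print(code, "-", reason)
```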


 


 

 

 


 


Revised Friday, August 27, 2004. Douglas Palaschak