After effects of about:blank is driving me crazy

Discussion in 'malware problems & news' started by No Worries, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. No Worries

    No Worries Guest

    I've had one of the about:blank trojans and I seem to have removed it, but with one irritating exception which I hope someone can tell me how to resolve.

    A bit of background: Win98SE PC, I’ve used CWShredder, HijackThis, regedit and sorted out my registry, removed the hidden and visible dll etc. Internet Explorer now works OK.

    However there’s an exception if I try to go to I end up at ~snip - removed link, against TOS - Blackspear ~ (do not go to this URL) which is the about:blank site rather than MSN search.

    My hosts file is OK and if I use Firefox and enter the same URL it correctly takes me to MSN search, also ping shows the correct IP address (I checked it against another PC). Therefore my thinking is that it has to be an IE specific or rogue registry entry? I've tried searching the registry but I'm going nowhere.

    Anyone any ideas?

    Thanks in Advance
    Last edited by a moderator: Feb 12, 2005
  2. Bubba

    Bubba Updates Team

    Apr 15, 2002
    The topx URL that was removed in your post is almost a certain indication that you have not successfully and/or properly removed the hidden dll file....nor the registry reference from SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

    Having said that....I suggest you either visit our General Cleaning Instructions link below....or....If those steps do not resolve your situation, you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: and Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    This link---> GENERAL Virus and Trojan removal Instructions
  3. Mephisto

    Mephisto Guest

  4. GlobalForce

    GlobalForce Regular Poster

    Jun 30, 2004
    Garden State, USA
    Hellooooo ~ No Worries,

    You know, it's always interesting what one will find researching ... ;)

    What 'vanagon40' says about most of the searches on the web to remove this unwanted evil...about:blank, do in fact surround WinXP. From what I gather, following articles from the various spyware websites....the methods for determining the hidden files boil down to two options on Win98 not including HJT (at least that's my take).

    Onward.......This first shed of light suggests your thinking this to be IE specific may be correct, instructing to open
    IE - view 'source' - and aw heck, I'll just let 'Rick' take it from here (his first post about a fifth of the way down here).
    Mind you, IMO this is just one possible step in moving forward to discover the hidden source code dll in IE.
    While his last few lines for renaming the file coincide with the widely described method of deletion in XP...
    (via the Recovery Console), I'm not sure I agree with his final two lines/statements.

    If no luck on a reboot, may I suggest deleting it from a real DOS prompt...NOT a shell.

    Moving right along.......This time returning to our friend 'vanagon40'....
    check out his about:blank removal procedure which will involve a tool called 'PrcView' (available on the page),
    and again....a 'real' DOS prompt. All this with a grain of salt please, as I have not the direct experience.

    Find the "MAN" at ShortMedia.

    Best on this No Worries,
    Last edited: Feb 12, 2005
  5. No Worries

    No Worries Guest

    Thanks for the URLs Bubba.
    Although I had removed both a visible and hidden dll, there was something else which I found using msinfo32 and which also showed up in StartDreck in the registry setting RunServicesOnce.

    I don't know if it really is a fortran prog but I found QTFOXT.FOR in C:\Windows

    I renamed it and re-started. Startup complained that it couldn't find dll as you'd expect.

    Removed registry entry and renamed QTFOXT.FOR and all seems OK at the moment.

    By the way, CWShredder, Spybot and Adaware did not find this program.