Can anyone help me fix an about:blank infection in Windows 98? I've had some limited success with a combination of HijackThis and Killbox and now it's at least dormant, but it comes back whenever I use Internet Explorer or related programmes such as MSN Messenger. Before posting I've read a lot of previous threads here about this problem, but the fixes suggested either don't seem relevant to my case or are for Windows 2000, and I can't quite translate them into Win98 terms. Using regedit I've found there's a folder added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall called 'SearchAssistant Uninstall' that has an uninstall string value that always features the latest version of the 'random' dll - e.g. at the moment it's regsvr32 /s /u C:\WINDOWS\SYSTEM\KLCIABA.DLL Would it help to delete this? And if so do I simply right-click and delete the whole folder? Also, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows there's a folder just above the 'Current Version' folder called 'Curent Version', spelled wrongly like that, which appears to be empty. Could that have anything to do with it? I would be very grateful for any help anyone can offer. If this should be posted in the specifically Windows98 forum instead of here please let me know. Regards, Leesh

I'm not going to play the expert on this one but just to mention that the Uninstall folder is quite normal. I wouldn't therefore go and delete it. The strange entry itself (in the right pane) is quite a different matter. Hold on for advice though because it is not always best to delete things where nasties are concerned. If you are tempted then backup your registry first. Derek.W

Sounds like you have the 180Search Assitant. You can read good tips on uninstalling it here, http://www.sawtoothdistortion.com/Articles/Uninstall180Search.html Also, I hate MS for alot of things, but I have found a tool very usfull, personally and on the phone as Tech Support, MS AntiSpyware Application. A link to it is on microsoft.com homepage. There is a option to 'Recover a Hijacked Browser' I think you may find this useful as I have in the past. Good Luck. Mike

Microsoft Windows AntiSpyware (Beta): System requirements Microsoft Windows 2000, Windows XP, or Windows Server™ 2003 Windows 98 was specified as the OS in question (several times) Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

check msconfig for any unknown startup file and disable, may delete wrong curent version folder, suggest bacing up registry first, just in case, and delete *ooo.cab later, cause of errors... try going into safe mode (f8), use toolbarcop to remove BHO plugins if any,.. http://www.majorgeeks.com/download4126.html , try solo antivirus demo, http://www.srnmicro.com/ , try adawareSE scan, using regedit , search and delete files and folders there in, empty temp folders, restart normal mode , reset desktop , run scanreg for errors, run sfc.exe for changes and update, run regclean if possible to fix errors http://www.createwindow.com/wininfo/regclean.htm ,

Thanks to all. I'll try Bofra's suggestions, although I've already tried msconfig and seen nothing that looks suspicious, and HJT removes the BHO but it comes back as soon as IE is started. I'll post back and let you know.

Well, it worked for a while. Think it was cleaning the Windows/Temp folder that did it. I did that before, right at the start of the hijack, but it turns out some suspicious stuff re-appeared there in the meantime. Appeared to be clean after I ditched it. What's more it stayed clean after I opened Internet Explorer, which is a small victory as that normally starts it off again. However, I then started MSN Messenger, which caused the SE.dll to reappear in the Temp folder before my eyes. Deleted Messenger, cleaned up again, everything seemed OK. At exactly 00.00 on my computer clock, though, two more of the suspicious files (huge TMP files called Und and then a four-digit number) appeared in Windows/Temp. I'd been watching for this as something similar had happened at midnight one time before. I deleted them and ran HJT; didn't seem to be re-infected, no SE.dll or BHO or about:blank entries. The exact same thing happened on the hour at 1 am and again I deleted them. I watched for it at 2 but it didn't happen. But I wasn't connected to the net then, and I think I was at 12 and 1, so maybe that has something to do with it, or maybe it just likes messing with your head. I'm going to try uninstalling or deleting Microsoft Works Calendar, on the grounds that it has a timing component, unless I can find a reason why not. Can anyone suggest anything else with a timer where the thing may be lurking? Or am I barking up the wrong tree? By the way I chickened out of deleting the registry folder for now. Thanks for your help so far, and in advance for any more ideas, Leesha PS. I naturally intend to ditch IE after this - is it safe to download Mozilla while the a:b may still be lurking somewhere or would that get infected too?