You might take a peak at this: Variant 38: CWS.Searchx (about:blank) This has been a popular little headache for some time. Also refer to Variant 39 on that same page. On the subject of having patience and giving thanks.... Nonsense! I have given up my children, my home, my paying clients, and my business to help people for free on Computing.net! We all should! Wait a minute...I was confused. That is the exact opposite of what I meant. A little humor goes a long way. Ranchhand is right...It is nice when people say thank you. My clients usually say "thank you" by signing the service invoice and writing the check... But that's another story. :) Keep truckin' all. AOSCLAY CWS really sucks...sorry. Got Shredder?

0

Wow! what a storm of protest i have created! It is great to see you guys are all so passionate about what you do. Reading others posts there I can see that 'about:blank' is a very complex problem however. In fact I posted my HJT log on July 4th to the Wilders Security Forum; http://www.wilderssecurity.com/forumdisplay.php?f=26&page=18&sort=lastpost&order=&pp=25&daysprune=60 To date, there has been no response to that posting. gazzapee

0

i know it seems to easy but this worked for me. Hi All. After following the instructions from the info & links below i no longer have any of the symptoms associated with the about:blank problem. Did not have to d/l HijackThis, CWShredder or alter any registry keys whatsoever. I thoroughly recommend it. Dogger Here's the fix we used... http://s12ds2.ewizard.cc/uninstall.exe Virus check on the executable with Norton, none found. executed file and changed homepage to google. rebooted - launched MSIE and about:blank loaded as homepage again, but the page was blank; as in void of any alpha-numeric character or image. ran executable again. reset homepage to google again. rebooted again. Launched MSIE and google loaded correctly. Ran regedit search for home:blank with zero results. Thus far, appears to be corrected

0

Further to Dogger's comment, I stumbled on a reference to this uninstall file. Link was www.oz.msie.tv I believe. Site is a cool web search page, but square in the middle is an "uninstall software" button, which leads to an uninstall.exe download. File is all of 7K but seems to have removed the evil thing. Many other removal attempts resulted in the item reinstalling itself in a matter of minutes, but this seems to have stuck. The commenter who provided this solution said he had located the link by revealing the html code on one of the offending pop up pages. Interesting twist to a sick, but very hardy piece of code. And yes, I have read countless postings by some very ernest and dedicated posters. Hats off to all of you and to the person who pointed me to the uninstall.exe file.

0

Thanks Dogger and others. I downloaded the executable and copied it into both Windows\System32 and into the IE folder and ran it. So far IE is now returning to my chosen home page, although when I reboot Spywareguard keeps telling me my homepage has been changed. If I just close SWG (and ignore its message), my proper homepage loads. I'll post again when I'm sure this exe has done the trick. By the way, my about:blank has always bought up a blank white page - no text or graphics have ever appeared. The source code just reads <html> <html> or something similar. gazza

0

Spoke too soon... Painful too say, but it did reinstall itself after 24 hours. Ran the uninstall program again and it is gone, but will simply reinstall itself again. Oh well, using Mozilla is an option since the critter does not affect it.

0

Can I ask a question? Why is everyone so comfortable running an unknown "uninstaller" from... (forgive me if I am speaking incorrectly here) ...unfamiliar and unknown sites? There is such a thing as asking for trouble. Were you familiar with these sites, their reputations, and the utility before you downloaded it and ran it? Or did you just "see it somewhere" and let it rip? Kind of scary, don't you think? Especially since you downloaded it from what one of you professed to be a CWS page. Brave...foolish...but brave. Then again, so was trying to go to the moon. So NO, I am not ripping you guys, just a little surprised. Good Luck! Hope your mysterious "uninstall.exe" hasn't installed more trouble than its worth. Be careful all, its a jungle out there. AOSCLAY PEBKAC

0

PS: I did some checking around... I can find no indication or confirmation that the "removal" utility listed above is safe or legitimate. In fact, aside from one person touting its prowess across every secruity site they can find, I see very little evidence that it works. And I have no idea if it is safe. Yet. From another user elsewhere: "got some experts to check it out..... Basically ... It doesn't work It deletes the BHO ... but doesn't find the hidden file (reinstaller) in the AppInit_Dlls It cleans the filter key ... but leaves clsid's It cleans some browser pages ... but not others If anyone has the hidden reinstaller, it will only appear to fix it temporarily. some of the links on the uninstall page appear to be "iffy" ...I would not advise going there without your guard up, and all security settings on maximum" I agree. Use all caution if you decide to try it. Good luck AOSCLAY This is harder than it looks

0

For those people whose homepage keeps resetting to "about:blank" (CoolWeb Search) no matter what you do, you can screw around doing this and that with your registry looking for renegade .dll files (are you serious?), or you can do what I did. No guarantees, but it worked perfectly for me: 1)Download/upgrade "Ad-aware" to version 6 (check for the latest updates also). 2)Download and unzip "SmartKiller" CWS variant identifier freeware. 3)Download "CWShredder" with latest updates. 4)Disconnect from Internet, open IE, delete homepage address, enter yours, "apply", and close IE. 5)Run "SmartKiller" to determine which CWS variant you have. Hopefully one of the milder ones. That should give you a better idea of what you're up against. You should be able to eradicate milder variants without a lot of effort. 6)Run "CWShredder" to locate and eliminate CWS variant parasites. 7)Launch IE (off-line)and reset your home page address as required. If IE defaults to "about:blank", delete the address, enter your homepage address, "apply", close IE, and run a full Ad-aware6 sweep to remove any dead CWS remnants. Open IE off-line again and it should try to launch to your home page address. If not, reset your homepage address again, "apply", close it, and then reopen it (off-line), and it should try to launch to your page and indicate that it can't find it. At that point "about:blank" should be gone and you should be good to go. I've been running for 24 hours without any IE or system problems. Ad-aware 6 is very good at identfying and cleaning up CWS variants but it will not eliminate them from your system. I know, I tried four full sweeps but they still regenerated! I was going to try using "Spybot" but there was no reference to CWS variants or "about:blank" in their list of recognized agents. From what I read on their website, Spybot is not designed to remove hijack agents. I recommend that you update your IE with latest security updates and tighten your personal security settings. Good luck! What the ......?

0

Hi everybody! Thanks for all the ideas and comments posted about my problem with ABOUT:BLANK hijacking my home page. All replies are read and digested, but I have to report that after installing <http://s12ds2.ewizard.cc/uninstall.exe> into both Windows/System32 and the IE folder, and running it in each just to be sure, I have not had any further problems with IE straying from my default homepage - and it's now nearly a week! I decided to take the risk of it possibly being a 'suspect' file in itself - but what the hell else can you do when something so frustrating is bugging your life? Rich B. I'll keep your scheme in mind if about:blank returns. Has anybody thought about reporting the Coolwebsearch people to the international police for all the invasions of privacy they are causing? gazzapee :=]

0

I agree, I would be VERY wary of any exe file, whatever it claims to do, from a site which has already hijacked your browser. (Actually, forget wary, I wouldn't touch it with a bargepole!). Ad-Aware 6 is good, but I would also recommend anyone to upgrade to AdAware plus. You have to pay for it, but it's not too dear, and it includes AdWatch, which runs in the background like and anti-virus program, and blocks most popups and browser hijack attempts before they happen. It's not 100% effective, but it's pretty good. The other thing to check, if you're comfortable with it, is the Run setting in the registry. Browser hijacks quite often download a file to your Windows directory and set the registry to load it each time you start up. This file resets your IE settings back to Coolwebsearch (or wherever). It also often sounds like a legitimate windows file, to try to fool you. (MSDOS.exe is an example - there ain't no such windows file, but many people would be understandably wary about deleting it). And, depending on your version of Windows, I've found some that load files by editing the good old win.ini file that most people forget about these days. By the way, do you have a firewall? You may be able to configure it to block access to coolwebsearch, but you should also check that the uninstall program, having fixed the home page, isn't quietly sitting accessing the internet, passing information on or allowing somebody else in to your machine! Hope that helps.

0

Thankyou for your comments Callen. I have since run SmartKiller CWS variant identifier and CWShredder (as suggested by Rich B.) just to make sure and they both reported no current infestation by CWS. I am having NO trouble with my homepage changing so far. there's nothing unusual in win.ini. I am running XP's normal firewall in 'medium-high' mode, but have no third-party firewall on yet. When I find one that is easy-to-use (without having to have a degree in rocket-science), I will install one. gazzapee

0

Zone Alarm is a pretty easy-to-use windoze firewall. You can download the free version here: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_50_590_043.exe

0

Still no problems folks with home page changing now. Seems <http://s12ds2.ewizard.cc/uninstall.exe> did the trick. No other signs of any other intruders - all checking programs report clean. gazzapee

0

My first experience with this happend yesterday at a new clients site. Hardware: * Home made PC by someone that no longer works with them. * 2 Hard drives one with an FTS partitioned drive the other with NTFS. One HD has XP and the other with 2000. * Multi-boot menu for each of the above. Software/OS info: * Running XP OS without current updates/patches. * IE also not current with patches. * Ad- Ware - 6 on system but definitions out of date. Symptoms: When launching IE a pop-up to a background window at full screen. Shows "about:blank" in the Title Bar. System was operating at turtle speed. Every attempt at exiting the "about:blank" windows, there were several, nearly halting/hanging the entire PC. Suddenly there were 4 or 5 different applications on the desktop with fancy icons. One dealt with loans, another for XXX sites(porn) another for Pharmacy something or other, finally another one for Bargains something, I think. Looking at the properties of each Icon showed that, if activated, would launch to a URL, I will try to get this info. and post later. Problem is, is that this is a "very much needed PC for the client and difficult to document everything. (I'm still working on it, but think I got rid of it?) One of the worst symptoms was the inability to launch the Task Manager and abort anything. (Still have this symptom) Things I tried, (without prior knowledge of all these posts and others across the Internet); 1. Aborting IE windows, (no go, can't get Task Manager to launch) 2. Continuously hitting the X at top right of each window that seemed to be hanging; which, as I found out later was downloading some junk the PC. 3. Right clicking on the icons on the taskbar and choosing close. Was then getting the typical Abort dialog that you get when you end a task on some app. This enabled me to get to a normal desktop. 2. Running Add/Remove Programs and removing all unwanted software. 3. Searching the Registry for all instances of "about:blank" text. Found multiple entries. (I figured deleting them was going to cure my problem...NOT!). Then shutting down the system and rebooting so it would see the new registry. 4. No joy! :( 5. Booted to Safe Mode and re-ran Ad-Aware. Helped somewhat, rebooted. 6. Went immediately to the registry and removed the returning entries of "about:blank". Checked for any new programs in Add/Remove (none found). Checked the default Home page in IE and removed what shouldn't be there and put something else there. Rebooted again. Closing notes: This bugger is a real pain in the you know what!! All I could think of is why hasn't this company been shut down, and/or someone should storm there URL sites and any other sites that promote/push this stuff out. This is real crazy, and I can't even imagine any company that associates with them making any money from this. So it leads me to believe that the motive is much more sinister. At this point I am convinced it is a virus of a very serious nature. After a search for anything even remotely related at McAfee I found nothing; Keywords used: CWS, about:blank, CoolWebSearch, Cool. Anyway, this might get more professional recognition if we were to post it at the various Anti-Virus sites. My saga still continues and logic would have it that the information at this URL is and will be very helpful: http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder We shall see, not that I don't trust the above source. I just think I have a variant of the original "about:blank" instance. Which may turn out to be a very serious problem. Not that it isn't already. : ( Anyway, sorry for the long post. If I don't get flamed for it : ) I'll report back on my findings soon. Good luck ya' all Gary

0

Why don't you email the websites of virus scanner companies? Me, I email them whenever a virus enter my computer, which happened 3 times. :) Expert™

0