I run Windows 2000 XP in danish. Maybee the bug has another name in XP-enviroments. I renamed a file called "pjjogha.dll" (36 kb) to "oldpjjogha.dll",reset my default page, restarted the computer - and that solved the problem. What gave me the tip was Jefferys instructions (thanks Jeffery), and the fact that it was a "dll" file, and it was changed on the same date and time, as the problem began. Goood luck everybody! Rix - Denmark

I have the same problem eith the 36 kb dll file. I have cleaned the registry and removed the 36 kb dll file and low and behold another 36 kb file gets created automatically. There is something else on my system generating this 36 kb dll file from time to time. I don't even have to be surfing the web for it to be generated. Also the 36 kb dll file always has a different name. Any Idea's? Tiger Fred - Hawaii

Hey Tiger Fred.... I've been having the same problems. Here is my analysis of the whole situation: There is an application running on my laptop that installs a BHO (browser helper object) in my registry with each browser activity. This also installs a randomly named DLL in my c:\windows\system32 folder that is 36KB in file size. Viewing this DLL in wordpad reveals it is the about:blank hijack. I have run the following anti-spy ware products: Ad-Aware 6 Professional (updated) - NOTHING HiJack This - NOTHING UNUSUAL CWShredder - NOTHING Norton Antivirus Corporate - NOTHING Spy Ware Blaster - NOTHING Spybot Search & Destroy - NOTHING So i am completely unable to remove the cause of this problem. I am however able to remove the result by using Ad-Aware Ad-Watch, and a tool called SpyWare Guard. However, they both popup every time I open IE or Outlook and inform me that it is trying to install new BHO's, DLLs, and homepage hijacks. I also have to rename the DLL to *.sav every time. Very annoying. Any help would be greatly appreciated. Shane - Toronto Canada

I have the same problem. I have tried some antivirus softwares. But they could not find anything!?? Someone is HiJacking our computers. We should format the hard drive and do the clean installation of the OS. Save your data on cd or disk. If you use DSL, be careful, someone can copy all of the data from your computer in minutes.

Hey Everyone, thanks for all the responces because it lead me to a solution that has worked. System = XP service pak 1 Like everyone here my home page kept being reset to about:blank and there was a search page that would startup. I took everyone advice by first running spybot spyware detector, then I ran ad aware. Neither of which found the problem (But they both did find numerous other spyware application) I tried removing the about:blank in the registry as described above(this worked until I rebooted and I was back to having about:blank as the home page) Finally I took shanes advice and I did a search on C:\winnt\system32 for *.dll over 39KB (the actual size is 36KB, but you need to set a higher threshhold), that where less then 1 week old. I found the DLL qkajk.dll and I renamed it qkajk.old. After that I reset my home page and rebooted my system. After that everything has been good to go. hope this help everyone PJ PJINLA_OK

i had the same problem with ABOUT:BLANK in my case it was file "C:\winnt\system32\bdd.dll" 36kb i had boot up in safe mode, renamed file and then deleted all registry entry with bdd.dll now seems to be okay

I am also having trouble with home page hijacking as of about 4 days ago. I am in France running Windows ME in French. Ad-ware freeware version finds nothing. I have searched all of C: for the suspicious .dll files by date and by size but find nothing that is not associated with a known product (Panda virus scan which couldn't run to completion). Anyone got any suggestions for ME other than a complete reinstallation ?(which would cause me to lose the programs for which I can no longer find the CDs lost after many moves) Thanks, Judy (PS where does about:blank come from?)

DLL name are randomly created by main driver that hidden in registry with ligit name such as MSN, or HP.., or msicrosoft, etc, so hard to delete by myself (rookie.. or rest of us) I just renamed 36KB DLL that created on 2-3 days old range(in my case 5 of them) to .OLD. no more hijack after. Steve

The recipe for riding yourself of about:blank search hijacker is as follows. There are two malicious .dll files on you computer. One is visible and can be easily deleted. The other is HIDDEN. The hidden .dll regenerates the viewable .dll if it is deleted or changed. The hidden file is the problem. To rid your self of the hidden .dll, which is the core of the problem, do the following. Download three free programs and install them. 1. Taskinfo 2. Killbox 3. CWSShredder http://www.iarsn.com/taskinfo.html (trial version works for this) http://download.broadbandmedic.com/VbStuff/KillBox.zip http://www.spywareinfo.com/~merijn/downloads.html Open Internet Explorer with the about:blank page. Then open taskinfo program. Look for “Internet Explorer” on the left side and highlight it. On the right side, open the “Modules” tab. You will see a list of .dll files. Sort the files by Company. You should see a few .dll files that don't belong to any company or don’t have any description. In the list should be both the malicious secondary .dll that is generated by the malicious core .dll AND the malicious core dll. Again, they should not have any legitimate company name or description. Run CWSShredder. It will delete the secondary .dll that is generated by the hidden core .dll and all associated registry entries. Run Killbox. In the "Paste Full Path of File to Delete" box, copy and paste the following: c:\windows\system32\(whatever your identified core filename is).dll Note: One will not find the malicious core .dll if one searches for it using windows explorer or the file search engine. It is hidden. IMPORTANT: Click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". Then it should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so. After reboot, use the Taskinfo program again to check to see if the identified malicious .dlls are gone. Don’t forget to open Internet Explorer to do this. Run CWSShredder again and/or updated ADWARE program to remove remaining garbage. DONE!

About:blank is still driving me nuts! I have located the created .dll and deleted it three days in a row. A new one gets created each time. I tried the suggestion of Taskinfo, but a "core" hiddlen .dll was not revealed. I'm still looking for ideas. Something keeps creating a different .dll and it seems to be connected with each new day. I reset my OS calendar to a day ahead and it created a .dll as if it was "the next day". Suggestions?

I ran into this problem today (about:blank). I use AdWare and SpyBot on my XP system, both failed to resolve the problem. Spybot found the BHO entries, but changing them failed, as everytime IE was started the entries would revert back. Changing the registry directly also failed, as it would revert back everytime IE was started. Creating an new user, logging in w/ that account, and then immediately checking the registry (for IE/Main) showed the default entries. After starting IE, the entries changed to about:blank (along with some other very long strings starting with "res:"). Checking for all the new files listed or touched the day of the problem showed a suspicious dll (make sure to include hidden and system directories). In my case it was named cnfld.dll in %systemroot%\system32 directory. Deleting this resolved the problem (for now). The two posts above are worrisome, as hidden files are a pain. In addition to the tools listed above, sysinternals.com have some excellent tools for tracking problems. I imagine that their filemon or regmon utils would be able to track the offending procs/files. On a broader note, locking down a Windows systems (surfing as a non-admin account, not allowing anyone but admin to write to the %systemroot% and registry (besides HKCU), etc. would cut down on these spyware and virus problems (the trade-off being less flexibility for general users and having to switch to admin to install anything...). Another solution would be dumping Windows altogehter and running a "real" OS, like Linux :)

DO NOT REFORMAT YOUR COMPUTER! First if it keeps coming back, it is probably in System Restore so do the following: Delete temp, temp internet files and history. Turn off system Restore. Rerun Hijack This and remove any of the entries that you see already mentioned above. REPAIR IE: Click start, cursor up to settings, then click control panel. Next, click add/remove programs. Scroll down to "Microsoft Internet Explorer& Tools..". Highlight it, then click add/remove. (((Have no fear, this will NOT remove your browser! ))) A box pops up, with the option to repair. Select it, and allow it to run it's course. Reboot. When finished, Turn system Restore back on. __________________ JIM 5875

Hey Everyone! I did all previous steps to solve this problem; nothing seemed to work, after a few days I will get the virus again. Finally I found the proper way to get rid of this virus. The key is to find the hidden DLL, since there are two, one will be modifying your internet explorer pages and resetting them to about: blank, the other is hidden and loaded at all times, first you need this program: http://www.resplendence.com/download/reglite.exe Open reglite and paste this value in the address bar: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Then double click: AppInit_DLLs You should be able to see a file with this address: C:\Windows\System32\"Hidden".dll Clean your system with all the previous anti-virus programs. Then in to the windows console (Windows set up option) go to C:\Windows\System32, there modify the file by using the Attrib command, otherwise you won't be able to erase it, another way you could, is to change the name of the file. Reboot your system and open reglite again, go back to the same key: AppInit_DLLs, Now delete the value. That should do the trick

Also among the afflicted. In my case, it has been since 3/29/04. I have identified the offending DLL but cannot rid myself of the hidden one. David, I notice the remedy you posted applies to WINNT, is there a Home XP solution? Have tried them all. HELP Thanks

Hi Lorrie, The fix that I posted is actually for Windows XP, just follow the directions and you will find the hidden DLL.

Dave, i tried your method and found the hidden dll wih registrar, but when i look in system32 for the dll it is not there, only the non hidden one. i have show hidden files enabled. any ideas?

Lorrie, the hidden file will not show unless you are in DOS prompt, you will have to access DOS through the windows xp console, or by using a bootup disk, then you will have to rename the file, after that you should reboot and go back to reglite to erase the registry reference.

Dave, the hidden file is not showing up in the command prompt either. I am stumped. what exactly do you mean by windows xp console? i am using the command prompt which can be found in accesories in the start menu, is this correct?

Dave, REGLITE/REGISTRAR shows the hidden file for me to be msa.dll. For those who don't understand "Windows console" or "DOS console" in XP, go to START, RUN, key in the command COMMAND.COM and you are in DOS mode. Dave, from here I navigate to C:\WINDOWS\SYSTEM32, do a DIR |MORE and look and do not see msa.dll. From here I tried to DEL msa.dll and get "COULD NOT FIND C:\WINDOWS\SYSTEM32|msa.dll". I noticed that after entering the registry key in the REGLITE address bar and clicking "go" the description that pops up below the address says, "Configuration data used by 16-bit Windows 3.x applications running on Windows 2000 and earlier." I am XP as you said you were. Is this the correct registry key for XP? If so, I get different results. REGLITE shows me msa.dll, but I cannot find it in DOS mode in WINDOWS\SYSTEM32. Any suggestions?

The "console window" that people are referring to means the Windows Recovery Console, not the plain DOS prompt you can find in your START menu... here's how you can access this console: (X = your CD Drive) 1. Pop in the Win2000/WinXP CD. 2. Run X:\i386\winnt32.exe /cmdcons 3. A dialog comes up saying it takes 10mb, etc., etc. - Click yes to install. If you already see the boot menu you're done. If you don't then lets make it appear. Right Click My Computer Click Properties Click advanced tab Click startup and Recovery Settings Check Time to Display List of Operating Systems Set the timeout to something reasonable like 10 seconds Apply the settings, reboot, and you should see the new option to go into the recovery console. ...Anyway, once you've got that thing fired up (BTW--you'll need the Administrator password for your computer to access the console), you can use Dave's message from May 03, 2004 at 10:23:37 Pacific to wipe this thing out. On a personal note, I just went through the same crap everyone else has gone through with this hijack, and I would love to give a permanent limp to the author of said annoyance. Good luck everyone!

Good people, I followed Jim's advice (response 18) to the letter and it appears to have worked a charm. I downloaded HijackThis from the 'net, ran the scan, examined each of the classes of file (for my own benefit/curiosity, comfort and edification), identified a common "kob.dll/sp.html" file in the registry (R1 and R0 classes) unattributed to any known software (as warned about above) - and, in fact, labelled "(obfuscated)", located a dreaded "\Main,Homeoldsp = about:blank" (an R1 class registry file) and a further 02 class - BHO: "...C:\Windows\System32\kob.dll" file. I used the HijackThis "Fix" key which (I think) just deleted them and then closed HijackThis and rebooted. No more about:blank! Great. Reset system restore and, I think, we're now OK. However, I do have a firmware firewall through a router which I installed just after the sasser.worm busines started and I think just too late to stop this about:blank nonesense getting in. Who knows - maybe I'll boot up tomorrow and there it will be. C'est la vie! Finally, thanks again Jim 5875. Bob

Good People II I forgot to mention that I also removed IE through the Control Panel/Add/Remove Programs. As I have XP it was not exactly as Jim described it. In my case it removed the version I had installed and re-installed a previous version (how it did that with "system restore" switched off is beyond me). Any hoo, it all worked and when I went back to Windows Update it recognised that I no longer had the most up-to-date version of IE6.0 and re-intalled what I'd deleted. How good is that...? Bob

I was half way thru typing my novice, half-assed, but effective solution to the about:blank hijack, but I then realized the low life that created it would find my post and make it smarter than it already is. If you can prove yourself somehow to be a legitimate victim of this nuisance I will send you the details. it's me