Guest Ez2k3 Posted August 15, 2004 Report Share Posted August 15, 2004 Which DLL file is the about:blank page located in? My friend clicked on ad that said: "You got spyware" (he was so stupid to belive it ), and now i got some kinda virus, and i want to remove it by my self...I guess i only open the DLL file then go to the directory where the HTML files are located, and then remove the code, and set in the new code i want in... But if anyone knows where i can find that file please reply. Quote Link to comment Share on other sites More sharing options...
silver_surfer Posted September 14, 2004 Report Share Posted September 14, 2004 Programs Needed: Reglite.exe (available at “ http://www.resplendence.com/download/reglite.exe ”) Microsoft Recovery Console (an option available on your Windows CD or root drive) run “X:i386winnt32.exe /cmdcons” where “X” is either CD drive letter or is “C” for your root. HiJackThis.exe (available at “ http://download.com.com/3000-2144-10227352.html”) There are two application extensions (.dll) files that Need to be deleted. One is hidden, one is detected with “HiJackThis.exe” 1) With “Reglite.exe” find name of hidden file: Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows” The “value” window reveals the hidden file name. (mine was “hlpl.dll”, yours may be different!) In this example let’s call it “hidden.dll” 2) Rename the hidden file: Close Windows and reboot using “Windows Recovery Console” Go to “c:Windowssystem32” and do two things. Change file from read only by typing “attrib –r hidden.dll” Then rename it (I don’t know why, but this procedure did not work until I renamed it) type “rename hidden.dll nasty.dll” (and remember that “hidden.dll” is for this explanation only use the name you found earlier) Type “exit” and reboot to Windows. 3) Edit registry to remove hidden file Run “reglite.exe” again. Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows” Delete the file in “value” window, the “size” window changes also. “Apply” changes and exit “reglite.exe” 4) Edit registry to remove the second file Run “HiJackThis.exe” and scan the registry. Check the boxes to remove the following entries: “R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated) R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated) R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated) R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated) R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated) R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated) R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank” (as you can see my second .dll was called “jheckb.dll” yours may be different) For this example let’s call it “obvious.dll”. Finally delete the two .dlls (“hidden.dll” and “obvious.dll”). You should be running again. Be careful. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.