About:blank spyware

german.vera_at_gmail.com
Date: 12/20/04


Date: 19 Dec 2004 20:27:29 -0800

Hi,

My Internet Explorer was recently 'infected' with spyware that turned
my homepage to "About:blank". I tried the usual spyware removal tools
without success.

Today I finally got rid of it, so I'd like to share what I know about
it (I did not keep track of all that I did, but I hope this brief
summary may help anyone with the same infection):

- Everything starts with an unauthorized installation of an Internet
Explorer toolbar or BHO (Browser Helper Object). After it was installed
I went to Add/Remove Programs and uninstalled it. However, although the
toolbar disappeared, the BHO entry in the registry remained, along with
some exes and dlls.

- This spyware has two exe files (c:\winnt\system32\ntmw.exe and
c:\winnt\system\winen32.exe). They are added to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
RunOnce registry keys respectively. These exes apparently create dlls
with random names in C:\winnt (a new one is created when you get rid of
the 'current' one). The 'current' dll is the BHO that creates the
Internet Explorer registry entries for the homepage, search page and
others (in HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main). You will find the name of the current dll using
HijackThis, or using Regedit and going to the Internet Explorer\Main key.
The dll entries in the registry are of the form
res://c:\winnt\xxxxx.dll/sp.html#28129 (where xxxxx.dll is the name of
the library).

- The dlls appear to be COM objects (not all the normal COM registry
keys are present, but they can be unregistered with regsvr32 -u). They
are hidden and their 'modified date' seems to be random. They are 55 kB
in size.

- I used three tools from sysinternals.com to track and remove this:
pslist, pskill and regmon. Regmon keeps track of programs that access
the registry. If you track the Internet Explorer homepage key, it seems
that Iexplore.exe is setting it to about:blank. The key to finding the
exes was to track a registry key called Data/MD that was next to the
InprocServer key for the dll (sorry, I did not copy the CLSID).

- To remove the spyware, I started Internet Explorer, removed the entries
for the dll in the registry, killed the ntmw and then the winen32
processes, deleted the exes and then removed the two entries for the
exes in the registry.

Two sites that are linked in the About:Blank page are
www.onemoresearch.net and www.rb37.com.

I hope this helps.

Germán Vera
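A detection-side check for the registry indicators described in the post above, written here as an added example rather than anything from the poster: it parses a Regedit (.reg) export and flags Internet Explorer\Main start/search pages that point at a res://...dll resource, plus Run/RunOnce entries for the two executables named in the post. The embedded export is a constructed sample; the DLL name abcde.dll and the "Sound" entry are placeholders, not indicators from the post.

```python
import re

# Constructed sample of a Regedit (.reg) export covering the keys the post names;
# "abcde.dll" is a placeholder, the two exe paths are the ones the post gives.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://c:\\winnt\\abcde.dll/sp.html#28129"
"Search Page"="res://c:\\winnt\\abcde.dll/sp.html#28129"
"Local Page"="C:\\WINNT\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntmw"="c:\\winnt\\system32\\ntmw.exe"
"Sound"="C:\\Program Files\\Audio\\mixer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"winen32"="c:\\winnt\\system\\winen32.exe"
"""

SUSPECT_EXES = {"ntmw.exe", "winen32.exe"}  # executable names given in the post
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Read the [key] headers and "name"="value" string lines of a .reg export."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_LINE.match(line)):
            # .reg exports escape backslashes and quotes inside string values.
            keys[current][m["name"]] = re.sub(r"\\(.)", r"\1", m["val"])
    return keys


def find_hijack(text: str) -> dict[str, list[tuple[str, str]]]:
    """Flag res://...dll start/search pages and Run/RunOnce entries for the exes."""
    found: dict[str, list[tuple[str, str]]] = {"res_pages": [], "run_entries": []}
    for key, values in parse_reg(text).items():
        tail = key.rsplit("\\", 1)[-1].lower()
        for name, val in values.items():
            if tail == "main" and "internet explorer" in key.lower():
                if m := RES_DLL.match(val):
                    found["res_pages"].append((name, m["dll"].lower()))
            elif tail in ("run", "runonce"):
                if val.rsplit("\\", 1)[-1].lower() in SUSPECT_EXES:
                    found["run_entries"].append((tail, val.lower()))
    return found
```

Export the three keys with Regedit (File > Export) and pass the file's text to find_hijack; the dll path it reports is the one to unregister and delete, and the Run/RunOnce values are the ones to remove after the processes are killed.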


