Re: about: blank

From: Morisot (anonymous_at_discussions.microsoft.com)
Date: 08/03/04


Date: Mon, 2 Aug 2004 19:21:51 -0700

Hi, Dwayne -

I got so aggravated by about:blank and, on top of it, got
Casino Palazzo.

I was ready to throw this computer into the ocean - I had
spent hours and hours trying to rid my machine of these
bloody trojan/spyware/viruses.

Things are much better now. Thanks to all the
people who help at sites like this and those people who
are putting out free programs to kill these things.

(Some important things I tried to resist doing in the
beginning: turning off "restore"; turning off my modem;
running in "safe" mode; running Adaware and Norton AV
IMMEDIATELY AGAIN, right after I had run them.)

A few things - to go along with the great advice
from people like Jupiter Jones, Shenan, Malke, etc. and
the sites they refer you to (And I've lost track of who
kept recommending "Stinger" from McAfee.)

(I thought I was doing just about EVERYTHING - and still
Spybot and Adaware were finding malware and possible
hijack attempts on every scan!) This now seems to have
worked for me:

RAN, and then UNINSTALLED Spybot and Adaware and
CWShredder, (all of which I had been running and generally
were finding things --- but every time I rebooted the
nasties came back!)

Downloaded Spybot and Adaware and
CWShredder "fresh". Immediately updated them. Also
downloaded Adaware(Lavasoft/merjin's) VX2 killer plug-in.

(Followed advice I had seen -seen more than once,
repeated by names I got to trust- in these forums for
setting these programs to deep scans.) Also set my
computer to "show hidden files."

Made sure I had the latest virus definitions for my Norton
AV.

Downloaded Stinger(McAfee) and followed the instructions.

Turned off RESTORE.

Shut down my computer.

Turned off my modem.

Rebooted in safe mode.

Ran Stinger.

Ran CWShredder.

Ran Adaware(twice - deep scan)

Ran Norton AV (twice)

Ran Spybot Search and Destroy.

Rebooted. (Still off line)

Went into internet settings and deleted ALL cookies,
temporary files (INCLUDING checking the box for offline
content.) CLEARED THE INTERNET HISTORY and set the save
pages in history to zero. AND DID THIS FOR EVERY USER ON
MY XP COMPUTER.

I ran all of the above AGAIN.

Turned system RESTORE back on.

Rebooted.

Ran Spybot Search and Destroy (It sets a system restore
point when it is done.)

Things seem better. For me. For now.

.....but if you ever see a computer floating in the ocean,
you will know why!

M.

>-----Original Message-----
>Hi Dwayne - We've been seeing this a lot lately, and these are very
>difficult CWS parasite variants to remove. Try Basic Cleaning, below first
>and then if necessary Approach 1 and/or Approach 2 and/or Approach 3 and/or
>Approach 4 and/or Approach 5.
>
>********Please post back with your results in detail if possible - what you
>tried, what happened, how you ended up - so that we'll know better what to
>advise others.********
>
>#########IMPORTANT#########
>Before you try to remove spyware using any of the programs below, download
>both a copy of LSPFIX here:
>
>http://www.cexx.org/lspfix.htm
>
>AND a copy of Winsockfix
>http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
>The process of removing certain malware may kill your internet connection.
>If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
>to regain your connection.
>#########IMPORTANT#########
>
>
>Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, here:
>http://www.hsremove.com/. "A few days ago I got hijacked - Nothing new in
>that, except this time it was a real [censored] to get rid of. - There were
>simply no tools available to remove this "Home Search" thing. Finally I
>ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you
>find it helpful, then please do not hesitate to make a contribution."
>
>
>Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
>using a malware provider's uninstall, but this particular approach has been
>reported to work if you have the about:blank CWS variant (there appear to be
>at least three or four currently) which leads you to a Search page. Paste
>the following IP into your browser:
>
>195.190.118.131
>
>On the screen you arrive at, you see a "Search For" window, and below it a
>red "Uninstall Software". Download their uninstaller, uninstall.exe. At this
>point I would either use TotalUninstall or make a complete backup/Restore
>Point of my system for safety's sake (on the basis of "at least keep what
>you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html or
>direct dwnld here: http://files.webattack.com/localdl834/tun234.zip
>
>Run this uninstall program that you downloaded from the malware site, then
>UPDATE them and go to Safe mode to run UPDATED versions of CWShredder, AdAware
>and SpyBot per the directions in Basic, below.
>
>
>
>Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk
>
>"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY
>seem to be rid of it for good! It is aka Troj_StartPage.sp and
>BackDoor.Agent.BA. This is what I did:
>
>
>1. Run Regedit, and DELETE the following key:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
>
>The value of this key may look blank for you, but it is not. They hide the
>value so you can't see it. This registry key tells Windows to load the
>Trojan DLL every time ANY application is run giving it complete control to
>do whatever it wants. So you need to remove it so that the Trojan DLL cannot
>load and keep re-infecting your PC. The way to remove the registry key is
>not obvious. If you just delete it from RegEdit, since the Trojan DLL is
>loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs
>registry key and hit F5. Notice that it's added right back by the Trojan).
>
>So what you have to do is the following which worked for me (many thanks to
>"acomputerpro" at the SpywareInfo.com forums!)
>
>2. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
>folder to Windows2.
>
>3. Now delete the AppInit_DLLs key under the Windows2 folder.
>
>4. Hit F5 and notice that AppInit_DLLs doesn't come back.
>
>5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is
>gone, run the latest AdAware 6 to remove the Trojan for good.
>
>6. Reboot your machine, and check the registry and make sure AppInit_DLLs is
>still gone.
>
>Your computer should be free of this for good now. Hope it works for you...
>It seemed to do the trick for me!"
>
>
>
>
>Approach 4 - If you've already tried CWShredder to get rid of this parasite
>(See below, v.159.0.1 or better and fully updated before use), then take a
>look at this thread about manual removal of this parasite:
>
>http://www.akadia.com/services/about_blank_virus.html
>and this one: http://www.daniweb.com/techtalkforums/thread5531.html
>and this one: http://computercops.biz/article-5199-nested-0-0.html
>and this one: http://forum.aumha.org/viewtopic.php?t=6437
>
>
>Approach 5 - I don't usually recommend anything but freeware that I've
>confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here:
>http://www.adwareaway.com/ claims to fix it automatically, and a couple of
>users have reported success using it. I would backup my system before using
>it, however - always try to "keep what you've got".
>
>
>
>
>Basic Cleaning - Note that this symptom often indicates the possibility of
>other malware. You might want to go to this page at Jim Eshelman's site, here:
>http://aumha.org/a/noads.htm or here:
>http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
>patient), while an analysis of a number of possible parasites on your
>machine will be made to help you identify and remove them. NOTE: You will
>need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
>Blocking software which interferes with Java Scripting for this scan to
>work. You should get a message between the two lines of **** giving the
>results of the scan.
>
>
>#########IMPORTANT#########
>All of these removal tools should be run from Safe mode when possible
>#########IMPORTANT#########
>
>For the general hijack case, the best way to start is to get Ad-Aware 6.0,
>Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
>UPDATE and run this regularly to get rid of most "spyware/hijackware" on
>your machine. If it has to fix things, be sure to re-boot and rerun
>AdAware again and repeat this cycle until you get a clean scan. The reason
>is that it may have to remove things which are currently "in use" before it
>can then clean up others.
>
>Another excellent program for this purpose is SpyBot Search and Destroy
>available here: http://security.kolla.de/
>SpyBot Support Forum here:
>http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
>using both normally. After UPDATING and fixing things with SpyBot S&D, be
>sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
>clean "no red" scan. The reason is that SpyBot sometimes has to remove
>things which are currently "in use" before it can then clean up others.
>
>
>Note that sometimes you need to make a judgment call about what these
>programs report as spyware. See here, for example:
>http://www.imilly.com/alexa.htm
>
>
>A currently common parasite is some malware called CoolWebSearch. Do the
>following:
>
>Download, UPDATE before running, and run:
>http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
>Be sure to close all instances of IE and OE. You may also get it here if
>that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
>
>There's a good tutorial about CWS and using CWShredder here:
>http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
>
>BE SURE that you get v.159.0.1 or later!
>
>You will need to show Hidden files first and then at the end clear the
>malware garbage from your System Restore backups after you've cleaned up.
>It's best to perform CWShredder (and most other malware fixers too) from
>Safe mode and then reboot. AFTER cleaning things up, then you can disable
>and then re-enable System Restore. See ******** below.
>
>The following links give instructions on how to do these various functions:
>
>
>HOW TO Restart in Safe Mode
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
>HOW TO Enable Hidden Files
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
>HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
>use the suggested procedure for XP at the ******'s)
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
>(WinXP)
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
>(WinME)
>
>
>
>Then download and run:
>http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
>tabs and remove any restrictions that the parasite has put in place.
>
>Now download and run:
>http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>your search functions if they've been affected (as they probably will have
>been).
>
>
>Be sure that you also download and install hotfix Q816093, here:
>
>http://support.microsoft.com/?kbid=816093
>
>which blocks the exploit upon which this parasite family depends.
>
>
>If they don't fix it then start here:
>
>Download HijackThis, free, here:
>http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
>fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
>You may also get it here if that link is blocked:
>http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>
>In Windows Explorer, click on Tools|Folder Options|View and check "Show
>hidden files and folders" and uncheck "Hide protected operating system
>files". (You may want to restore these when you're all finished with
>HijackThis.)
>
>Unzip the downloaded HijackThis to any convenient folder, start it then
>press Scan. Click on SaveLog when it's finished which will create
>hijackthis.log. Now click the Config button, then Misc Tools and click on
>Generate StartupList.log which will create Startuplist.txt
>
>Then go to one of the following forums:
>
>Spyware and Hijackware Removal Support, here:
>http://216.180.233.162/~swicom/forums/
>
>or Net-Integration here:
>http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
>or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
>
>Sign in, then copy and paste both files into a message asking for
>assistance, Someone will answer with detailed instructions for the removal
>of your parasite(s).
>
>
>*******
>ONLY IF you've successfully eliminated the malware, you can now make a new,
>clean Restore Point and delete any previously saved (possibly infected)
>ones. The following suggested approach is courtesy of Gary Woodruff: For XP
>you can run a Disk Cleanup cycle and then look in the More Options tab. The
>System Restore option removes all but the latest Restore Point. If there
>hasn't been one made since the system was cleaned you should manually create
>one before dumping the old possibly infected ones.
>*******
>
>
>Once you get this cleaned up, you might want to consider installing the
>SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
>happening in the future:
>
>http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
>Active X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or
>memory load - but keep it UPDATED) The latest version as of this writing
>will prevent installation or prevent the malware from running if it is
>already installed, and it provides information and fixit-links for a variety
>of parasites.
>
>http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
>install malware) Keep it UPDATED. Both Very Highly Recommended
>
>
>Finally, go to Windows Update and ensure that ALL Critical updates are
>installed.
>
>
>
>--
>Please respond in the same thread.
>Regards, Jim Byrd, MS-MVP
>
>
>
>In news:973e01c478b5$263556a0$a601280a@phx.gbl,
>Dwayne <anonymous@discussions.microsoft.com> typed:
>> Some company, virus, trojan, or spyware has permanently
>> made itself my internet explorer homepage using the
>> address about: blank. I have done just about everything I
>> know: deleted cookies, deleted temporary files, deleted
>> history; and nothing seems to work. Can somebody out
>> there help me?
>
>.
>
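
Added example, not part of the original thread or of any tool it mentions: Approach 3 in the quoted advice turns on the AppInit_DLLs value, which can look blank in Regedit while still naming a DLL. The read-only PowerShell check below reports what the value really contains and whether each listed DLL exists and is signed. The function name Get-AppInitAudit and the output field names are chosen here for illustration; LoadAppInit_DLLs and the Wow6432Node view exist only on later or 64-bit Windows versions and are skipped when absent.

```powershell
# Added example, not from the original thread. Read-only: nothing is modified.
# Run from an elevated prompt so both registry views are readable.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view; exists only on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitAudit {
    param([string[]]$KeyPath)
    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        $raw = [string]$key.GetValue('AppInit_DLLs', '')
        # A value that looks blank in Regedit can still hold characters, so
        # report its length and code points instead of trusting the display.
        $codePoints = ($raw.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
        # LoadAppInit_DLLs exists on Windows Vista and later; absent on XP.
        $load = $key.GetValue('LoadAppInit_DLLs', $null)
        # The value is a space- or comma-delimited list of DLL names.
        $names = @($raw -split '[\s,]+' | Where-Object { $_ })
        if ($names.Count -eq 0) { $names = @('') }
        $sysDir = if ($path -like '*Wow6432Node*') { 'SysWOW64' } else { 'System32' }
        foreach ($name in $names) {
            $row = [ordered]@{
                Key = $path; RawLength = $raw.Length; CodePoints = $codePoints
                LoadAppInit = $load; Dll = $name; FullPath = $null
                Exists = $null; Signature = $null; SHA256 = $null
            }
            if ($name) {
                # Bare names are resolved against the system directory.
                $full = $name
                if (-not [IO.Path]::IsPathRooted($name)) {
                    $full = Join-Path $env:SystemRoot (Join-Path $sysDir $name)
                }
                $row.FullPath = $full
                $row.Exists = [IO.File]::Exists($full)
                if ($row.Exists) {
                    $row.Signature = (Get-AuthenticodeSignature -FilePath $full).Status
                    $row.SHA256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
                }
            }
            [pscustomobject]$row
        }
    }
}

Get-AppInitAudit -KeyPath $keys | Format-List
```

A RawLength above zero with an empty-looking value, or a listed DLL whose Signature is not Valid, is the condition the quoted post describes and is worth investigating before any cleanup tool is run.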