Re: about: blank

From: cam (anonymous_at_discussions.microsoft.com)
Date: 08/06/04 

Date: Thu, 5 Aug 2004 15:44:47 -0700

thanks people,I used ad away once and about:blank was
elliminated from my browser!! Keep up the good work.. cam
>-----Original Message-----
>Hi Dwayne - We've been seeing this a lot lately, and
these are very
>difficult CWS parasite variants to remove. Try Basic
Cleaning, below first
>and then if necessary Approach 1 and/or Approach 2 and/or
Approach 3 and/or
>Approach 4 and/or Approach 5.
>
>********Please post back with your results in detail if
possible - what you
>tried, what happened, how you ended up - so that we'll
know better what to
>advise others.********
>
>#########IMPORTANT#########
>Before you try to remove spyware using any of the
programs below, download
>both a copy of LSPFIX here:
>
>http://www.cexx.org/lspfix.htm
>
>AND a copy of Winsockfix
>http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
>The process of removing certain malware may kill your
internet connection.
>If this should occur, these programs, LSPFIX and
WINSOCKFIX, will enable you
>to regain your connection.
>#########IMPORTANT#########
>
>
>Approach 1 - You can try AT YOUR OWN RISK, HSRemove,
free, here:
>http://www.hsremove.com/. "A few days ago I got
hijacked - Nothing new in
>that, except this time it was a real [censored] to get
rid of. - There were
>simply no tools available to remove this "Home Search"
thing. Finally I
>ended up creating my own tool for it. USE IT AT YOUR OWN
RISK. And if you
>find it helpful, then please do not hesitate to make a
contribution."
>
>
>Approach 2 - You can try this AT YOUR OWN RISK. I
normally wouldn't advise
>using a malware provider's uninstall, but this particular
approach has been
>reported to work if you have the about:blank CWS variant
(there appear to be
>at least three or four currently) which leads you to a
Search page. Paste
>the following IP into your browser:
>
>195.190.118.131
>
>On the screen you arrive at, you see a "Search For"
window, and below it a
>red "Uninstall Software". Download their uninstaller,
uninstall.exe. At this
>point I would either use TotalUninstall or make a
complete backup/Restore
>Point of my system for safety's sake (on the basis of "at
least keep what
>you've got"). Total Uninstall,
http://www.geocities.com/ggmartau/tu.html or
>direct dwnld here:
http://files.webattack.com/localdl834/tun234.zip
>
>Run this uninstall program that you downloaded from the
malware site, then
>UPDATE them and go to Safe mode to run UPDATED versions
CWShredder, AdAware
>and SpyBot per the directions in Basic, below.
>
>
>
>Approach 3 - Courtesy of "Win" (Win J. Moore) in
24hoursupport.helpdesk
>
>"I had a variant of this CWS.SearchX sucker for about 3
weeks, and I FINALLY
>seem to be rid of it for good! It is aka
Troj_StartPage.sp and
>BackDoor.Agent.BA. This is what I did:
>
>
>1. Run Regedit, and DELETE the following key:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
>NT\CurrentVersion\Windows\AppInit_DLLs
>
>The value of this key may look blank for you, but it is
not. They hide the
>value so you can't see it. This registry key tells
Windows to load the
>Trojan DLL every time ANY application is run giving it
complete control to
>do whatever it wants. So you need to remove it so that
the Trojan DLL cannot
>load and keep re-infecting your PC. The way to remove the
registry key is
>not obvious. If you just delete it from RegEdit, since
the Trojan DLL is
>loaded, it will re-add it right back. (Try it. Delete the
AppInit_DLLs
>registry key and hit F5. Notice that it's added right
back by the Trojan).
>
>So what you have to do is the following which worked for
me (many thanks to
>"acomputerpro" at the SpywareInfo.com forums!)
>
>2. Rename the HLM\Software\Microsoft\Windows
NT\CurrentVersion\Windows
>folder to Windows2.
>
>3. Now delete the AppInit_DLLs key under the Windows2
folder.
>
>4. Hit F5 and notice that AppInit_DLLs doesn't come back.
>
>5. Rename the Windows2 folder back to Windows. Now that
AppInit_DLLs is
>gone, run the latest AdAware 6 to remove the Trojan for
good.
>
>6. Reboot your machine, and check the registry and make
sure AppInit_DLLs is
>still gone.
>
>Your computer should be free of this for good now. Hope
it works for you...
>It seemed to do the trick for me!"
>
>
>
>
>Approach 4 - If you've already tried CWShredder to get
rid of this parasite
>(See below, v.159.0.1 or better and fully updated before
use), then take a
>look at this thread about manual removal of this parasite:
>
>http://www.akadia.com/services/about_blank_virus.html
>and this one:
http://www.daniweb.com/techtalkforums/thread5531.html
>and this one: http://computercops.biz/article-5199-
nested-0-0.html
>and this one: http://forum.aumha.org/viewtopic.php?t=6437
>
>
>Approach 5 - I don't usually recommend anything but
freeware that I've
>confidence in, but AT YOUR OWN RISK, not free ($29.95),
Adware Away, here:
>http://www.adwareaway.com/ claims to fix it
automatically, and a couple of
>users have reported success using it. I would backup my
system before using
>it, however - always try to "keep what you've got".
>
>
>
>
>Basic Cleaning - Note that this symptom often indicates
the possibility of
>other malware. You might want go to this page at Jim
Eshelman's site, here:
>http://aumha.org/a/noads.htm or here:
>http://inetexplorer.mvps.org/parasite.htm and wait a
little bit (be
>patient), while an analysis of a number of possible
parasites on your
>machine will be made to help you identify and remove
them. NOTE: You will
>need to disable Ad Blocking in Zone Alarm 3.x, if present
or any other Ad
>Blocking software which interferes with Java Scripting
for this scan to
>work. You should get a message between the two lines of
**** giving the
>results of the scan.
>
>
>#########IMPORTANT#########
>All of these removal tools should be run from Safe mode
when possible
>#########IMPORTANT#########
>
>For the general hijack case, the best way to start is to
get Ad-Aware 6.0,
>Build 181 or later, here:
http://www.lavasoftusa.com/support/download/.
>UPDATE and run this regularly to get rid of
most "spyware/hijackware" on
>your machine. If it has to fix things, be sure to re-boot
and rerun
>AdAware again and repeat this cycle until you get a clean
scan. The reason
>is that it may have to remove things which are
currently "in use" before it
>can then clean up others.
>
>Another excellent program for this purpose is SpyBot
Search and Destroy
>available here: http://security.kolla.de/
>SpyBot Support Forum here:
>http://www.net-integration.net/cgi-
bin/forums/ikonboard.cgi. I recommend
>using both normally. After UPDATING and fixing things
with SpyBot S&D, be
>sure to e-boot and rerun SpyBot again and repeat this
cycle until you get a
>clean "no red" scan. The reason is that SpyBot sometimes
has to remove
>things which are currently "in use" before it can then
clean up others.
>
>
>Note that sometimes you need to make a judgment call
about what these
>programs report as spyware. See here, for example:
>http://www.imilly.com/alexa.htm
>
>
>A currently common parasite is some malware called
CoolWebSearch. Do the
>following:
>
>Download, UPDATE before running, and run:
>http://209.133.47.200/~merijn/files/CWShredder.exe to
remove the parasite.
>Be sure to close all instances of IE and OE. You may also
get it here if
>that link is blocked:
http://www.zerosrealm.com/downloads/CWShredder.zip
>
>There's a good tutorial about CWS and using CWShredder
here:
>http://www.bleepingcomputer.com/forums/index.php?
showtutorial=47#domain
>
>BE SURE that you get v.159.0.1 or later!
>
>You will need to show Hidden files first and then at the
end clear the
>malware garbage from your System Restore backups after
you've cleaned up.
>It's best to perform CWShredder (and most other malware
fixers too) from
>Safe mode and then reboot. AFTER cleaning things up, then
you can disable
>and then re-enable System Restore. See ******** below.
>
>The following links give instructions on how to do these
various functions:
>
>
>HOW TO Restart in Safe Mode
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
001052409420406
>
>HOW TO Enable Hidden Files
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
002092715262339
>
>HOW TO Disable/Flush System Restore (do this at the end
AFTER cleaning or
>use the suggested procedure for XP at the ******'s)
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
001111912274039
>(WinXP)
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2
001012513122239
>(WinME)
>
>
>
>Then download and run:
>http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg
to restore your
>tabs and remove any restrictions that the parasite has
put in place.
>
>Now download and run:
>http://www.kellys-korner-
xp.com/regs_edits/RestoreSearch2.REG to restore
>your search functions if they've been affected (as they
probably will have
>been).
>
>
>Be sure that you also download and install hotfix
Q816093, here:
>
>http://support.microsoft.com/?kbid=816093
>
>which blocks the exploit upon which this parasite family
depends.
>
>
>If they don't fix it then start here:
>
>Download HijackThis, free, here:
>http://209.133.47.200/~merijn/files/HijackThis.exe
(Always download a new
>fresh copy of HijackThis [and CWShredder also] - It's
UPDATED frequently.)
>You may also get it here if that link is blocked:
>http://www.majorgeeks.com/downloadget.php?
id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>
>In Windows Explorer, click on Tools|Folder Options|View
and check "Show
>hidden files and folders" and uncheck "Hide protected
operating system
>files". (You may want to restore these when you're all
finished with
>HijackThis.)
>
>Unzip the downloaded HijackThis to any convenient folder,
start it then
>press Scan. Click on SaveLog when it's finished which
will create
>hijackthis.log. Now click the Config button, then Misc
Tools and click on
>Generate StartupList.log which will create Startuplist.txt
>
>Then go to one of the following forums:
>
>Spyware and Hijackware Removal Support, here:
>http://216.180.233.162/~swicom/forums/
>
>or Net-Integration here:
>http://www.net-integration.net/cgi-
bin/forum/ikonboard.cgi?
s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
>or Tom Coyote here:
http://forums.tomcoyote.org/index.php?act=idx
>
>Sign in, then copy and paste both files into a message
asking for
>assistance, Someone will answer with detailed
instructions for the removal
>of your parasite(s).
>
>
>*******
>ONLY IF you've successfully eliminated the malware, you
can now make a new,
>clean Restore Point and delete any previously saved
(possibly infected)
>ones. The following suggested approach is courtesy of
Gary Woodruff: For XP
>you can run a Disk Cleanup cycle and then look in the
More Options tab. The
>System Restore option removes all but the latest Restore
Point. If there
>hasn't been one made since the system was cleaned you
should manually create
>one before dumping the old possibly infected ones.
>*******
>
>
>Once you get this cleaned up, you might want to consider
installing the
>SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from
>happening in the future:
>
>http://www.javacoolsoftware.com/spywareblaster.html>=
(Prevents malware
>Active X installs) (BTW, SpyWareBlaster is not memory
resident ... no CPU or
>memory load - but keep it UPDATED) The latest version as
of this writing
>will prevent installation or prevent the malware from
running if it is
>already installed, and it provides information and fixit-
links for a variety
>of parasites.
>
>http://www.javacoolsoftware.com/spywareguard.html
(Monitors for attempts to
>install malware) Keep it UPDATED. Both Very Highly
Recommended
>
>
>Finally, go to Windows Update and ensure that ALL
Critical updates are
>installed.
>
>
>
>--
>Please respond in the same thread.
>Regards, Jim Byrd, MS-MVP
>
>
>
>In news:973e01c478b5$263556a0$a601280a@phx.gbl,
>Dwayne <anonymous@discussions.microsoft.com> typed:
>> Some company, virus, trojan, or spyware has permenantly
>> made itself my internet explorer homepage using the
>> address about: blank. I have done just about everthing
I
>> know: deleted cookies, deleted temporary files, deleted
>> history; and nothing seems to work. Can somebody out
>> there help me?
>
>.
>

Quantcast