Re: about blank count.cc

From: blue_laser (anonymous_at_discussions.microsoft.com)
Date: 08/31/04


Date: Mon, 30 Aug 2004 22:11:05 -0700

Thanks Jim for the details. I can see I have several
sleepless nights and restless days ahead. Will reply as
soon as I have fixed (or filed to fix) the b*%$rd. :)
>-----Original Message-----
>Hi Blue_Laser - Don't know if this is the one you had in mind, but . . . .
>
>
>We've been seeing this a lot lately, and these are very difficult CWS
>parasite variants to remove. Read ALL of this carefully to begin with, then
>try About:Blank Specific and then Basic Cleaning, below, FIRST and then ONLY
>IF NECESSARY Approach 1 and/or Approach 2 and/or Approach 3 and/or Approach
>4 and/or Approach 5 and/or Approach 6.
>
>********Please post back with your results in detail if possible - what you
>tried, what happened, how you ended up - so that we'll know better what to
>advise others.********
>
>#########IMPORTANT#########
>Before you try to remove spyware using any of the programs below, download
>both a copy of LSPFIX here:
>
>http://www.cexx.org/lspfix.htm
>
>AND a copy of Winsockfix
>http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
>Directions here: http://www.tacktech.com/display.cfm?ttid=257
>The process of removing certain malware may kill your internet connection.
>If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
>to regain your connection.
>#########IMPORTANT#########
>
>
>Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, here:
>http://www.hsremove.com/. "A few days ago I got hijacked - Nothing new in
>that, except this time it was a real [censored] to get rid of. - There were
>simply no tools available to remove this "Home Search" thing. Finally I
>ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you
>find it helpful, then please do not hesitate to make a contribution."
>
>
>Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
>using a malware provider's uninstall, but this particular approach has been
>reported to work ONLY IF you have the about:blank CWS variant (there appear
>to be at least three or four currently) which leads you to a Search page.
>Paste the following IP into your browser:
>
>195.190.118.131
>
>On the screen you arrive at, you see a "Search For" window, and below it a
>red "Uninstall Software". Download their uninstaller, uninstall.exe. At this
>point I would either use TotalUninstall or make a complete backup/Restore
>Point of my system for safety's sake (on the basis of "at least keep what
>you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html or
>direct download here: http://files.webattack.com/localdl834/tun234.zip
>
>Run this uninstall program that you downloaded from the malware site, then
>UPDATE them and go to Safe mode to run UPDATED versions of CWShredder, AdAware
>and SpyBot per the directions in Basic, below.
>
>
>
>Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk
>
>"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY
>seem to be rid of it for good! It is aka Troj_StartPage.sp and
>BackDoor.Agent.BA. This is what I did:
>
>
>1. Run Regedit, and DELETE the following key:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
>
>The value of this key may look blank for you, but it is not. They hide the
>value so you can't see it. This registry key tells Windows to load the
>Trojan DLL every time ANY application is run, giving it complete control to
>do whatever it wants. So you need to remove it so that the Trojan DLL cannot
>load and keep re-infecting your PC. The way to remove the registry key is
>not obvious. If you just delete it from RegEdit, since the Trojan DLL is
>loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs
>registry key and hit F5. Notice that it's added right back by the Trojan).
>
>So what you have to do is the following, which worked for me (many thanks to
>"acomputerpro" at the SpywareInfo.com forums!)
>
>2. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
>folder to Windows2.
>
>3. Now delete the AppInit_DLLs key under the Windows2 folder.
>
>4. Hit F5 and notice that AppInit_DLLs doesn't come back.
>
>5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is
>gone, run the latest AdAware 6 to remove the Trojan for good.
>
>6. Reboot your machine, and check the registry and make sure AppInit_DLLs is
>still gone.
>
>Your computer should be free of this for good now. Hope it works for you...
>It seemed to do the trick for me!"
>
>
>Approach 4 - If you've already tried CWShredder to get rid of this parasite
>(See below, v.159.0.1 or better and fully updated before use), then take a
>look at this thread about manual removal of this parasite:
>
>http://www.akadia.com/services/about_blank_virus.html
>and this one: http://www.daniweb.com/techtalkforums/thread5531.html
>and this one: http://computercops.biz/article-5199-nested-0-0.html
>and this one: http://forum.aumha.org/viewtopic.php?t=6437
>
>
>Approach 5 - I don't usually recommend anything but freeware that I've
>confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here:
>http://www.adwareaway.com/ claims to fix it automatically, and several users
>now have reported success using it. I would back up my system before using
>it, however - always try to "keep what you've got".
>
>
>Approach 6 - It has been reported that the evaluation version of Panda
>Software's Titanium Antivirus 2004, here:
>http://www.pandasoftware.com/register.asp?CodigoProducto=13&TipoLead=2&TipoUsuario=1&Tipo=1&Ref=WW-TIT4-DES&Idioma=2&Country=Us&sec=down
>will completely remove about:blank. I have not been able to independently
>verify this yet, however, so this is AT YOUR OWN RISK. You'll have to give
>them some information, and I expect you may want to uncheck some of the
>"opt-in" boxes at the bottom just above and below the send button.
>
>___________________________________
>
>
>About:Blank Specific
>
>See the procedures here: http://www.pchell.com/support/onlythebest.shtml
>and especially here:
>http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp
>
>Download AboutBuster, here: http://www.malwarebytes.biz/AboutBuster.zip or
>here: http://www.majorgeeks.com/download4289.html Then, "First unzip all
>files from the zip folder to a folder or your desktop. Start it and hit OK.
>Then hit Update. A new screen should pop up. On that screen hit Check for
>Updates. If it says it found an update, hit Download Updates. If it doesn't, it
>will automatically tell you and exit. Now for the scanning part. Hit Start
>and then OK. The program should start scanning. Then hit Exit and reboot.
>
>Once rebooted, run About:Buster once more to make sure everything is OK.
>The database will be updated very frequently, so check your versions once a
>day."
>
>
>
>Basic Cleaning - Note that this symptom often indicates the possibility of
>other malware. You might want to go to this page at Jim Eshelman's site, here:
>http://aumha.org/a/noads.htm or here:
>http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
>patient), while an analysis of a number of possible parasites on your
>machine will be made to help you identify and remove them. NOTE: You will
>need to disable Ad Blocking in Zone Alarm 3.x, if present, or any other Ad
>Blocking software which interferes with Java Scripting, for this scan to
>work. You should get a message between the two lines of **** giving the
>results of the scan.
>
>
>#########IMPORTANT#########
>All of these removal tools should be run from Safe mode when possible.
>Reboot and test if the malware is fixed after using each tool.
>#########IMPORTANT#########
>
>
>Download sysclean.com, from Trend Micro, here:
>http://www.trendmicro.com/download/dcs.asp along with the latest pattern
>file, here: http://www.trendmicro.com/download/pattern.asp (You might also
>want to get Art's updater, SYS-UP.Zip, here for future updating of these:
>http://home.epix.net/~artnpeg/). Place them in a dedicated folder after
>appropriate unzipping, and then run. (If you download and use the updater
>from the beginning, it will handle downloading the other files.)
>
>
>
>For the general hijack case, the best way to start is to get Ad-Aware 6.0,
>Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
>UPDATE, set it up in accordance with this:
>http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get
>rid of most "spyware/hijackware" on your machine. If it has to fix things,
>be sure to re-boot and rerun AdAware again and repeat this cycle until you
>get a clean scan. The reason is that it may have to remove things which are
>currently "in use" before it can then clean up others.
>
>Then, courtesy of NonSuch at Lockergnome, open Ad-aware, then click the gear
>wheel at the top and check these options to configure Ad-aware for a
>customized scan:
>
>General > activate these: "Automatically save log-file" and "Automatically
>quarantine objects prior to removal"
>
>Scanning > activate these: "Scan within archives", "Scan active processes",
>"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
>sites," and "Scan my Hosts file"
>
>Tweaks > Scanning Engine > activate this: "Unload recognized processes during
>scanning."
>
>Tweaks > Cleaning Engine > activate these: "Automatically try to unregister
>objects prior to deletion" and "Let Windows remove files in use after
>reboot."
>
>Click "Proceed" to save your settings, then click "Start." Make sure
>"Activate in-depth scan" is ticked green, then scan your system. When the
>scan is finished, the screen will tell you if anything has been found; click
>"Next." The bad files will be listed. Right click the pane and click "Select
>all objects" - this will put a check mark in the box at the side; click
>"Next" again and click "OK" at the prompt "# objects will be removed.
>Continue?"
>
>
>Another excellent program for this purpose is SpyBot Search and Destroy,
>available here: http://security.kolla.de/ SpyBot Support Forum here:
>http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
>using both normally. After UPDATING and fixing ONLY RED things with SpyBot
>S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until
>you get a clean "no red" scan. The reason is that SpyBot sometimes has to
>remove things which are currently "in use" before it can then clean up
>others.
>
>Note that sometimes you need to make a judgment call about what these
>programs report as spyware. See here, for example:
>http://www.imilly.com/alexa.htm
>
>
>A currently common parasite is some malware called CoolWebSearch. Do the
>following:
>
>Download, UPDATE before running, and run:
>http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
>Be sure to close all instances of IE and OE. You may also get it here if
>that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
>
>There's a good tutorial about CWS and using CWShredder here:
>http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain
>
>BE SURE that you get v.159.0.1 or later!
>
>You will need to show Hidden files first and then at the end clear the
>malware garbage from your System Restore backups after you've cleaned up.
>It's best to perform CWShredder (and most other malware fixers too) from
>Safe mode and then reboot. AFTER cleaning things up, then you can disable
>and then re-enable System Restore. See ******** below.
>
>The following links give instructions on how to do these various functions:
>
>
>HOW TO Restart in Safe Mode
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
>HOW TO Enable Hidden Files
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
>HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning, or
>use the suggested procedure for XP at the ******'s)
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
>(WinXP)
>http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
>(WinME)
>
>
>
>Then download and run:
>http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
>tabs and remove any restrictions that the parasite has put in place.
>
>Now download and run:
>http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>your search functions if they've been affected (as they probably will have
>been).
>
>
>Be sure that you also download and install hotfix Q816093, here:
>
>http://support.microsoft.com/?kbid=816093
>
>which blocks the exploit upon which this parasite family depends.
>
>
>If they don't fix it then start here:
>
>Download HijackThis, free, here:
>http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
>fresh copy of HijackThis [and CWShredder also] - it's UPDATED frequently.)
>You may also get it here if that link is blocked:
>http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>
>In Windows Explorer, click on Tools|Folder Options|View and check "Show
>hidden files and folders" and uncheck "Hide protected operating system
>files". (You may want to restore these when you're all finished with
>HijackThis.)
>
>Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
>at the root level such as C:\HijackThis (NOT in a Temp folder or on your
>Desktop), reboot to Safe mode, start HT, then press Scan. Click on SaveLog
>when it's finished, which will create hijackthis.log. Now click the Config
>button, then Misc Tools, and click on Generate StartupList.log, which will
>create Startuplist.txt
>
>
>Then go to one of the following forums:
>
>Spyware and Hijackware Removal Support, here:
>http://216.180.233.162/~swicom/forums/
>
>or Net-Integration here:
>http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>
>or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
>
>Sign in, then copy and paste both files into a message asking for
>assistance. Someone will answer with detailed instructions for the removal
>of your parasite(s).
>
>
>*******
>ONLY IF you've successfully eliminated the malware, you can now make a new,
>clean Restore Point and delete any previously saved (possibly infected)
>ones. The following suggested approach is courtesy of Gary Woodruff: For XP
>you can run a Disk Cleanup cycle and then look in the More Options tab. The
>System Restore option removes all but the latest Restore Point. If there
>hasn't been one made since the system was cleaned, you should manually create
>one before dumping the old, possibly infected ones.
>*******
>
>
>Once you get this cleaned up, you might want to consider installing
>SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
>happening in the future:
>
>http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
>ActiveX installs) (BTW, SpywareBlaster is not memory resident ... no CPU or
>memory load - but keep it UPDATED) The latest version as of this writing
>will prevent installation or prevent the malware from running if it is
>already installed, and it provides information and fixit-links for a variety
>of parasites.
>
>http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
>install malware) Keep it UPDATED. Both Very Highly Recommended.
>
>
>Finally, go to Windows Update and ensure that ALL Critical updates are
>installed.
>
>
>
>
>--
>Please respond in the same thread.
>Regards, Jim Byrd, MS-MVP
>
>
>
>In news:307901c48ed6$24598a90$a301280a@phx.gbl,
>blue_laser <anonymous@discussions.microsoft.com> typed:
>> Hi,
>>
>> I am close to becoming incoherent. The home page on my
>> IE6 is set to "about blank". However, when I launch the
>> browser the page is full of javascript links that point
>> to a web site count.cc.
>> Can someone help me in getting rid of this problem? Some
>> time ago I saw a post with how to remove this spyware in
>> this forum. The post also mentioned that it is not an
>> easy problem to solve. I am not able to locate the post.
>>
>> I am running Windows XP (Home, SP1)
>> Thanks for any help/pointers.
>
>
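The quoted post's Approach 3 explains why the AppInit_DLLs value keeps coming back (the DLL it names is loaded into every running application, which then re-creates the value) and notes that its data can look blank in RegEdit; the Basic Cleaning section then sends you after the IE start/search pages and the hosts file. The PowerShell script below is an added example, not Jim Byrd's text and not code from any tool he links. It audits those same locations read-only, listing each value's kind and, for anything binary or containing control characters, its raw bytes, so a value RegEdit renders as empty is still visible. It assumes Windows PowerShell 3.0 or later on the affected machine, run from an elevated prompt; the function names (Show-RegistryValues, Test-AppInitDlls, Get-HostsOverrides) and its notion of "suspicious" (control characters in a name or value, a listed DLL missing from disk, a hosts entry other than localhost) are my assumptions, not claims made in the thread.

```powershell
# Added example, not code from the original thread or from any tool it links.
# Read-only audit of the persistence points the quoted post walks through:
# AppInit_DLLs, the IE Start/Search page values, and the hosts file.
# Assumptions (mine): Windows PowerShell 3.0+, run from an elevated prompt.
# Function names, the control-character heuristic and the "DLL must exist on
# disk" check are my additions, not something the thread states.

Set-StrictMode -Version 2

# Escape control characters so a "hidden" name or value becomes visible.
function Format-Visible([string]$s) {
    $out = New-Object System.Text.StringBuilder
    foreach ($ch in $s.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -eq 0x7F) {
            [void]$out.AppendFormat('\x{0:X2}', $code)
        } else {
            [void]$out.Append($ch)
        }
    }
    return $out.ToString()
}

# List every value under a key with its kind; dump raw bytes for anything
# binary or containing control characters (the case RegEdit shows as blank).
function Show-RegistryValues([Microsoft.Win32.RegistryKey]$Root, [string]$SubKey) {
    $key = $Root.OpenSubKey($SubKey)
    if ($null -eq $key) { Write-Host "== (missing) $($Root.Name)\$SubKey"; return }
    Write-Host "== $($key.Name)"
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $data = $key.GetValue($name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $label = if ($name -eq '') { '(Default)' } else { Format-Visible $name }
        $text  = if ($data -is [string]) { Format-Visible $data } else { "$data" }
        $odd   = ($name + "$data") -match '[\x00-\x1F\x7F]'
        $flag  = if ($odd) { '   <-- control characters: RegEdit would show this as blank' } else { '' }
        Write-Host ("  {0,-22} {1,-12} {2}{3}" -f $label, $kind, $text, $flag)
        if ($odd -or $kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
            $bytes = if ($data -is [byte[]]) { $data }
                     elseif ($data -is [string]) { [System.Text.Encoding]::Unicode.GetBytes($data) }
                     else { [byte[]]@() }
            Write-Host ("      bytes: " + (($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '))
        }
    }
    $key.Close()
}

# AppInit_DLLs: each listed DLL is loaded into every process that loads
# user32.dll, which is why the quoted post sees the value come straight back.
function Test-AppInitDlls {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows')
    if ($null -eq $key) { Write-Host "== Windows NT\CurrentVersion\Windows key missing"; return }
    $raw  = [string]$key.GetValue('AppInit_DLLs', '')
    $gate = $key.GetValue('LoadAppInit_DLLs', $null)   # Vista and later; absent on XP
    $key.Close()
    Write-Host "== AppInit_DLLs = '$(Format-Visible $raw)'  LoadAppInit_DLLs = $gate"
    if ($raw.Trim().Length -eq 0) { return }
    foreach ($entry in ($raw -split '[ ,;]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        # Bare names resolve through the loader search path; System32 is the usual spot.
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
        $state = if (Test-Path -LiteralPath $path) { 'present' } else { 'MISSING on disk' }
        Write-Host ("  {0}  ->  {1}  [{2}]" -f (Format-Visible $entry), $path, $state)
    }
}

# Hosts file: anything that is not a comment or a localhost mapping is worth a look.
function Get-HostsOverrides {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9A-Fa-f.:]+\s+\S' -and $_ -notmatch '^\s*\S+\s+localhost\s*$' }
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$hkcu = [Microsoft.Win32.Registry]::CurrentUser
Show-RegistryValues $hklm 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
Test-AppInitDlls
foreach ($root in @($hkcu, $hklm)) {
    Show-RegistryValues $root 'Software\Microsoft\Internet Explorer\Main'
    Show-RegistryValues $root 'Software\Microsoft\Internet Explorer\Search'
}
Write-Host "== hosts file entries other than localhost"
Get-HostsOverrides | ForEach-Object { Write-Host "  $_" }
```

The script changes nothing, so the rename/delete/rename sequence in Approach 3 still has to be done by hand once you have confirmed what the value holds. On 64-bit Windows the 32-bit loader reads its own copy of the value under SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows, so run Show-RegistryValues against that subkey as well; and because a DLL listed here is mapped into any process that loads user32.dll, expect the same results from a Safe mode boot, which is where the post recommends doing the cleanup.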

