About:Blank

MunkyHed

Please help guys, i've this annoying adware or spyware problem,
I've got xp pro installed sp1 with all the latest updates, zonealarm 5.0.590, AVG anti virus and spybot s&d.
Still every time i open a new internet explorer window my home page changes to about:blank and a few windows pop up offering me software to rid my computer of software. The pop ups have become more persistant today and its really bugging me.
Ran spybot to no avail a few times and avg finds nothing.
I've been reading other posts elsewhere on this matter and they're all on about hijack and outputting logs and stuff. Seems pretty complicated to get rid of this thing,
Please someone give me a quick fix!

Winters

Have you tried running ad-aware?

delly

Look for a file called msg118.dll or msg11*.dll

MunkyHed

Havent tried ad aware. I'll give it a shot in a minute.
No msg11*.dll files found on the drive

MunkyHed

Just downloaded, installed,updated and scanned my system with ad aware6. Restarted my machine, deleted all cookies, temp files. Launched ie and the bloody thing is still there. AAAAAAAAAAAAGGGHHHHH!:(

delly

Something like that is common enough these days, but for it not to appear on any of the ad/spy checkers is strange

What about the C:\WINDOWS\Downloaded Program Files folder?

Have you had a look at msconfig to see if theres anything strange?

MunkyHed

Nothin strange in downloaded files folder. Not confident enough to be messing with msconfig to be honest, but there arent any strange looking services on the list anyway.

Woden

not sure if this is relevant to this problem but try running cw shredder, its a small program just google it and you should get it

MunkyHed

Data really is god!!
Just downloaded the tiny shredder file and ran it. Reset my browser and everything seems to be fine! My eyes are hangin outta my head cos i've been at this for hours! Thanks guys!:D

Woden

/me does a victory dance

delly

one to note for the fixer diary

*nods in Dataisgod direction*

The Dr00g

Yep, CWShredder is a great little tool. Unfortunately it will not be updated again for quite some time, if ever, and browser hijacks have recently become a lot more tricky to remove and also more widespread.

Stay tuned to a good security site folks.

therecklessone

Judging by the fact that neither the Spybot or HijackThis websites have been accessible this afternoon, I'll take it that there's quite a few people in the same boat.

Took me four hours to get rid of the pesky bugger.

More info available at http://www.securiteam.com/securityreviews/5RP0L0UD5U.html or http://www.akadia.com/services/about_blank_virus.html

It also messes with notepad and I'm told MS Media Player.

seamus

This is why I don't use IE. Although my homepage is always set to about:blank in IE, so I wouldn't even notice it.

Anyone know if it's a patchable exploit?

MunkyHed

Hold the show one second here now though, after fixing the hijack virus the other night i went off to bed all content with the fix... Went yesterday to access a few mp3 files i had on my machine, they had mysteriously disappeared!
How the hell did this happen? Could it have been caused by the shredder program or ad aware?
My brother uses the same machine using a different user account (xp pro) but he says he definately didnt delete them and he said that some of his files that he downloaded are also gone!
Luckily i had a backup but my brother didnt (HA!) but nonetheless strange how it happened.
Don't know if any other files have been removed from the machine, i'll find out in time probably! Maybe the files were removed because i downloaded them while i had the virus and they got infected?
Any budding miss marples willing to investigate?

The Dr00g

I see no mention of actual virus or trojan names here... Do you know what you were infected with? Actually, I think you're still infected.

CWShredder, adaware, spybot, etc... All great, but none of them remove all of the hijack related trojans and virses.

Your antivirus software (let me guess, Norton something or other) will have been infiltrated by the virus/trojan. It needs to be uninstalled and re-installed/updated. But if I were you I'd just dump it in favour of a free copy of AVG (www.grisoft.com). Download and update it. Change the "complete test settings" to "test all extensions". Then scan all your drives.

Let us know what you find.

Cheers.

MunkyHed

Ya i've had AVG installed for ages and its well updated. All the extensions are being scanned but no virus being found. Well i shouldnt have used the word virus as it isnt actually one, not sure what you'd call it but a browser hijack. My machine is running perfectly now but its just that when i ran the shredder program it deleted those mp3 files. I have a gut feeling that this infection was sourced from something downloaded by my brother using winmx. never trusted that program and its time to get rid of it i think. (it sucks anyway!)

Ancient1

Just logged on to scream for help about the damn about:blank headwrecker -
what a surprise to see MunkyHead spelling it out word for word

Anyways, i got the same problem this morning.
Adaware and Spybot cannot detect this type of spyware, even though they ripped through several problems, my IE kept getting hijacked.

After messing around with a couple of programs, I installed the (Webroot) Spy Sweeper, seems like an excellent sweeper, except that it still hasnt managed to remove the About2020 (i think that's what the spyware is called).
Everytime i log on to a different webpage, Spy Sweeper alerts me if i want to keep my homepage or "default" to about:blank. So it's not gone, but it's being kept at bay.

I'll give the CWShredder a try. Cheers.

MunkyHed

Be careful of newly downloaded files (mp3s mpegs etc) they might just disappear!!! Back up like a mad thing!

Ancient1

What an unbelievable pain in the ass!!! :mad:

I have to use the CW Shredder every hour or so coz the IE keeps getting hijacked.

According to the links posted by therecklessone above, one spyware file can be deleted but the other one is hidden, so it has to be manually removed.
I'm no expert at this, but i'll have to give it a shot and try to remove the trojan myself using the little program from the link above (and i need to install the Win recovery console). If you dont hear from me by the end of the week it means my PC was subject to extreme physical violence :rolleyes:

irishgeo

Spyware Blaster from www.javacoolsoftware.com

It stops spyware junk from being installed.

Its great and it gets updated as well fairly regular.

Ancient1

MonkeyHed, how did you do it.........did you get rid of it completely?

I cant manage, dunno what i'm doing wrong. Is there a way of getting rid of it without having to mess with the Win Recovery Console?

fragile

Originally posted by Ancient1
I have to use the CW Shredder every hour or so coz the IE keeps getting hijacked.
......
If you dont hear from me by the end of the week it means my PC was subject to extreme physical violence :rolleyes:

"every hour" - "extreme physical violence"

FFS take a hint, its time to dump IE and move to Firefox or Opera..

It continually amazes me how much sh*t IE users will put up and still balk at the idea of using a different browser :rolleyes:

Ancient1

No you're right - i most probably will dump IE.

But it still bugs me...

Mac daddy

Originally posted by Ancient1
No you're right - i most probably will dump IE.

But it still bugs me...

Run hijackthis and post your log i will check it for you.

MunkyHed

MonkeyHed, how did you do it.........did you get rid of it completely?

Honestly ancient, havent a clue!! I think its gone completely as i've had no adverse effects. I think the root of this problem must be in its source. However this annoyance was contracted should be identified. It didnt come from nowhere, there must be some site/prog/application/cookie infecting the system. I just ran every program that was mentioned in this thread, deleted temp files/cookies, ran avg many times and eventually it stopped! I should really keep track of what i do!

Ancient1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MAINID~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MAINID~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MAINID~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MAINID~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MAINID~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MAINID~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Mac Daddy, here are 9 new/created registry files - i guess this is it.

The SpySweeper doesnt delete the files anymore, it just alerts me before the homepage is hijacked. The CW Shredder removes the file everytime, but it reappears. I guess the links above make sense, but i've never done this before & and i never had to use the recovery console either.

The Dr00g

I saw this pattern in conjunction with the backdoor.agent.ba trojan that only AVG could pick up at the time. I don't know if other anti-virus packages can detect it yet.

Download the latest AVG free edition and set it to scan all extensions. It should find an infected file in your windows\system32 (or system) folder with a .DLL extension. This trojan seems to generate random filenames for these DLL files. AVG won't be able to delete or quarentine the file. Just note the name of it, then see if you can find it through windows explorer (which should be set to "view all files"). You should be able to rename the file - Just change the extension .POO or something, then delete it.

Run CWShredder again, and adaware for good measure.

That should sort it.

Oh, and by the way... Not a lot of people know that.

Cabaal

Just a suggestion have you tried the Immunize option in spybot 1.3, its worth a shot and might stop IE being hi-jacked, other then that try using a better browser

milltown

Another infection here. I too was about to cry for help when I found this thread. What bothered me most about it was that it only started after running Live Update in Norton internet security.
AdAware and Spybot found nothing more than cookies so I'll have to try that CW shredder when I get home along with some ruthless registry deletions.
Do I really need to reinstall Norton after this? For a fairly expensive piece of software it seems odd that it can get infected by the very thing I bought it to protect against. Or does being a "Big Name" make it a target for virii and such?

The Dr00g

Oops! I forgot to mention something...

Some viruses and trojans make a point of hiding in special system recovery (AKA system restore) areas. This is common in XP. So always disable any system restore features (making sure all old restore info is wiped) until you are sure your PC is virus and trojan free. Then you can put your restore features back on.

For XP users:
Right-click "My Computer" and click on "Properties".
Click the "System Restore" tab.
Tick the "Turn off system restore" box.
Click "Apply", then click "Ok".

For ME users:
Right-click "My Computer" and click on "Properties".
Click the "Performance" tab.
Click the "File System" button.
Click the "Troubleshooting" tab.
Tick the "Disable system restore" box.
Click "Apply", then click "Ok".

In both cases just go through the steps above and untick the boxes when you are sure your machine is clean.

The Dr00g

Yup that's right milltown, Norton is a prime target coz it's a biggy. Having said that though, no anti-virus software is immune to such infiltration, just like no computer is totally immune to attack. No need to panic about it, just be reasonably vigilant. It's kinda like walking across the road; You never do know when you might be hit by a vehicle that doesn't do quite what you expect it to do. But... Se la vi!

Ancient1

Dr00g,

you're right, the AVG is very good - the only virus scanner that has so far detected the file, even though it could not delete it.
I did try renaming the extension of the file (in the registry), but it wouldn't let me. Finally managed to change the ext to jpeg(!!) and now it won't change back....

Anyways, then, after 10 days of trying to sort this out, my Norton update goes on and tells me it's found a virus...! No sh!t...I followed Symantec's instructions, went into safe mode, did another scan (after updating Norton's configuration etc) and it couldnt identify the file so i couldnt get rid of it.

Also, i found the file using reglite.exe, "deleted" it, but it's still there.

Either way, keep the ideas coming....
I will stop using IE, but i'm determined as hell to get rid of this.

therecklessone

Ancient 1, use the two links I gave you earlier or this one http://computercops.biz/article-5199-nested-0-0.html

That will solve it.

Windows Recovery Console is quite easy to use, just follow the instructions included in those links.

The Dr00g

I was able to rename the file quite easily. I just located it through windows explorer, renamed it, dragged it to the desktop and then deleted it. In that particular instance the file was named wingfcp.dll, but I found another person in a forum had an infected file called wincela.dll.

Tha AVG scan was the last action I performed on the machine after running adaware/spybot/cwshredder/hijackthis several times and every time ending up back at square one. So I tried the simplest of approaches (described here in paragraph one) as a last resort, and lo and behold... It worked. Dragging the file out of the system folder must be the trick.

Note: You MUST have a clean hijackthis list if you are to remain clean after deleting the file.

Do tell Ancient one, is it the backdoor.agent.ba trojan that you have, or is it a new strain?

Mac daddy

Ancient 1 were there no 017 - 018 entries in there, what way does your hijackthis look like now- ps delete you temp IE folder.

tibor

Originally posted by The Dr00g
Yup that's right milltown, Norton is a prime target coz it's a biggy. Having said that though, no anti-virus software is immune to such infiltration, just like no computer is totally immune to attack. No need to panic about it, just be reasonably vigilant. It's kinda like walking across the road; You never do know when you might be hit by a vehicle that doesn't do quite what you expect it to do. But... Se la vi!

Could you explain this infiltration process in a little more detail?

The Dr00g

Well I really wouldn't have time to get into all the finer technical details of how such a process works... But I can say this much - Usually what happens is the NEW virus gets a foothold on the net and spreads happily until all the anti-virus vendors catch up with it and add it to their virus databases. After that the virus only "gets lucky" when it finds a machine on which the anti-virus software hasn't been updated recently enough, or not at all. For example, you might not have connected your PC to the net for a week or so, then you go online and the first thing you do is read a backlog of email (which contains a nasty) or you go straight to your fav porn site (which now has a new trojan/hijacker on the front page). Meanwhile your anti-virus is downloading the latest updates in the background, but... Bingo! Something infects your PC before the update is complete.

The above is kinda beside the point... The point is, the first thing that the virus/trojan does is look at all the programs in memory and tries to identify specific program names from a list of known anti-virus programs. Sometimes the virus has the list built-in, sometimes it refers to a server (to which it may also send information about the unprotected computer). If it finds a recognised process it will then carry out a process of infiltration and/or elimination. This can result in your anti-virus software simply not loading any more, or it can result in a much more stealthy situation where it appears that your software is still working perfectly, when in fact it is not stopping ANY virus infection at all any more. When this situation is left to mature the result is often a machine infected with multiple virus/trojan/hijack types and strains, and in the worst case scenario the machine could be broadcasting its IP address to hackers IRC channels and hacker servers that need access to unsecured machines in order to carry out specific nasty hacker tasks.

You'll find more detailed info on most of the vendors websites, and yet more detail on the more popular security info sites. There are threads in this boards.ie area which provide links to such sites. You could do a lot worse than to have a browse through them.

Ancient1

Originally posted by The Dr00g
I was able to rename the file quite easily. I just located it through windows explorer, renamed it, dragged it to the desktop and then deleted it. In that particular instance the file was named wingfcp.dll, but I found another person in a forum had an infected file called wincela.dll.

Tha AVG scan was the last action I performed on the machine after running adaware/spybot/cwshredder/hijackthis several times and every time ending up back at square one. So I tried the simplest of approaches (described here in paragraph one) as a last resort, and lo and behold... It worked. Dragging the file out of the system folder must be the trick.

Note: You MUST have a clean hijackthis list if you are to remain clean after deleting the file.

Do tell Ancient one, is it the backdoor.agent.ba trojan that you have, or is it a new strain?

Dr00g - yes, it's the backdoor.agent.ba - Norton's (of all scanners) identified it by this name.

Havent had a chance to mess with this today, i'll get back to you guys tomorrow.

By the way, how can i be sure which files to get rid of in hijackthis. I understand it's a bit risky so i need to be sure.

ecksor

tibor wouldn't troll a virus poster would he ...

The Dr00g

Could you rephrase that ecksor?

Ancient1 - I just noticed there's a special removal tool for backdoor.agent.ba on the AVG site. Worth a try... It'll probably do what it says on the tin.

As for knowing which files/lines to delete with hijackthis, you either know or you don't, so you either delete or you don't. And as with all such scenarios, it's when you don't know is when you have to play Sherlock, and follow your nose and your gut, and above all, you use your nut. Elementary!

Show me your full hijackthis log after you've run the removal tool.

ecksor

Originally posted by The Dr00g
Could you rephrase that ecksor?

Of course I could.

tibor

Originally posted by The Dr00g
If it finds a recognised process it will then carry out a process of infiltration and/or elimination.

It's this infiltration I'm curious about. What exactly do you mean?

All I've ever seen, or heard, of is standard enumeration of processes(CreateToolhelp32Snapshot,Process32First,Process32Next) killing any(OpenProcess,TerminateProcess) whose name is found on a large list of security products known to the malware e.g. au.exe, AVprotect9x.exe, escanv95.exe, navw32.exe, kerio-pf-213-en-win.exe, zapro.exe, etc...

The Dr00g

Go suck an (easter) egg you malfunctioning gimp.

For those of you in the audience who manage to find a balance between having "a life" and enjoying a little "cyber fun", tibor (and his probably anomalous pal, ecksor) are what we "in the industry" loathingly refer to as "script kiddies", or perhaps worse; "trainee programmers". EEK! Then again, maybe they're undeserving of so high a rating, and they are just plain old everyday Muppets like the two old farts who sit up in the balcony and take the piss out of the real entertainers. No that's not quite it... Trolls! Of course! Actually, it's my opinion that they are a hideously ugly combination of all of the above. Yes, even the nice bits. Gawd! Pass the sick bag.

Script kiddie - A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire Internet for a victim that possesses that vulnerability.

There! Trolling mission accomplished. [Note to ecksor - It was only your bad grammar that threw me off. Didn't quite cut the mustard did it? lol]

Mac daddy

Originally posted by Ancient1


By the way, how can i be sure which files to get rid of in hijackthis. I understand it's a bit risky so i need to be sure.

Read My monster of a post i have dissected it for you and made it easy.

If your still not sure pm me the entire log

tibor

haha, that made my day.

The Dr00g

As ever, I aim to please.

Any luck with that removal tool Ancient1???

ecksor

Uh, the Dr00g, don't blame me because you got caught with your knickers down explaining the "finer technical points". I wasn't even addressing you to begin with, I merely wondered why tibor would bother to ask you for information when its clear that you have nothing to teach him. Run back to "the industry" you inhabit if you want your superior sounding waffle to go unchecked and certainly don't start throwing names around.

The Dr00g

Knickers down! :eek: I'd say you'd like that alright. Well at least mine aren't in a twist. Must be a pinch on your b0llocks judging by the mood you seem to be in. And it was you who started throwing names around - Poor little tibor... Could you have called him a worse name? Troll?!!!

Ecksor, tell me where you get the idea that imparting useful information (regardless how basic) to a user who doesn't seem to know how to find that information him/herself, is nothing more than "superior sounding waffle" that shouldn't go unchecked? I wonder, is your admin status going to your head?

At least tibor seems to have a sense of humor about the whole thing. As for the script lingo... I hold my hands up, I'm not into scripting/programming etc. It's not necessary for the kind of work I do. So no ecksor, I'm sure I couldn't teach tibor anything on that subject. But he might benefit from some of my experience in other technical areas, as I might from his. Why not join in the exchange yourself, rather than merely playing tibors bitch (in this instance).

Waffle? Yes I do, frequently, but not always, and I enjoy it.

ecksor

Originally posted by The Dr00g
Ecksor, tell me where you get the idea that imparting useful information (regardless how basic) to a user who doesn't seem to know how to find that information him/herself, is nothing more than "superior sounding waffle" that shouldn't go unchecked?

I don't have that idea and it wasn't what I was referring to. Nor did I say that it shouldn't go unchecked, merely commenting that it hadn't gone unchecked and that you shouldn't complain when it was.

I wonder, is your admin status going to your head?

Well, I haven't banned you for your earlier rant despite your unprovoked name calling, what do you think?

Ancient1

Guys - stop arguing or the thread will get locked before i fix my problem

Mac Daddy - cheers for the link, sorry i havent spotted that thread earlier. I'll go through it now.

Dr00g i'll keep you posted.

Thanks again guys.