
about:blank search spyware

Discussion in 'Security and Privacy' started by Pudini, 2004/07/14.

Thread Status:
Not open for further replies.
  1. 2004/07/14
    Pudini (Thread Starter)
    Gentlemen,

    I've been a PC service technician for many years and have finally come across a piece of spyware I can not kill. I call it the "about:blank" spyware. Essentially, it is a piece of spyware that changes your homepage to about:blank and overwrites the about:blank file to a search page with search links: art, cars, this, that and the other thing. From spyware experience I have traced back the IP address of the about:blank page and translated it to a homepage. When I go to the home page there is a dark blue background with a search input box and a go button. Below that there is a link to an .exe file that says uninstall software. When I download and execute it, the file runs in a command prompt box on my Windows XP and I can not see any text at all, and it goes away in a split second. I restart the computer and everything is working normally until about 5 minutes after I browse the internet; then it jumps back. I've used Ad-Aware/Ad-Watch, Spybot Search and Destroy/system tray icon, HijackThis, and still nothing. If anyone has some experience with this I'd appreciate the know-how. Remember I have done many things, and the obvious remedies like registry edits and uninstalls are not going to help me because I have already done most. But if you think you can enlighten me please feel free to do so.

    Pudini
     
  2. 2004/07/14
    noahdfear
    Run the latest CWShredder, v1.59.1, then post a HijackThis log and I will try to link you to the appropriate fix.
     


  4. 2004/07/14
    Welshjim
    Pudini--I suspect if you do a search here for About:Blank, you will find several detailed discussions.
    This is part of the CoolWebSearch family. HiJackThis should indicate some of the entries causing the problem, though the word About:Blank may not be shown. The author of HiJackThis discusses some of the variations here
    http://www.spywareinfo.com/~merijn/cwschronicles.html
    That site loads very slowly. I think it is item 33 and others following.
    There is a chance that CoolWebShredder will help you, but if you read some other pages written by Merijn, he has given up trying to keep up with all the variations.
    http://www.spywareinfo.com/~merijn/downloads.html
     
  5. 2004/07/14
    Pudini (Thread Starter)
    All set so far, thanks. I'll update if there are any changes.

    Pudini
     
  6. 2004/07/15
    Pudini (Thread Starter)
    Everything seemed perfect after I turned it off last night, and this morning when I opened it up and turned it on, my homepage was back to about:blank with the gay search hijacked. Please help me figure this out.

    Pudini
     
  7. 2004/07/15
    noahdfear
  8. 2004/07/15
    Pudini (Thread Starter)
    Noah,

    Thanks, but after I do all that it still comes back.

    Pudini
     
  9. 2004/07/15
    Pudini (Thread Starter)
    I'll post the HijackThis later today; it's a friend's laptop.
     
  10. 2004/07/15
    noahdfear
    I figured it would, which is why I asked for a log. I can't direct you to the proper fix until I see what variant the PC is infected with. :)
     
  11. 2004/07/15
    Johanna (Alumni)
    I'm surprised you haven't run into Cool Web Search before. Google it, and see just how nasty and prevalent it is. Noahdfear can help you get it clean, but you need to post a HJT log, and follow all instructions.

    BTW, there are lots of LADIES on this BBS who are just as qualified to help. ;)

    Johanna :)
     
  12. 2004/07/15
    Welshjim
    noahdfear --I do not know how fast CWShredder is getting out of date, but the latest buzz is about a program called AboutBuster. It can be downloaded here.
    http://www.atribune.org/downloads/AboutBuster.zip
    I have not spent too much time looking, but there is little documentation on AboutBuster. One place is
    http://forums.devshed.com/archive/t-162706
    Tom Myboy says
    "Download About:Buster from either of the following locations.

    http://www.atribune.org/downloads/AboutBuster.zip
    or
    http://tools.zerosrealm.com/AboutBuster.zip

    Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

    Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

    Reboot and post a new HijackThis log along with the two reports from About:Buster. "
     
  13. 2004/07/15
    noahdfear
    About:Buster is one fix for one variant, yes, but should not be used on others, and may not work either. As previously stated, I need to see which variant to recommend a fix.
     
  14. 2004/07/15
    bluzkat
    CWS update...

    This is from the SpywareInfo website. Someone is going to carry on the fight against CoolWebSearch:

    "X-Cleaner Spyware Remover is an award winning spyware detector that finds and removes commercial spyware programs. X-Cleaner also features a unique mobile active-x spy scanning utility so you can login through your member's center and use it from public terminals.
    X-Cleaner soon will have all of the CWS removal capabilities of CWShredder, licensed from Merijn. That means that X-Cleaner will be able to remove nearly every single variant of the world's most widespread, stubborn and annoying browser hijacker."

    This is from a company called X-Block (www.xblock.com). Not available yet... but should be soon. Doesn't look as though it's going to be free.
     
  15. 2004/07/15
    Pudini (Thread Starter)
    Let me know what you guys see, if anything:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:55:48 PM, on 7/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\EzButton\CplBTQ00.EXE
    C:\Program Files\Toshiba Controls\CpRmtKey.EXE
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\chris\HijackThis.exe
    C:\chris\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe "
    O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
    O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE "
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Shortcut to Ad-watch.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.2.19/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.8.1.28/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Necho Client - http://www3.necho.net/nuvell/nechoclient.cab
    O16 - DPF: Necho Client Lib Package - http://www3.necho.net/nuvell/libnechoclient.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.3.20/peaks/peaks-ob-assets.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol125.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  16. 2004/07/15
    Pudini (Thread Starter)
    Pardon me, Ms. Johanna ...

    Ladies and Gentlemen. No disrespect, Johanna.
     
  17. 2004/07/15
    noahdfear
    I see nothing in your log that would indicate a hijack. Are you still being redirected? If you aren't, but later do, post a log before doing any fixes.
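To show the kind of check behind that assessment, here is an added Python example (not from the thread and not HijackThis's own logic) that parses HijackThis-style R/O2/O4 lines and flags a start page set to about:blank or an autostart loading from a temp or user-profile directory. The sample lines are constructed: four copy the format of the clean log posted above, and two are hypothetical hijacked entries; the flagging rules are a simple heuristic.

```python
import re
from typing import Dict, List

# Constructed sample: the first four lines copy the format of the clean log in the
# thread; the last two are hypothetical and show what a hijacked entry looks like.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [hypothetical] C:\Documents and Settings\user\Local Settings\Temp\hypothetical.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r'^(?P<key>.+?): \[(?P<name>[^\]]*)\] "?(?P<path>.+?)"?\s*$')

# Heuristic: installed software rarely autostarts from these locations.
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\")
# Start/search page values typical of a CWS-style hijack (about:blank is this thread's case).
HIJACK_VALUES = ("about:blank", "res://")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into entries; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        etype, body = m.group("type"), m.group("body")
        entry = {"type": etype, "raw": body}
        sub = None
        if etype.startswith("R"):
            sub = R_RE.match(body)
        elif etype == "O2":
            sub = O2_RE.match(body)
        elif etype == "O4":
            sub = O4_RE.match(body)
        if sub:
            entry.update({k: v.strip() for k, v in sub.groupdict().items()})
        entries.append(entry)
    return entries


def flag_entries(entries: List[Dict[str, str]]) -> List[str]:
    """Return one reason per entry that deserves a closer look."""
    reasons = []
    for e in entries:
        if e["type"].startswith("R") and "value" in e:
            if e["value"].lower().startswith(HIJACK_VALUES):
                reasons.append(f"{e['type']} {e['name']} set to {e['value']}")
        elif e["type"] in ("O2", "O4") and "path" in e:
            if any(d in e["path"].lower() for d in SUSPECT_DIRS):
                reasons.append(f"{e['type']} loads from unusual location: {e['path']}")
    return reasons
```

Run against the clean lines alone the function returns nothing, which matches the reading of the posted log; only the two constructed entries are flagged.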
     
  18. 2004/07/16
    Rockster2U (Geek Member)
    D_amn Dave, you are really good - any chance of cloning a few "knowledge" cells and giving some of us directions to your favorite local surgeon's office. You never cease to amaze me.

    ;)
     
  19. 2004/07/16
    noahdfear
    Thanks Rockster! Quite a compliment coming from you, a guy with much more knowledge and experience than myself. :) If I could sort a knowledgeable cell from the burnt ones, I'd be more than happy to let someone try cloning them. No favorite local surgeon though, you'd have to find your own.

    In hopes that I continue to amaze you......... ;)
     