
about:blank, now on steroids!

N2NT (Vendor), Oct 4, 2004
The latest about:blank trojan from the dix at CoolWebSearch seems to be absolutely invincible. Even the author of HJT and others have thrown up their hands. The latest form of MS AntiSpy is ineffective, as well as all the usual spyware tools like Ad-Aware, ferrit, Spybot S&D, etc. etc. etc. It seems to be combating the very programs set up to delete it and replicates itself as soon as you go on the web. It would not even allow me to log on to Tek-Tips!!! My final solution was to partition the HD, install a new OS and abandon IE as a browser for now. Basically a new PC on the old hard drive.

 
That's why I vote for Firefox. IE can't be hijacked if you don't use IE.

_____
-John
Help us help you. Please read FAQ181-2886 before posting.
 
aquias> Yes, I did try ALL of those things and more. The newer version of about:blank is far more aggressive than the one of fall '04. It is way ahead of the current spyware programs. I imagine MS AntiSpy should be the first one to be able to combat this. The spare-time spyware guys like HJT and others just don't have the resources CWS does at this time, unfortunately. Even CWShredder won't work!!! They will locate, but cannot fix.

anotherhiggins> That conclusion will save someone a lot of time trying to fix IE. I imagine it's just a matter of time before the other browsers are targeted too.

I am mainly into the telecom forums here, but this one was extremely helpful in dealing with the problem. Props to all of you.
 
Let us do some research and see if we can find anything else hidden out about the newer version and how to remove it.

And, as a side note to moving to Firefox: yes, it is more secure. However, the first of the possible "new breed" of spyware programs arrived a few months ago. Instead of targeting ActiveX controls, it targets the machine's Java.

Yes, Firefox is more secure against this type of attack (you get a prompt about the install of the Java controls), but keep in mind that education is still a big key, no matter the browser.
 
John said:
That's why I vote for Firefox. IE can't be hijacked if you don't use IE.

That is incorrect. There have been reports lately of new cross-browser hijacks, which take vulnerabilities in Firefox and use them to exploit vulnerabilities in IE.

Computer/Network Technician
CCNA
 
What specifically, i.e. some HJT lines, is being discussed to remove?

There are several CWS variants, and there is at least one extremely difficult non-CWS problem that I think gets mistaken for CWS.

I am not skilled at removing some of those things, but I think there are methods available for many of them now. However, there is not a "standard" approach that will remove them all.

Just from the few threads I read on help sites, it looks to me like spyware removal is becoming more and more complex and requires knowledge of the registry and specialized removal and analysis tools, as well as general tools such as Spybot and HijackThis.

Stating that a trojan is invincible may reflect the current state of removal for that item, or it may reflect unawareness of current removal techniques for that problem.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
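As an added, read-only example (not code from the thread or from any of the tools named in it): the places in the registry that a HijackThis log reports as R0/R1 start-page lines and O2 BHO lines can be read directly with PowerShell, so a hijacked start page and the DLL behind each Browser Helper Object can be listed without relying on a scanner that crashes mid-scan. The key paths are the standard IE and Explorer locations; the "SUSPECT" rule (about:blank, res:// or file:// as a start or search page) is an assumption about what is worth a closer look, not a verdict.

```powershell
# Added example, not from the original thread. Enumerates the IE registry
# values that start-page hijackers rewrite and resolves each installed BHO
# CLSID to the DLL it loads into IE. Read-only: nothing is changed or deleted.
# Assumes a Windows host; run in an elevated PowerShell to read HKLM fully.

$ieMainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)
# Values commonly rewritten by CWS-style hijackers (R0/R1 lines in an HJT log)
$valueNames = @('Start Page', 'Search Page', 'Default_Page_URL',
                'Default_Search_URL', 'Local Page')

foreach ($key in $ieMainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $val = $props.$name
        if ($null -eq $val) { continue }
        # Assumption for this example: about:blank, res:// and file:// are the
        # classic hijack signature, so flag them for a closer look.
        $flag = if ($val -match '^(about:blank|res://|file://)') { 'SUSPECT' } else { 'ok' }
        '{0,-7} {1}\{2} = {3}' -f $flag, $key, $name, $val
    }
}

# Browser Helper Objects (O2 lines in an HJT log): each subkey name is a CLSID.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid   = $_.PSChildName
        $inproc  = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dllPath = if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' }
                   else { '<no InprocServer32 key>' }
        # A BHO whose DLL is not visible on disk is worth noting: the file may
        # be hidden, locked or already deleted while the registry entry remains.
        $state = if ($dllPath -and (Test-Path -LiteralPath $dllPath)) { 'present' }
                 else { 'missing/hidden' }
        'BHO {0} -> {1} ({2})' -f $clsid, $dllPath, $state
    }
}
```

The output is meant to be compared against a HijackThis log taken with the network cable unplugged, as a later post in this thread suggests; if a start page or BHO entry reappears between two runs while the machine is offline, something still resident on the box is restoring it, which narrows the hunt to running processes and startup entries rather than to the browser.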
 
diogenes10 said:
Stating that a trojan is invincible may reflect the current state for the removal of that item, or it may reflect unawareness of current removal techniques for that problem.

Current removal techniques are NOT even close to this one yet. I can identify the root cause in the "f2install" file, but it has invaded a lot of registry files, and even the HJT logs are blank except for the entry by the hijacker/trojan. The main trouble is that when you run MS AntiSpy, for example, it finds four or five nasty files, but before it finishes the scan IE will crash with the old "IE has experienced a problem and must close" window. I do like the never-say-die attitude and will give it another try in a couple of days.

 
Does this affect Opera also? I have enjoyed Opera for a while now, even the latest Beta seems very stable and relatively immune.
 
f2install gets some Trend Micro and Sophos hits. Here is one of the Trend Micro ones:


You could see if Trend Micro's online scan would run:

Or try an anti-trojan program such as these:

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
And you could also try using KillBox or DeleteDoctor to delete the files found by MS AntiSpy. If MS AntiSpy is dying and not showing any specific file names, here is a thread where a variety of file-finding programs are pulled in to try to solve a problem:

Perhaps one or two of those would give you some help in identifying some of the problem files.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Recently had about:blank on my wife's personal XP laptop.
Tried everything I could think of to remove it and was ready to reformat, then came across Adware Away. For the $40 or so, I figured I would give it a try.
Worked great. Completely removed about:blank.


 
Hi all, I think I just had a client call me with a system that has this problem. I'm still digesting all that is in this thread. I may have stumbled through this and fixed their system, but I guess I'll find out Monday.

One odd thing about this spyware app: the first popup ad was for a specific online poker-playing site. I forget the name right now, but I'll get it. Out of frustration I researched the website and finally called the 800-number contact and read the operator the riot act. (Hey, I was frustrated.) I told the operator that they had contributed to the corruption of a corporate computer and we were going to hold their company responsible. He panicked, and he sounded like he didn't know the difference between a monitor and a mouse. He kept referring me to CNET, though he didn't know what that was or where to look.

FYI
 
"There have been reports lately of new cross-browser hijacks, which take vulnerabilities in Firefox and use them to exploit vulnerabilities in IE."

I believe you are referring to the exploit where a user is prompted to run a Java applet in Firefox, and if they do so, it infects IE. If so, this is not a vulnerability in Firefox; it is vulnerability/gullibility on the part of the user.
 
Technically, you're correct, iamnotageek. However, the fact remains that someone has found a way to circumvent Firefox's security, even if it is only through the interaction of the user.

Given time, and I'm betting not much, these prompts are going to start getting buried and made to look more and more necessary. In addition, this is an entirely new form of malware. This one targets Java, not ActiveX, opening the door up for further exploits.
 
basspro is on to it. I battled this fiend for a day and a half, trying every hijacker, spyware and adware app I could get my hands on, tried manual deletion, ran VB scripts which were intended to fix it... no luck. In the end I paid the $40 and bought Adware Away. Worked like a dream. Seems like a conspiracy to me :)
 
One thing I have done in my attempts to clean coworkers' PCs that I haven't seen anyone mention: once the cleanup utilities are all local to the infected PC, I UNPLUG the network connection. I will then chew on the infection with the full array of utils (HJT, S&D, Ad-Aware, etc.). Seems to have worked; at least I know the trojan is forced to try and survive without an umbilical.
 
You can actually download a free (demo) version of Adware Away if you check their site carefully. It'll work for 7 days or whatever, and yes, it does actually kill it, not just report what you've got like some demos do. This is what I used last night to beat the about:blank problem. Read the instructions carefully for good end results.

ROGER - G0AOZ.
 