About:Blank

This must have been asked.....could not find it....does TDS remove the About:Blank stuff

 

Hi Rainwalker, i don't remember the question been asked in relation to TDS but where did you see that? Is it one of those exploits opening a new site when you open a window or email? Could that be in your InternetExplorer settings or windows updates or ......?

 

TDS-3 does detect the CWS DLL's in question which cause this hijack, but Adware removal is a specialist operation and not what TDS was originally intended for. For Adware problems just head to the Adware/Hijacks forum here at Wilders and read the posting rules. AdAware may be updated to remove these by now, but if it doesn't someone will help you with your HijackThis log

 

I can't believe theres no law - none of us can. What can any single one of us do ? Nothing. Ask Eugene (Kaspersky) about the latest, its heavily encrypted. Very very nasty. Noone spotted it for a while, I doubt anyone has the actual scripts yet because it is installed from sites - scripts are server side and lots can be hidden. What can WE do about this ? As we all add detection we are not stopping the CAUSE of the problem, having IE run in full standard install-whatever-you-want-website mode. Stopping this should be what we tell users, if they have to format to remove whatever "adware" they have on their machine they should write to their leaders and demand action

 

Microsoft should be completely forbidden to publish a browser with things like ActiveX, Java, etc (yeah, it is to make your internet-experience more pleasant....

 

Thank you to all for responding......

' The latest versions don't apear to be IE specific that is the worry now '

I have reading about it as i have it and realize how difficult it is to remove so i was hoping yada yada yada

It does seem to be BLOCKED by Spyware Guard and BHO Demon does SEEM to stop it and Spybot ( rc5 ) seems also to stop it. HijackThis of course shows it but i'm wondering if it's ok to leave, since the programs mentioned seem to be stopping it from loading

BTW i don't use I.E.

 

Maybe i am over reacting, but i am thinking that this is all VERY scary and we are now only seeing the tip of the iceburg.

I think i am getting body rushes similar to what a lemming experiences


Hmmmmmmmmmmmmm.........interesting

 

Can you please provide more details? This seems hard to believe something that can hijack opera AND mozilla.

 

I can't get rid of this browser hijacker, I have tried everything I know, it just keeps coming back, I am considering a clean install of my computer!!!!!!!!!!!!!
Here is the log.



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts

 

I would be very interested in this also. While it does seem plausible for it to affect Opera/Mozilla once loaded, these do not use the MS Java VM. Unless there is a similar exploit for Sun's Java VM the only way I can see this happening is if CWS was picked up by Internet Explorer first.

If you use Opera/Mozilla exclusively then no IE component should ever be exposed to Internet-based exploits. There are however lots of utilities that run on the IE engine (e.g. MyIE, Stardock Central) and these would seem a plausible infection vector. This also prevents the use of Windows Update which requires IE with ActiveX enabled (typical bloody Microsoft, make IE impossible to remove and compulsory for fixing their screwups).

 

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible Browser Hijack attempt Object recognized!
Type : RegKey
Data : KazaaStartPage="about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\K++

So K++ is one of the "vectors", too - maybe due to the fact that it uses WMP? And/or the WMP Classic? Pete

 

yes indeed if you use something like MyIE or any other application that uses IE, then obviously you are vulnerable. But one that can infect users regardless of what browsers they use, just because they use windows is incrediable.

 

Wanted to say that i only I.E. to update OS..........and of course Active Bloody X is enabled ...........................then turned off.

 

Have a question: Is about:blank a trojan or not. I have read elsewhere that it is and one person wrote that in his opinion, one of the nastiest ones out there
He SEEMED to be rather knowledgeable.............. excuse me while i duck

 

Is about:blank stuff trojan or not? If is not, then what does it do; other then mess thing up ?

 

Maybe this will answer that question...

 

Hi Rainwalker, I found this link - It appears that a fully patched IE 6 SP1 is not vulnerable:
http://www.securiteam.com/windowsntfocus/5MP0I15AUW.html

 

Trojan or not, the thing appears to be a very horrendous piece of work, judging by the kinds of hoops this person is going through trying to get rid of it: SpywareInfo thread .

My only brush with it (in my previous post) was just that one single registry entry which AA quarantined and then I deleted - I had no other symptoms.

A short write-up about it here: CoolWebSearch Chronicles . HTH Pete

 

Thanks Paranoid2ooo
Thanks Pilli.............i have some sp2 patches but do not see any sp1 stuff; as such. I have some memory of it being there once but i think there have long sense been cumulative updates that removed the info in Add/Remove programs window and replaced it with new info. I have always stayed on top of the updates. One would think the cumulative updates would have also fix the problem......... why would a malwriter write such a program..... how could he benefit or is it evil for the sake of evil