about|blank home page hijacker

Discussion in 'malware problems & news' started by sarment, Jan 16, 2005.

Thread Status:
Not open for further replies.
  1. sarment

    sarment Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    27
    I had the about|blank on my son's computer last June (04). After MUCH research and effort I was able to remove it by basically following computer cops Ttime2Early's posting on May 22. (http://computercops.biz/postlite43426-blank.html) It went away.

    His computer just got it again. (I can't believe that STILL Norton NAV & NIS, AdAware, Spybot, SpywareBlaster, and Trojan Hunter can't catch it coming in AND can't find it after the fact.)

    I can't get rid of it by Ttime2Early's method because the "hidden" file does not have a name. The value of "AppInit_DLLs" is blank (no value). Is there a different hidden file now?

    Just in case, I did the HijackThis run and removed all the about|blank entries. But it still comes back. (Immediately!) (Removing the hidden file was the key before. Without getting rid of the "hidden" file, none of the other fixes stay fixed.) Something interesting in the HijackThis log though, this line:
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    I'm hoping that there is some new info on the really bad old bug.

    Help??
     
  2. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, I think it would be worth trying the new Microsoft Anti-Spyware beta 1. Also, if that is not successful, download HijackThis, run it and save the log file; you can then post it on forums that will advise you on what to remove (Wilders no longer allows HJT logs to be posted here).

    Link to download Microsoft Anti-Spyware; you will need to do a Windows authentication first (small download provided by MS at the same site).
     
    Last edited: Jan 16, 2005
  3. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Just a further note: if you are using Spybot, do you have the immunize function running and updated?

    To protect yourself in future, try using an alternate browser to IE. Mozilla and Opera have free browsers that are safer and arguably faster than IE.

    A lot of the spyware gets past your defenses because it comes via downloading a program that has a EULA (end user license agreement).
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    you might look here

    and see if it is relevant to your problem

    bigc
     
  5. sarment

    sarment Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    27
    Been there. Done that. The process linked a couple times on that posting got rid of it the first time. Now I don't see a value for the hidden file. It has to be somewhere else now.

    Do you know anything about adware away? (www.adwareaway.com)
     
  6. sarment

    sarment Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    27
    sweetie-
    Thanks.
    1 Yes we "immunize" and keep spybot up to date.
    2 I am reluctant to download a new program unless I am reasonably sure it can detect and remove this particular problem since I already have so many protections in place and scans to run regularly.
    3 You say "A lot of the spyware gets past your defenses because it comes via downloading a program that has a EULA (end user license agreement)." Do you know of a way to protect yourself in these situations?
    4 Maybe I will try one of the other browsers on my computer. (I try things here first before installing them on other computers.)
    5 I already ran HijackThis and removed the about:blank entries. The problem with about:blank is the hidden file that needs to be identified and removed. I don't know the location of "my" particular hidden file.

    bigc-
    Thanks. I used the information on these links to get rid of the last about:blank infection. It doesn't work this time because the hidden file is in a different location.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    A good practice.


    Agreed, with this issue I would think you are going to need specialists' help from A-SAP.

    Have you tried running all your security programs while in “Safe Mode” as discussed in General Cleaning?


    I would suggest Process Guard 3 by DCS.

    This is what works really well for me: very simple to use and maintain, and also extremely secure.


    It is a step in the right direction.


    I believe with this issue as stated above, you will need to post your log at one of the forums found at A-SAP.

    The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    Once your system is clean I would also suggest taking a look here: Why did I get infected in the first place? Also, for further discussions on security and how to make your system that much stronger, see here and here

    Cheers

    Blackspear.
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That registry entry is a policy to disallow the currently signed-on user from running regedit.exe. If you want to give that user the ability to edit or view the registry, either change the 1 to 0 or delete the DWORD value DisableRegedit entirely. It is not a DWORD entry that is installed by default.
     
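    As an added illustration (not code from this thread, nor from HijackThis, Adware Away or any other tool named here), the PowerShell script below audits the two registry locations the thread discusses: the DisableRegedit policy value Bubba explains above, and the AppInit_DLLs value that the first post refers to as the place where the "hidden" file used to be named. The key paths are the standard Windows ones; the -Remove switch, the output wording and the search-path fallback are this example's own choices. It only reports unless run with -Remove, which deletes the DisableRegedit value as Bubba describes.

```powershell
# Added example: audit DisableRegedit (HKCU policy) and AppInit_DLLs (HKLM), report findings,
# and optionally remove the DisableRegedit value. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. DisableRegedit: a value of 1 blocks regedit.exe for the current user.
#    The value does not exist on a default installation, so its mere presence is worth noting.
$disable = Get-ItemProperty -Path $policyKey -Name DisableRegedit -ErrorAction SilentlyContinue
if ($null -ne $disable) {
    Write-Output "DisableRegedit is present with value $($disable.DisableRegedit)"
    if ($Remove) {
        # Deleting the value restores the default (regedit allowed), as described in the post above.
        Remove-ItemProperty -Path $policyKey -Name DisableRegedit
        Write-Output 'Removed DisableRegedit; regedit.exe is available to this user again.'
    }
} else {
    Write-Output 'DisableRegedit is not set (default).'
}

# 2. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll,
#    which is why a hijacker placed there survives the removal of its other entries.
#    The value is normally empty; anything listed should be explained by known software.
$appInit = Get-ItemProperty -Path $appInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue
if ($appInit -and $appInit.AppInit_DLLs -and $appInit.AppInit_DLLs.Trim()) {
    Write-Output "AppInit_DLLs is set: $($appInit.AppInit_DLLs)"
    # Entries may be comma- or space-separated; bare names are resolved from the search path,
    # so fall back to System32 when no directory is given (assumption for this example).
    foreach ($dll in ($appInit.AppInit_DLLs -split '[,\s]+' | Where-Object { $_ })) {
        $candidate = $dll
        if (-not [System.IO.Path]::IsPathRooted($dll)) {
            $candidate = Join-Path (Join-Path $env:SystemRoot 'System32') $dll
        }
        $present = Test-Path -LiteralPath $candidate
        Write-Output ("  {0}  (file found at {1}: {2})" -f $dll, $candidate, $present)
    }
} else {
    Write-Output 'AppInit_DLLs is empty (default).'
}
```

    In the case described in this thread the AppInit_DLLs value was already blank, so this check alone would not have located the second infection; it is still the first place to look, because a non-empty value there explains why the about:blank entries come straight back after HijackThis removes them. On 64-bit Windows the same value also exists under the Wow6432Node branch of HKLM\SOFTWARE, which this script does not inspect.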
  9. sarment

    sarment Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    27
    about|blank home page hijacker - adware away removed it

    FYI-

    I downloaded and ran Adware Away (at the suggestion of a site moderator at Castle Cops, formerly Computer Cops: http://castlecops.com/modules.php?name=Forums&file=viewtopic&p=430702#430702). It was awesome!

    The last time I had "about blank" it took me days of research, some trial and error, and lots of manual manipulation to remove it.

    This time I ran Adware Away and it was gone.

    They even say that they will customize their program if you have a variant that the standard program doesn't remove. Currently the program removes 8 variants of "about blank".

    I would choose this route over the others I tried earlier to remove this NASTY hijacker.
     
  10. sarment

    sarment Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    27
    blackspear-

    Thanks for the info. I followed the links and saw what you load on your computer. Most helpful.

    I generally try software on my machine and then put it on others in our house if.... (For example, I have Process Guard on my computer. I like it but decided it is not appropriate for everyone else's.)

    Anyways, a couple questions about your list.

    1 - how does "system safety monitor" compare with "registry protect"

    2 - with process guard are these others (registry, script, etc.) needed?
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure, and glad it was helpful.


    That’s a good practice; it is what I do as well.


    I used to use SSM, however it caused a conflict with the latest version of Nod32, so it got the heave-ho, and I started using Prevx, which I’m very impressed with.


    Yes, still needed to monitor the registry; see here for comparisons:

    https://www.wilderssecurity.com/showthread.php?t=32823

    I use MJ Registry Watcher http://www.jacobsm.com/index.htm#sft

    Hope this helps…

    Cheers :D
     