About:Blank

Discussion in 'Trojan Defence Suite' started by Rainwalker, May 5, 2004.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    This must have been asked.....could not find it....does TDS remove the About:Blank stuff :doubt:
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Rainwalker, I don't remember the question being asked in relation to TDS, but where did you see that? Is it one of those exploits opening a new site when you open a window or email? Could that be in your Internet Explorer settings or Windows updates or ......?
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS-3 does detect the CWS DLLs in question which cause this hijack, but adware removal is a specialist operation and not what TDS was originally intended for. For adware problems just head to the Adware/Hijacks forum here at Wilders and read the posting rules. AdAware may be updated to remove these by now, but if it doesn't someone will help you with your HijackThis log.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I wish TDS would deal with this one

    the CWS are getting to be more than just advertising parasites and are extremely difficult to remove

    In many cases we have been unable to fully remove the hidden DLLs that the pest drops and are resorting to using a firewall to block it from reinstalling itself.

    But as Gavin says, post on the hijack forum and we will do our best to help you.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I can't believe there's no law - none of us can. What can any single one of us do? Nothing. Ask Eugene (Kaspersky) about the latest, it's heavily encrypted. Very very nasty. No one spotted it for a while, I doubt anyone has the actual scripts yet because it is installed from sites - scripts are server side and lots can be hidden. What can WE do about this? As we all add detection we are not stopping the CAUSE of the problem, having IE run in full standard install-whatever-you-want-website mode. Stopping this should be what we tell users; if they have to format to remove whatever "adware" they have on their machine they should write to their leaders and demand action ;)
     
  6. FanJ

    FanJ Guest

    ;)

    Microsoft should be completely forbidden to publish a browser with things like ActiveX, Java, etc. (yeah, it is to make your internet experience more pleasant....) :mad: :blink:
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    The latest versions don't appear to be IE specific, that is the worry now.

    Earlier versions attacked via the byte verifier bug in IE using the M$ Java VM only.

    The latest versions attack & get in the system regardless of browser, regardless of Java VM versions.

    We see it in Netscape browsers, Opera, Mozilla, in fact any browser is affected. Even removing the M$ Java VM completely still lets it on, so the only common key is Windows and it attacks all versions. I know IE is inbuilt to all op systems so it is still probably using something within the IE structure, but it's getting much harder to fix.

    We haven't heard of it attacking Mac or Linux yet, but we probably wouldn't in these forums.
     
  8. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thank you to all for responding......

    ' The latest versions don't appear to be IE specific that is the worry now '

    I have been reading about it as I have it and realize how difficult it is to remove, so I was hoping yada yada yada

    It does seem to be BLOCKED by SpywareGuard, and BHODemon does SEEM to stop it, and Spybot (RC5) seems also to stop it. HijackThis of course shows it, but I'm wondering if it's ok to leave, since the programs mentioned seem to be stopping it from loading.
    o_O
    BTW i don't use I.E.
     
  9. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Maybe I am overreacting, but I am thinking that this is all VERY scary and we are now only seeing the tip of the iceberg.

    I think i am getting body rushes similar to what a lemming experiences
    :eek:

    Hmmmmmmmmmmmmm.........interesting :rolleyes:
     
  10. Riverwind

    Riverwind Guest

    Can you please provide more details? This seems hard to believe something that can hijack opera AND mozilla.
     
  11. bobgilles

    bobgilles Registered Member

    Joined:
    May 1, 2004
    Posts:
    12
    I can't get rid of this browser hijacker, I have tried everything I know, it just keeps coming back, I am considering a clean install of my computer!
    Here is the log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
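    One way to triage R0/R1 lines from a log like the one above, as an added example that is not part of this thread or of HijackThis itself: it parses each entry, pulls out the DLL that any res:// search or start page points into, and reports whether that co-occurs with about:blank pages, which is the combination seen in this log. The sample lines are constructed from the post above plus one benign entry; the regexes and verdict labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample: R0/R1 lines from the log posted above plus one benign entry (assumed input).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.example.com/
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
"""
# R0/R1 = IE start/search page values; lazy groups stop at the first ',' and ' = '.
LINE_RE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),(.+?) = (.*)$")
# res:// URL into a DLL: the "page" is a resource served from that DLL, not a real site.
RES_DLL_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

@dataclass
class Finding:
    hive: str
    value_name: str
    target: str
    verdict: str                 # "res_dll", "about_blank" or "clean"
    dll: Optional[str] = None

def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None              # O1 and other sections are out of scope here
    _, hive, _key, value_name, target = m.groups()
    target = re.sub(r"\s*\(obfuscated\)$", "", target)   # strip the HijackThis annotation
    res = RES_DLL_RE.match(target)
    if res:
        return Finding(hive, value_name, target, "res_dll", res.group(1))
    if target.lower() == "about:blank":
        return Finding(hive, value_name, target, "about_blank")
    return Finding(hive, value_name, target, "clean")

def analyze(log_text: str) -> List[Finding]:
    return [f for f in map(parse_line, log_text.splitlines()) if f]

def assess(findings: List[Finding]) -> Tuple[str, List[str]]:
    # Which DLLs back res:// pages, and whether they co-occur with about:blank pages.
    dlls = sorted({f.dll for f in findings if f.verdict == "res_dll"})
    blank = any(f.verdict == "about_blank" for f in findings)
    if dlls:
        return ("about:blank hijack pattern (res:// DLL plus about:blank pages)" if blank
                else "res:// DLL search/start pages"), dlls
    return ("about:blank only (benign by itself)" if blank else "clean"), dlls
```

    The DLL path it returns is what to look up in the rest of the log (O2/O18/O20 sections) rather than something to delete blindly; an about:blank start page alone is a normal user setting.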
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Bob, you'll need to keep all the discussion of this in one place. You have a thread over in the hijack review forum which has a request for more information:

    https://www.wilderssecurity.com/showthread.php?t=30901

    You need to post the entire log, not just some lines. Please continue over in that thread.
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I would be very interested in this also. While it does seem plausible for it to affect Opera/Mozilla once loaded, these do not use the MS Java VM. Unless there is a similar exploit for Sun's Java VM the only way I can see this happening is if CWS was picked up by Internet Explorer first.

    If you use Opera/Mozilla exclusively then no IE component should ever be exposed to Internet-based exploits. There are however lots of utilities that run on the IE engine (e.g. MyIE, Stardock Central) and these would seem a plausible infection vector. This also prevents the use of Windows Update which requires IE with ActiveX enabled (typical bloody Microsoft, make IE impossible to remove and compulsory for fixing their screwups).
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Possible Browser Hijack attempt Object recognized!
    Type : RegKey
    Data : KazaaStartPage="about:blank"
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_CURRENT_USER
    Object : Software\K++

    So K++ is one of the "vectors", too - maybe due to the fact that it uses WMP? And/or the WMP Classic? Pete
     
  15. Riverwind

    Riverwind Guest

    Yes indeed, if you use something like MyIE or any other application that uses IE, then obviously you are vulnerable. But one that can infect users regardless of what browsers they use, just because they use Windows, is incredible.
     
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Wanted to say that I only use I.E. to update the OS..........and of course Active Bloody X is enabled :mad: ...........................then turned off.
     
  17. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Have a question: Is about:blank a trojan or not? I have read elsewhere that it is, and one person wrote that in his opinion it is one of the nastiest ones out there o_O
    He SEEMED to be rather knowledgeable.............. excuse me while i duck
     
  18. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Is the about:blank stuff a trojan or not? If it is not, then what does it do, other than mess things up?
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Maybe this will answer that question...
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  21. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Trojan or not, the thing appears to be a very horrendous piece of work, judging by the kinds of hoops this person is going through trying to get rid of it: SpywareInfo thread.

    My only brush with it (in my previous post) was just that one single registry entry which AA quarantined and then I deleted - I had no other symptoms.

    A short write-up about it here: CoolWebSearch Chronicles. HTH Pete
     
  22. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks Paranoid2ooo
    Thanks Pilli.............I have some SP2 patches but do not see any SP1 stuff as such. I have some memory of it being there once, but I think there have long since been cumulative updates that removed the info in the Add/Remove Programs window and replaced it with new info. I have always stayed on top of the updates. One would think the cumulative updates would have also fixed the problem......... why would a malwriter write such a program..... how could he benefit, or is it evil for the sake of evil :rolleyes:
     