Discussion in 'Trojan Defence Suite' started by Rainwalker, May 5, 2004.
This must have been asked... could not find it... does TDS remove the About:Blank stuff?
Hi Rainwalker, I don't remember the question being asked in relation to TDS, but where did you see that? Is it one of those exploits opening a new site when you open a window or email? Could that be in your Internet Explorer settings or Windows updates or ......?
TDS-3 does detect the CWS DLLs in question which cause this hijack, but adware removal is a specialist operation and not what TDS was originally intended for. For adware problems just head to the Adware/Hijacks forum here at Wilders and read the posting rules. AdAware may be updated to remove these by now, but if it doesn't, someone will help you with your HijackThis log.
I wish TDS would deal with this one.
The CWS are getting to be more than just advertising parasites and are extremely difficult to remove.
In many cases we have been unable to fully remove the hidden DLLs that the pest drops and are resorting to using a firewall to block it from reinstalling itself.
But as Gavin says, post on the hijack forum and we will do our best to help you.
I can't believe there's no law - none of us can. What can any single one of us do? Nothing. Ask Eugene (Kaspersky) about the latest, it's heavily encrypted. Very, very nasty. No one spotted it for a while, I doubt anyone has the actual scripts yet because it is installed from sites - scripts are server side and lots can be hidden. What can WE do about this? As we all add detection we are not stopping the CAUSE of the problem, having IE run in full standard install-whatever-you-want-website mode. Stopping this should be what we tell users; if they have to format to remove whatever "adware" they have on their machine they should write to their leaders and demand action.
Microsoft should be completely forbidden to publish a browser with things like ActiveX, Java, etc. (yeah, it is to make your internet experience more pleasant....)
The latest versions don't appear to be IE specific, that is the worry now.
Earlier versions attacked via the byte verifier bug in IE using the M$ Java VM only.
The latest versions attack and get into the system regardless of browser, regardless of Java VM version.
We see it in Netscape browsers, Opera, Mozilla, in fact any browser is affected. Even removing the M$ Java VM completely still lets it on, so the only common key is Windows and it attacks all versions. I know IE is inbuilt to all op systems so it is still probably using something within the IE structure, but it's getting much harder to fix.
We haven't heard of it attacking Mac or Linux yet, but we probably wouldn't in these forums.
Thank you to all for responding......
'The latest versions don't appear to be IE specific, that is the worry now'
I have been reading about it as I have it and realize how difficult it is to remove, so I was hoping yada yada yada.
It does seem to be BLOCKED by Spyware Guard, and BHO Demon does SEEM to stop it, and Spybot (rc5) seems also to stop it. HijackThis of course shows it, but I'm wondering if it's ok to leave, since the programs mentioned seem to be stopping it from loading.
BTW I don't use I.E.
Maybe I am over reacting, but I am thinking that this is all VERY scary and we are now only seeing the tip of the iceberg.
I think I am getting body rushes similar to what a lemming experiences.
Can you please provide more details? This seems hard to believe, something that can hijack Opera AND Mozilla.
I can't get rid of this browser hijacker, I have tried everything I know, it just keeps coming back, I am considering a clean install of my computer!
Here is the log.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
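The R0/R1 lines in a log like the one above are the about:blank hijack's registry footprint: the IE search values point at a res:// URL inside a DLL in system32 while the start page is set to about:blank. The following is an added example, not part of the thread or of HijackThis, that parses such lines and flags that pattern; the sample log below is constructed from the entries posted above.

```python
import re

# Constructed sample in HijackThis R0/R1 format, modelled on the log in the thread.
# The HKLM Start Page line is a benign control entry added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ongm.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
"""

# R0/R1 line: "<type> - <hive>\<key>,<value name> = <data> [(obfuscated)]"
LINE_RE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),(.+?) = (.*?)(?: \((obfuscated)\))?$")
# A res:// URL that loads HTML out of a local DLL: the CWS about:blank signature.
RES_DLL_RE = re.compile(r"^res://.+\.dll/", re.IGNORECASE)


def parse_hjt_line(line):
    """Return a dict for an R0/R1 line, or None for any other line type."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "type": m.group(1), "hive": m.group(2), "key": m.group(3),
        "value_name": m.group(4), "data": m.group(5),
        "obfuscated": m.group(6) is not None,
    }


def scan(log_text):
    """Return (severity, value name, data) findings for the hijack pattern.

    'high'    : search/start value points at res://<something>.dll/
    'related' : about:blank entries in the same log, which on their own are
                a legitimate setting and are only reported next to a 'high' hit.
    """
    entries = [e for e in map(parse_hjt_line, log_text.splitlines()) if e]
    res_hits = [e for e in entries if RES_DLL_RE.match(e["data"])]
    findings = [("high", e["value_name"], e["data"]) for e in res_hits]
    if res_hits:
        for e in entries:
            if e not in res_hits and e["data"].lower() == "about:blank":
                findings.append(("related", e["value_name"], e["data"]))
    return findings


if __name__ == "__main__":
    for severity, name, data in scan(SAMPLE_LOG):
        print(f"[{severity}] {name} = {data}")
```

Because about:blank is a perfectly normal home page, the script only reports it alongside a res:// DLL hit; a log with about:blank alone produces no findings.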
Bob, you'll need to keep all the discussion of this in one place. You have a thread over in the hijack review forum which has a request for more information:
You need to post the entire log, not just some lines. Please continue over in that thread.
I would be very interested in this also. While it does seem plausible for it to affect Opera/Mozilla once loaded, these do not use the MS Java VM. Unless there is a similar exploit for Sun's Java VM the only way I can see this happening is if CWS was picked up by Internet Explorer first.
If you use Opera/Mozilla exclusively then no IE component should ever be exposed to Internet-based exploits. There are however lots of utilities that run on the IE engine (e.g. MyIE, Stardock Central) and these would seem a plausible infection vector. This also prevents the use of Windows Update which requires IE with ActiveX enabled (typical bloody Microsoft, make IE impossible to remove and compulsory for fixing their screwups).
Started deep registry scan
Possible Browser Hijack attempt Object recognized!
Type : RegKey
Data : KazaaStartPage="about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\K++
So K++ is one of the "vectors", too - maybe due to the fact that it uses WMP? And/or the WMP Classic? Pete
Yes indeed, if you use something like MyIE or any other application that uses IE, then obviously you are vulnerable. But one that can infect users regardless of what browsers they use, just because they use Windows, is incredible.
Wanted to say that I only use I.E. to update the OS... and of course Active Bloody X is enabled... then turned off.
Have a question: is about:blank a trojan or not? I have read elsewhere that it is, and one person wrote that in his opinion it is one of the nastiest ones out there.
He SEEMED to be rather knowledgeable... excuse me while I duck.
Is the about:blank stuff a trojan or not? If it is not, then what does it do, other than mess things up?
Maybe this will answer that question...
Hi Rainwalker, I found this link - It appears that a fully patched IE 6 SP1 is not vulnerable:
Trojan or not, the thing appears to be a very horrendous piece of work, judging by the kinds of hoops this person is going through trying to get rid of it: SpywareInfo thread.
My only brush with it (in my previous post) was just that one single registry entry which AA quarantined and then I deleted - I had no other symptoms.
A short write-up about it here: CoolWebSearch Chronicles. HTH Pete
Thanks Pilli... I have some SP2 patches but do not see any SP1 stuff as such. I have some memory of it being there once, but I think there have long since been cumulative updates that removed the info in the Add/Remove Programs window and replaced it with new info. I have always stayed on top of the updates. One would think the cumulative updates would have also fixed the problem... why would a malware writer write such a program... how could he benefit, or is it evil for the sake of evil?