My problems so far...!!!


Marvin Cummings

Playing devil's advocate I took a fully patched XP SP2
system and allowed it to get hijacked. This hijack
changed my default URL to about:blank and my page
to "Search for". Now if I open a web browser not only do I
get redirected to this "Search for" page but I also get
pop-ups. This particular spyware or whatever it's called
turned off my pop-up blocker, which was enabled and set to
medium.
I then installed Microsoft Anti-Spyware on this box and
allowed it time to download any definitions. After this I
performed a system scan. MSAS didn't detect any spyware on
my system. I ran another scan and got the same thing. I
ran HiJackThis and got the following .dll entries in my
registry:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = res://C:\DOCUME~1\MARVIN~1.CUM\LOCALS~1
\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = res://C:\DOCUME~1\MARVIN~1.CUM\LOCALS~1
\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = about:blank
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {95FCE1C0-0EE0-4943-A68E-
BAFBD0024F92} - C:\WINDOWS\system32\akmn.dll
O4 - HKLM\..\Run: [Jet Detection] "C:\Program
Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32
\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program
Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%
\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"

After deleting these entries and rebooting the system I
opened MSAS to begin another system scan and was advised
that the following threat was detected:

Possible browser hijack: (Browser Hijacker)
Threat Level High
Internet Explorer Start Page: about:blank

I elected to remove it and was advised of its removal. I
open a web browser and see my default URL. Immediately
after this I get notices from MSAS that it has ALLOWED my
URL to be changed from the default to about:blank based on
my settings!!!! I then get another notice advising that
akmn.dll was blocked from changing the URL to about:blank.
I start another scan and MSAS detects nothing. So I'm
convinced that it doesn't see akmn.dll and sp.dll as
threats. I delete these from the Local & Windows\System32
directory, perform a registry search and delete for
akmn.dll and sp.dll, re-run HiJackThis, delete the same
crap, reboot, and restart the scan. The same thing
happens.
I go to Advanced tools, click Browser HiJack Restore and
check my default URL to be my start page. I then click
Restore and open a web browser to see my default page.
Notice: akmn.dll
Notice: An Internet Explorer change has been allowed:
Old URL: www.mysite.com
New URL: about:blank

At this point I'm so frustrated I sling the computer out
the window, grab a bottle of Hennessy and a cigar, and go
sit on the front porch.
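As an added example, not code from the thread or from any of the tools it mentions: a small Python triage script for the HijackThis line formats quoted in the post above (R0/R1 Internet Explorer URL settings, O2 BHO, O4 Run entries). It flags the indicators the post describes, pages reset to about:blank, a Search Bar served from a res:// DLL under a Temp directory, and a BHO registered with no name, and leaves the other entries unflagged. The sample lines are the post's own entries unwrapped to one line each; the flag wording and the Temp-directory rule are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample (assumption): the HijackThis lines quoted in the post
# above, unwrapped to one line each.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MARVIN~1.CUM\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {95FCE1C0-0EE0-4943-A68E-BAFBD0024F92} - C:\WINDOWS\system32\akmn.dll
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"""

@dataclass
class Entry:
    kind: str    # HijackThis section: R0, R1, O2 or O4
    target: str  # registry key+value, BHO CLSID, or Run key+value name
    data: str    # URL, DLL path or command line
    flags: list  # reasons the entry deserves a closer look (empty = nothing seen)

R_RE = re.compile(r"^(R[0-3]) - ([^,]+),([^=]+?) = (.*)$")             # Rn - key,value = data
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")  # O2 - BHO: name - {CLSID} - dll
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")                 # O4 - key: [name] command

def _flag_url(data: str) -> list:
    # IE start/search page value: the hijack in the post resets pages to
    # about:blank and points the Search Bar at a DLL resource stored in Temp.
    d, flags = data.strip().lower(), []
    if d == "about:blank":
        flags.append("IE page reset to about:blank")
    if d.startswith("res://"):
        flags.append("IE page served out of a DLL resource (res://)")
        if "\\temp\\" in d:
            flags.append("resource DLL lives in a Temp directory")
    return flags

def _flag_module(path: str) -> list:
    # Assumed rule: a DLL or autorun command under a Temp directory is worth a look.
    return ["module loads from a Temp directory"] if "\\temp\\" in path.lower() else []

def parse_line(line: str):
    """Parse one HijackThis line into an Entry, or None if the format is unknown."""
    line = line.strip()
    if m := R_RE.match(line):
        kind, key, name, data = m.groups()
        return Entry(kind, f"{key},{name.strip()}", data.strip(), _flag_url(data))
    if m := O2_RE.match(line):
        name, clsid, path = m.groups()
        flags = _flag_module(path)
        if name.strip().lower() == "(no name)":
            flags.append("BHO registered without a name")
        return Entry("O2", clsid, path.strip(), flags)
    if m := O4_RE.match(line):
        key, name, cmd = m.groups()
        return Entry("O4", f"{key} [{name}]", cmd.strip(), _flag_module(cmd))
    return None

def triage(log_text: str) -> list:
    # All parseable entries, in log order; unknown line types are skipped.
    return [e for e in map(parse_line, log_text.splitlines()) if e]

def suspicious(log_text: str) -> list:
    # Only the entries that tripped at least one flag.
    return [e for e in triage(log_text) if e.flags]
```

Running `suspicious(SAMPLE_LOG)` returns the four R-entries and the unnamed BHO; the two O4 entries from the post parse but carry no flags.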
 
Marvin said:

LOL.......wonderful!
 
Marvin said:

Marvin,

Must be warm where you are ;) You're a brave guy, Marvin. The latest
variant of about:blank is very difficult to remove and I know of no
spyware program that will remove it. Can you send a report to MS by
opening MSAS, go to Tools, Suspected Spyware Report?

Give this a shot: run MSAS in Normal mode, reboot the system and do
another scan with it in Safe Mode. Also, while in Safe Mode, click on
Tools, Advanced Tools, Browser Hijack Restore Settings Restore. Click on
the entries in the left frame either one by one or use the Check all
box. Then one by one, click on the Settings on the left, then the Change
Restore Settings to a New URL link on the right. Enter your preferred
settings.
Reboot to Normal mode and if the warning reappears, go back to Browser
Hijack Restore Settings and click the Restore button. See if that makes
your desired settings stick.

If you need further assistance with about:blank, please let me know.

Steve Wechsler (akaMowGreen)
MVP Windows Server
AumHa VSOP
 
Steve said:

LOL.......even funnier..............
 
Hi,

Not to be rude, but I think if you played devil's
advocate with viruses you may get the same outcome...
one broken computer (even if the computer was cleaned).

I just wanted to note that the definition list of MSAS is
still in beta stages. Some detected "spyware" will show
as a threat/hazardous if the server has no definition for
the item. This of course is being updated.

It's obvious here that the beta product currently does not
remove all associations of the about:blank issue as a
trigger is still activated and MSAS believes
this "trigger" is a legit process.

Hopefully they will update the definitions for this
issue. Best of luck.


 
To fix your problem...

Go into MS AntiSpyware:
Tools -> Advanced Tools -> Browser Hijack Restore and
change all the restore pages to relevant ones (as a
default, AntiSpyware will revert them back to the nasty
ones from when it was installed) i.e.
http://www.google.com/ for the start page & search page
and http://www.google.com/ie for the search assistant...

Check all & Restore All

Restart in safe mode and manually remove the following
entries using HijackThis:

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\DOCUME~1
\MARVIN~1.CUM\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar = res://C:\DOCUME~1
\MARVIN~1.CUM\LOCALS~1\Temp\sp.dll/sp.html

Click Start -> Run & Type In "C:\DOCUME~1
\MARVIN~1.CUM\LOCALS~1\Temp\"
Select all files and delete them

Restart again and you should be clean...
 
Steve Wechsler [MVP] wrote on 12-Jan-2005 6:33 PM:
Marvin,

Must be warm where you are ;) You're a brave guy, Marvin. The latest
variant of about:blank is very difficult to remove and I know of no
spyware program that will remove it. Can you send a report to MS by
opening MSAS, go to Tools, Suspected Spyware Report ? ....

Steve Wechsler (akaMowGreen)
MVP Windows Server
AumHa VSOP

Brave, um, yes, that's the word. This is CoolWebSearch. CoolWebSearch
has many variants. You can try the new CWShredder
(http://www.intermute.com/spysubtract/cwshredder_download.html) which
*might* work, but I have only had repeatable success by detecting the
offending secret CWS files and then deleting them by booting an
alternate OS like the BartPE bootable maintenance environment.

Dealing with CoolWebSearch is a demanding task. CWS is updated as soon
as new vulnerabilities are published and established removal tools are
successful. Apparently these Russians make enough money from their pr0n
advertising to keep some pretty good programmers ahead of the
vulnerability curve.

It will probably take Microsoft an effort equivalent to bringing MSAS to
bear on all other malware, to beat CWS. It is the ultimate challenge.

Of course, a resourceful graduate student with admittedly limited
programming skills did it all alone for a couple of years. :-) MS should
hire him and have him advise on combatting future variants.
 