A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Performance and Maintainance of XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

"About blank virus"



 
 
Thread Tools Display Modes
  #1  
Old June 3rd 05, 03:59 AM
seborn
external usenet poster
 
Posts: n/a
Default "About blank virus"

Has anyone dealt with the "About Blank Virus"
and can share info on how to get rid of it?
I'm using windows xp.
thanks
Ads
  #2  
Old June 3rd 05, 05:45 AM
Touchbase
external usenet poster
 
Posts: n/a
Default

Hi "seborn"

Archived info: It is long but covers things very throughly. Maybe print it
out and go through it step by step.


From: Jim Byrd
Reply-To: Jim Byrd
Date: Sep 18 2004 - 4:00pm


"Hi Chuck - We've been seeing this a lot lately, and these are very
difficult
CWS parasite variants to remove. Read ALL of this carefully to begin with,
then try about:Blank Specific and then Basic Cleaning, below FIRST and then
ONLY IF NECESSARY Approach 1 and/or Approach 2 and/or Approach 3 and/or
Approach 4 and/or Approach 5.

********Please post back with your results in detail if possible - what you
tried, what happened, how you ended up - so that we'll know better what to
advise others.********

######### IMPORTANT #########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX he

http://www.cexx.org/lspfix.htm

AND a copy of Winsockfix
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip

Directions he http://www.tacktech.com/display.cfm?ttid=257

The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.

#########IMPORTANT#########

Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, he
http://www.hsremove.com/. "A few days ago I got hijacked - Nothing new in
that, except this time it was a real [censored] to get rid of. - There were
simply no tools available to remove this "Home Search" thing. Finally I
ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you
find it helpful, then please do not hesitate to make a contribution."


Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
using a malware provider's uninstall, but this particular approach has been
reported to work ONLY IF you have the about:blank CWS variant (there appear
to be at least three or four currently) which leads you to a Search page.
Paste the following IP into your browser:

195.190.118.131

On the screen you arrive at, you see a "Search For" window, and below it a
red "Uninstall Software". Download their uninstaller, uninstall.exe. At this
point I would either use TotalUninstall or make a complete backup/Restore
Point of my system for safety's sake (on the basis of "at least keep what
you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html or
direct dwnld he http://files.webattack.com/localdl834/tun234.zip

Run this uninstall program that you downloaded from the malware site, then
UPDATE them and go to Safe mode to run UPDATED versions CWShredder, AdAware
and SpyBot per the directions in Basic, below.

Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk

"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY
seem to be rid of it for good! It is aka Troj_StartPage.sp and
BackDoor.Agent.BA. This is what I did:

1. Run Regedit, and DELETE the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs

The value of this key may look blank for you, but it is not. They hide the
value so you can't see it. This registry key tells Windows to load the
Trojan DLL every time ANY application is run giving it complete control to
do whatever it wants. So you need to remove it so that the Trojan DLL cannot
load and keep re-infecting your PC. The way to remove the registry key is
not obvious. If you just delete it from RegEdit, since the Trojan DLL is
loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs
registry key and hit F5. Notice that it's added right back by the Trojan).

So what you have to do is the following which worked for me (many thanks to
"acomputerpro" at the SpywareInfo.com forums!)

2. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
folder to Windows2.

3. Now delete the AppInit_DLLs key under the Windows2 folder.

4. Hit F5 and notice that AppInit_DLLs doesn't come back.

5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is
gone, run the latest AdAware 6 to remove the Trojan for good.

6. Reboot your machine, and check the registry and make sure AppInit_DLLs is
still gone.

Your computer should be free of this for good now. Hope it works for you...
It seemed to do the trick for me!"

Approach 4 - If you've already tried CWShredder to get rid of this parasite
(See below, v.159.0.1 or better and fully updated before use), then take a
look at this thread about manual removal of this parasite:

http://www.akadia.com/services/about_blank_virus.html
and this one: http://www.daniweb.com/techtalkforums/thread5531.html
and this one: http://computercops.biz/article-5199-nested-0-0.html
and this one: http://forum.aumha.org/viewtopic.php?t=6437

Approach 5 - I don't usually recommend anything but freeware that I've
confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, he
http://www.adwareaway.com/ claims to fix it automatically, and several
users
now have reported success using it. I would backup my system before using
it, however - always try to "keep what you've got".

__________________________________

about:Blank Specific fixes:

1) See the procedures he
http://www.pchell.com/support/onlythebest.shtml
and especially he
http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp
Pest Patrol (free) claims to remove at least some of the about:blank
variants

2) Download AboutBuster, he http://www.malwarebytes.biz/AboutBuster.zip
or he http://www.majorgeeks.com/download4289.html Then, "First unzip all
files from the zip folder to a folder or your desktop. Start it and hit ok.
Then hit update. A new screen should popup. On that screen hit Check for
Updates. If it sais it found an update hit Download Updates. If it doesnt it
will automatically tell you and exit. Now for the scanning part. Hit start
and then Ok. The program should start scanning. Then hit exit and reboot.

Once rebooted run about:Buster once more to make sure everything is ok.
The database will be updated very frequently so check your versions once a
day."

3) Download dllfix.exe and CWShredder from he

http://www.renonce.com/pub/utils/dllfix.exe

and http://209.133.47.200/~merijn/files/CWShredder.exe

or http://www.zerosrealm.com/downloads/CWShredder.zip

or http://downloads.subratam.org/CWShredder.exe

Unzip or install dllfix.exe to its own folder, run it and do options 1 and

2. Now proceed with the Basic Cleaning steps, below.

4) It has been reported that the evaluation version of Panda Software's
Titanium Antivirus 2004, he
http://www.pandasoftware.com/registe...ry=Us&sec=down
will completely remove about:blank. I have not been able to independently
verify this yet, however, so this is AT YOUR OWN RISK. You'll have to give
them some information, and I expect you may want to uncheck some of the
"opt-in" boxes at the bottom just above and below the send button.

Basic Cleaning - Note that this symptom often indicates the possibility of
other malware. You might want go to this page at Jim Eshelman's site, he
http://aumha.org/a/noads.htm
or he
http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
patient), while an analysis of a number of possible parasites on your
machine will be made to help you identify and remove them. NOTE: You will
need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
Blocking software which interferes with Java Scripting for this scan to
work. You should get a message between the two lines of **** giving the
results of the scan.

#########IMPORTANT#########
All of these removal tools should be run from Safe mode when possible.
Reboot and test if the malware is fixed after using each tool.

#########IMPORTANT#########

Download sysclean.com , from Trend Micro, he
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, he http://www.trendmicro.com/download/pattern.asp (You might also
want to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/ ). Place them in a dedicated folder after
appropriate unzipping, and then run. (If you download and use the updater
from the beginning, it will handle downloading the other files.)

For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, he http://www.lavasoftusa.com/support/download/
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get
rid of most "spyware/hijackware" on your machine. If it has to fix things,
be sure to re-boot and rerun AdAware again and repeat this cycle until you
get a clean scan. The reason is that it may have to remove things which are
currently "in use" before it can then clean up others.

Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:

General activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"

Scanning activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"

Tweaks Scanning Engine activate this: "Unload recognized processes during
scanning."

Tweaks Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."

Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"

Another excellent program for this purpose is SpyBot Search and Destroy
available he http://security.kolla.de/ SpyBot Support Forum he
http://www.net-integration.net/cgi-b.../ikonboard.cgi . I recommend
using both normally. After UPDATING and fixing ONLY RED things with SpyBot
S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until
you get a clean "no red" scan. The reason is that SpyBot sometimes has to
remove things which are currently "in use" before it can then clean up
others.

Note that sometimes you need to make a judgment call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

A currently common parasite is some malware called CoolWebSearch. Do the
following:

Download, UPDATE before running, and run:
http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
Be sure to close all instances of IE and OE. You may also get it here if
that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

There's a good tutorial about CWS and using CWShredder he
http://www.bleepingcomputer.com/foru...rial=47#domain


BE SURE that you get v.159.0.1 or later!

You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.

The following links give instructions on how to do these various functions:


HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT...01052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT...02092715262339

HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT...01111912274039
(WinXP)
http://service1.symantec.com/SUPPORT...01012513122239
(WinME)

Then download and run:
http://www.kellys-korner-xp.com/regs.../iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Now download and run:
http://www.kellys-korner-xp.com/regs...oreSearch2.REG
to restore your search functions if they've been affected (as they probably
will have
been).

Be sure that you also download and install hotfix Q816093, he

http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.

If they don't fix it then start he

Download HijackThis, free, he
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadge...8baee6434cfc13


In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, he
http://216.180.233.162/~swicom/forums/

or Net-Integration he
http://www.net-integration.net/cgi-b...ST;f=27;t=6949

or Tom Coyote he http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).

*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******

Once you get this cleaned up, you might want to consider installing Eric
Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the futu

IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.

http://www.javacoolsoftware.com/spywareblaster.html
(Prevents malware Active X installs) (BTW, SpyWareBlaster is not memory
resident ... no CPU or memory load - but keep it UPDATED) The latest version
as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.

http://www.javacoolsoftware.com/spywareguard.html
(Monitors for attempts to install malware) Keep it UPDATED. All three Very
Highly Recommended.
Finally, go to Windows Update and ensure that ALL Critical updates are
installed.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP


"seborn" wrote in message
...
Has anyone dealt with the "About Blank Virus"
and can share info on how to get rid of it?
I'm using windows xp.
thanks



  #3  
Old June 3rd 05, 01:52 PM
Sandman
external usenet poster
 
Posts: n/a
Default

.......I had the 'about.blank' Homepage hijacker also and got some help here;
nothing solved the problem despite the help. CWS Shredder, Spybot, Adaaware
Webroot you can forget those as far as this one is concerned..I posted a
solution i found that WORKED but nobody was interested and I got no response
to the post. Email me if you want the information.
"Touchbase" wrote in message
...
Hi "seborn"

Archived info: It is long but covers things very throughly. Maybe print it
out and go through it step by step.


From: Jim Byrd
Reply-To: Jim Byrd
Date: Sep 18 2004 - 4:00pm


"Hi Chuck - We've been seeing this a lot lately, and these are very
difficult
CWS parasite variants to remove. Read ALL of this carefully to begin with,
then try about:Blank Specific and then Basic Cleaning, below FIRST and

then
ONLY IF NECESSARY Approach 1 and/or Approach 2 and/or Approach 3 and/or
Approach 4 and/or Approach 5.

********Please post back with your results in detail if possible - what

you
tried, what happened, how you ended up - so that we'll know better what to
advise others.********

######### IMPORTANT #########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX he

http://www.cexx.org/lspfix.htm

AND a copy of Winsockfix
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip

Directions he http://www.tacktech.com/display.cfm?ttid=257

The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable

you
to regain your connection.

#########IMPORTANT#########

Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, he
http://www.hsremove.com/. "A few days ago I got hijacked - Nothing new in
that, except this time it was a real [censored] to get rid of. - There

were
simply no tools available to remove this "Home Search" thing. Finally I
ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you
find it helpful, then please do not hesitate to make a contribution."


Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise
using a malware provider's uninstall, but this particular approach has

been
reported to work ONLY IF you have the about:blank CWS variant (there

appear
to be at least three or four currently) which leads you to a Search page.
Paste the following IP into your browser:

195.190.118.131

On the screen you arrive at, you see a "Search For" window, and below it a
red "Uninstall Software". Download their uninstaller, uninstall.exe. At

this
point I would either use TotalUninstall or make a complete backup/Restore
Point of my system for safety's sake (on the basis of "at least keep what
you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html

or
direct dwnld he http://files.webattack.com/localdl834/tun234.zip

Run this uninstall program that you downloaded from the malware site, then
UPDATE them and go to Safe mode to run UPDATED versions CWShredder,

AdAware
and SpyBot per the directions in Basic, below.

Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk

"I had a variant of this CWS.SearchX sucker for about 3 weeks, and I

FINALLY
seem to be rid of it for good! It is aka Troj_StartPage.sp and
BackDoor.Agent.BA. This is what I did:

1. Run Regedit, and DELETE the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs

The value of this key may look blank for you, but it is not. They hide the
value so you can't see it. This registry key tells Windows to load the
Trojan DLL every time ANY application is run giving it complete control to
do whatever it wants. So you need to remove it so that the Trojan DLL

cannot
load and keep re-infecting your PC. The way to remove the registry key is
not obvious. If you just delete it from RegEdit, since the Trojan DLL is
loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs
registry key and hit F5. Notice that it's added right back by the Trojan).

So what you have to do is the following which worked for me (many thanks

to
"acomputerpro" at the SpywareInfo.com forums!)

2. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
folder to Windows2.

3. Now delete the AppInit_DLLs key under the Windows2 folder.

4. Hit F5 and notice that AppInit_DLLs doesn't come back.

5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is
gone, run the latest AdAware 6 to remove the Trojan for good.

6. Reboot your machine, and check the registry and make sure AppInit_DLLs

is
still gone.

Your computer should be free of this for good now. Hope it works for

you...
It seemed to do the trick for me!"

Approach 4 - If you've already tried CWShredder to get rid of this

parasite
(See below, v.159.0.1 or better and fully updated before use), then take a
look at this thread about manual removal of this parasite:

http://www.akadia.com/services/about_blank_virus.html
and this one: http://www.daniweb.com/techtalkforums/thread5531.html
and this one: http://computercops.biz/article-5199-nested-0-0.html
and this one: http://forum.aumha.org/viewtopic.php?t=6437

Approach 5 - I don't usually recommend anything but freeware that I've
confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, he
http://www.adwareaway.com/ claims to fix it automatically, and several
users
now have reported success using it. I would backup my system before using
it, however - always try to "keep what you've got".

__________________________________

about:Blank Specific fixes:

1) See the procedures he
http://www.pchell.com/support/onlythebest.shtml
and especially he
http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp
Pest Patrol (free) claims to remove at least some of the about:blank
variants

2) Download AboutBuster, he http://www.malwarebytes.biz/AboutBuster.zip
or he http://www.majorgeeks.com/download4289.html Then, "First unzip

all
files from the zip folder to a folder or your desktop. Start it and hit

ok.
Then hit update. A new screen should popup. On that screen hit Check for
Updates. If it sais it found an update hit Download Updates. If it doesnt

it
will automatically tell you and exit. Now for the scanning part. Hit start
and then Ok. The program should start scanning. Then hit exit and reboot.

Once rebooted run about:Buster once more to make sure everything is ok.
The database will be updated very frequently so check your versions once a
day."

3) Download dllfix.exe and CWShredder from he

http://www.renonce.com/pub/utils/dllfix.exe

and http://209.133.47.200/~merijn/files/CWShredder.exe

or http://www.zerosrealm.com/downloads/CWShredder.zip

or http://downloads.subratam.org/CWShredder.exe

Unzip or install dllfix.exe to its own folder, run it and do options 1 and

2. Now proceed with the Basic Cleaning steps, below.

4) It has been reported that the evaluation version of Panda Software's
Titanium Antivirus 2004, he

http://www.pandasoftware.com/registe...ry=Us&sec=down
will completely remove about:blank. I have not been able to independently
verify this yet, however, so this is AT YOUR OWN RISK. You'll have to give
them some information, and I expect you may want to uncheck some of the
"opt-in" boxes at the bottom just above and below the send button.

Basic Cleaning - Note that this symptom often indicates the possibility of
other malware. You might want go to this page at Jim Eshelman's site,

he
http://aumha.org/a/noads.htm
or he
http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be
patient), while an analysis of a number of possible parasites on your
machine will be made to help you identify and remove them. NOTE: You will
need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad
Blocking software which interferes with Java Scripting for this scan to
work. You should get a message between the two lines of **** giving the
results of the scan.

#########IMPORTANT#########
All of these removal tools should be run from Safe mode when possible.
Reboot and test if the malware is fixed after using each tool.

#########IMPORTANT#########

Download sysclean.com , from Trend Micro, he
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, he http://www.trendmicro.com/download/pattern.asp (You might also
want to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/ ). Place them in a dedicated folder after
appropriate unzipping, and then run. (If you download and use the updater
from the beginning, it will handle downloading the other files.)

For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, he http://www.lavasoftusa.com/support/download/
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get
rid of most "spyware/hijackware" on your machine. If it has to fix things,
be sure to re-boot and rerun AdAware again and repeat this cycle until you
get a clean scan. The reason is that it may have to remove things which

are
currently "in use" before it can then clean up others.

Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the

gear
wheel at the top and check these options to configure Ad-aware for a
customized scan:

General activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"

Scanning activate these: "Scan within archives", "Scan active

processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"

Tweaks Scanning Engine activate this: "Unload recognized processes

during
scanning."

Tweaks Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."

Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found,

click
"Next." The bad files will be listed. Right click the pane and click

"Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"

Another excellent program for this purpose is SpyBot Search and Destroy
available he http://security.kolla.de/ SpyBot Support Forum he
http://www.net-integration.net/cgi-b.../ikonboard.cgi . I recommend
using both normally. After UPDATING and fixing ONLY RED things with SpyBot
S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until
you get a clean "no red" scan. The reason is that SpyBot sometimes has to
remove things which are currently "in use" before it can then clean up
others.

Note that sometimes you need to make a judgment call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm

A currently common parasite is some malware called CoolWebSearch. Do the
following:

Download, UPDATE before running, and run:
http://209.133.47.200/~merijn/files/CWShredder.exe to remove the

parasite.
Be sure to close all instances of IE and OE. You may also get it here if
that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip

There's a good tutorial about CWS and using CWShredder he
http://www.bleepingcomputer.com/foru...rial=47#domain


BE SURE that you get v.159.0.1 or later!

You will need to show Hidden files first and then at the end clear the
malware garbage from your System Restore backups after you've cleaned up.
It's best to perform CWShredder (and most other malware fixers too) from
Safe mode and then reboot. AFTER cleaning things up, then you can disable
and then re-enable System Restore. See ******** below.

The following links give instructions on how to do these various

functions:


HOW TO Restart in Safe Mode
http://service1.symantec.com/SUPPORT...01052409420406

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT...02092715262339

HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or
use the suggested procedure for XP at the ******'s)
http://service1.symantec.com/SUPPORT...01111912274039
(WinXP)
http://service1.symantec.com/SUPPORT...01012513122239
(WinME)

Then download and run:
http://www.kellys-korner-xp.com/regs.../iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Now download and run:
http://www.kellys-korner-xp.com/regs...oreSearch2.REG
to restore your search functions if they've been affected (as they

probably
will have
been).

Be sure that you also download and install hotfix Q816093, he

http://support.microsoft.com/?kbid=816093
which blocks the exploit upon which this parasite family depends.

If they don't fix it then start he

Download HijackThis, free, he
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:

http://www.majorgeeks.com/downloadge...8baee6434cfc13


In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, he
http://216.180.233.162/~swicom/forums/

or Net-Integration he

http://www.net-integration.net/cgi-b...ST;f=27;t=6949

or Tom Coyote he http://forums.tomcoyote.org/index.php?act=idx

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).

*******
ONLY IF you've successfully eliminated the malware, you can now make a

new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For

XP
you can run a Disk Cleanup cycle and then look in the More Options tab.

The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually

create
one before dumping the old possibly infected ones.
*******

Once you get this cleaned up, you might want to consider installing Eric
Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the futu

IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD

adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully.

http://www.javacoolsoftware.com/spywareblaster.html
(Prevents malware Active X installs) (BTW, SpyWareBlaster is not memory
resident ... no CPU or memory load - but keep it UPDATED) The latest

version
as of this writing will
prevent installation or prevent the malware from running if it is already
installed, and it provides information and fixit-links for a variety of
parasites.

http://www.javacoolsoftware.com/spywareguard.html
(Monitors for attempts to install malware) Keep it UPDATED. All three

Very
Highly Recommended.
Finally, go to Windows Update and ensure that ALL Critical updates are
installed.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP


"seborn" wrote in message
...
Has anyone dealt with the "About Blank Virus"
and can share info on how to get rid of it?
I'm using windows xp.
thanks





 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
What is connected to which? kiadau New Users to Windows XP 7 February 14th 07 09:02 PM
how to download virus def to discs The Aussie Girl Windows XP Help and Support 13 March 12th 05 01:19 AM
Turning off virus protection in Security entre Geordie General XP issues or comments 8 February 28th 05 06:30 AM
dealing with the after effects fo a VIRUS sirius Security and Administration with Windows XP 1 February 22nd 05 09:43 AM
New XP Virus? XPUSER8711 Security and Administration with Windows XP 2 February 21st 05 05:49 PM






All times are GMT +1. The time now is 11:08 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.