CWS & about.blank return


david

A friend with winxp has about.blank and CWS on her computer. In safe mode I
turned off restore and ran CWShredder 1.59. It only found 6 IE pages to
restore. Then HiJackThis and only found two questionable items to remove.
Then ran stinger. It found no problems. Ran SBS&D 1.3 and Ad-Aware. Fixed
everything they found. Went to Internet options and fixed the home page.
Installed MVP HOSTS and SpyWareBlaster 3.1. Rebooted and things looked OK.
Home page is MSN and she uses hotmail. Disconnected and reconnected several
times and without problems.

Then I went to Google and searched for a model airplane. SBS&D teatimer
popped up with requests to change the homepage and to install a BHO. I
denied both of them. Disconnected from the internet and ran SBS&D and
Ad-Aware. Spybot did not find anything but Ad-Aware found 9 problems. Fixed
those and tried again. Same things happened but this time the Ad-Aware
errors grew to 12. Fixed these and booted to Safe Mode. Ran CWShredder but
it did not find and fix anything. Ran HiJackThis but there were no new
entries. Rebooted and tried the internet and search again. Same thing
happened. We did look at a few more sites and had a few more teatimer
pop-ups that were denied. The Ad-Aware scan this time found 16 problems; two
to change the homepage and the rest for CWSearch.

How can I resolve this? Please do not imply that we are surfing porn. She
says that she does not do that. I only went to google and the last search
used MSN search.

David
 
With the System Restore feature disabled and running CoolWeb Shredder,
Spybot Search and Destroy and Ad-aware, as well as using HiJack This! and
Spyware Blaster, you shouldn't be seeing anything at all on the system.
When I run my copies of Ad-aware, Spybot S & D and Spyware Blaster the only
returns I get are in Ad-aware, which finds the same adware in the same
places every time I scan. They are more or less harmless additions to the
cookies that are loaded on my system every time I visit the same sites. I
just delete them with each scan. I have not had a hit on Spybot in over six
weeks. Spyware Blaster identifies the same pieces of adware/spyware as
Ad-aware so I simply delete them. Like you, I keep my security applications
updated meticulously. I also run Zone Alarm Pro for my firewall and AVG
Anti-Virus for my virus scanner. AVG has not found a virus in over two
years!

I don't open attachments in emails, even from people I know. I am always
protected by Zone Alarm Pro and I have the security settings in Internet
Explorer set to medium. When I get questionable emails on my Hotmail,
Excite or Yahoo! accounts I delete them without opening them first.

I am sorry that I can't be of much help, but you are doing everything you
should be doing to secure your friend's system. Maybe one of the
"old-timers" in the group can help you out. The veterans here are very
good. Good luck!
 
Check your system for "hijackware":

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm

CoolWebSearch Chronicles
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run these tools in the following order with nothing else running in
background:

1. CWShredder (fix all found)

2. Ad-Aware (fix all found)

3. Spybot (RTFM but generally fix everything in red)

Important: You *must* seek updates for Ad-Aware, Spybot, etc., before each
and every use, even "right out of the box". But even they can't catch
everything, 24/7. When all else fails, HijackThis
(http://www.spywareinfo.com/~merijn/files/HijackThis.exe) is the preferred
tool to use. It will help you to both identify and remove any
hijackware/spyware. **Post your files to http://forums.spywareinfo.com/ or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

Also:

1. Download and run Stinger (http://vil.nai.com/vil/stinger/); then...

2. Update your virus definitions, enable Show Hidden Files
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
and then run a full system scan in Safe Mode
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
with nothing else running in background.

WinXP Only (WinME similar): If this scan finds anything, create a new
Restore Point then Disk Cleanup > More options > Delete all but the most
recent Restore Point.

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957
--
HTH - Please Reply to This Thread

~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

AumHa Forums
http://forum.aumha.org

What You Should Know About Spyware
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx
 
Hi David - you might want to consider installing the SpywareBlaster and
SpywareGuard here to help prevent this kind of thing from happening in the
future:

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


Finally, go to Windows Update and ensure that ALL Critical updates are
installed.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP


