Homepage hijack - blank.mht

Guest

I have been infected with the dreaded about:blank. Running XP home edition
SP1 and using McAfee virus software. Symptoms are:
1. Every logon when the Explorer shell comes up, the virus puts a rogue
blank.mht file in c:windows. This can be deleted but gets put back every
fresh logon. It is used when the virus activates, to populate the pop-up.
2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start"
are always corrupted so my home page is hijacked. I have written a "reg"
file to correct the registry so I can continue more or less as normal, but I
am no nearer to a final fix.
Anyone got a clue about this please?
(Lots of hits on Google but they all seem to want to sell something - who
knows they may even be in partnership with the virus writer!!!)
I
 
Guest

mathsgames said:
I have been infected with the dreaded about:blank. Running XP home edition
SP1 and using McAfee virus software. Symptoms are:
1. Every logon when the Explorer shell comes up, the virus puts a rogue
blank.mht file in c:windows. This can be deleted but gets put back every
fresh logon. It is used when the virus activates, to populate the pop-up.
2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start"
are always corrupted so my home page is hijacked. I have written a "reg"
file to correct the registry so I can continue more or less as normal, but I
am no nearer to a final fix.
Anyone got a clue about this please?
(Lots of hits on Google but they all seem to want to sell something - who
knows they may even be in partnership with the virus writer!!!)
I

Hi,
Try to see if your Connections/DNS Server is hijacked by this viral
malware. To do that, right click on your Internet Connection and select
Properties, then click on the Networking tab, highlight TCP/IP and click the
Properties button.
On the TCP/IP Properties window under the General tab, see if your IP is set to
automatic or set to static, and check your DNS settings.
Normally the malware will issue the IP address from the range 62.255.112.201 -
82.234.112.201, some odd IPs; try to remove them, and if you use a DNS, get it
from your ISP provider.
Also click on the Advanced button and see the DNS, WINS settings there.
Here are a lot of answers for hijacked homepages:
http://www.microsoft.com/communitie...&pt=&catlist=&dglist=&ptlist=&exp=&sloc=en-us
HTH.
Please let us know, as your feedback helps others.
Thank you.
Regards,
nass
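nass's suggestion above is a manual walk through the TCP/IP properties dialog. The same check can be done from the output of `ipconfig /all`, which is easier to capture and compare against a known-good baseline. The Python below is an added example, not something posted in the thread: it parses the adapter sections of `ipconfig /all` output and reports any DNS server that is not on the administrator's expected list, plus any adapter that has been switched to a static configuration. The sample output, the `EXPECTED_DNS` set and the function names are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `ipconfig /all` output from a Windows XP machine
# (not a real capture); the second DNS server is the one to worry about.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XPHOME
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic Ethernet Adapter
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# Resolvers the administrator expects on this network (constructed for the
# example: the home router and the ISP's resolver). Anything else is a finding.
EXPECTED_DNS = {"192.168.1.1", "198.51.100.10"}

_ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")
# "Label . . . . : value" lines; the label is followed by dot padding
_FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")
# extra values of a multi-valued field (e.g. a second DNS server) are
# printed on their own deeply indented line
_CONT_RE = re.compile(r"^\s{20,}(\S+)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse `ipconfig /all` output into {adapter name: {label: [values]}}."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_field = None
            continue
        if current is None:
            continue  # host-level header lines before the first adapter
        m = _FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current][last_field] = [value] if value else []
            continue
        m = _CONT_RE.match(line)
        if m and last_field:
            adapters[current][last_field].append(m.group(1))
    return adapters


def _first(fields: Dict[str, List[str]], label: str, default: str = "") -> str:
    values = fields.get(label) or []
    return values[0] if values else default


def audit_dns(adapters: Dict[str, Dict[str, List[str]]],
              expected=EXPECTED_DNS) -> List[str]:
    """Report static configurations and DNS servers outside the expected set."""
    findings: List[str] = []
    for name, fields in adapters.items():
        if _first(fields, "Dhcp Enabled", "Yes").lower() != "yes":
            findings.append(
                f"{name}: static IP configuration ({_first(fields, 'IP Address', '?')})")
        for server in fields.get("DNS Servers", []):
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append(f"{name}: unparseable DNS server entry {server!r}")
                continue
            if server not in expected:
                findings.append(f"{name}: unexpected DNS server {server}")
    return findings


if __name__ == "__main__":
    for finding in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(finding)
```

On a real machine, save the output with `ipconfig /all > ipconfig.txt`, read that file in place of `SAMPLE_IPCONFIG`, and fill `EXPECTED_DNS` with the resolvers your ISP or router actually hands out; a resolver you do not recognise is worth investigating before anything else, since every name lookup on the machine goes through it.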
 
Rock

mathsgames said:
I have been infected with the dreaded about:blank. Running XP home edition
SP1 and using McAfee virus software. Symptoms are:
1. Every logon when the Explorer shell comes up, the virus puts a rogue
blank.mht file in c:windows. This can be deleted but gets put back every
fresh logon. It is used when the virus activates, to populate the pop-up.
2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start"
are always corrupted so my home page is hijacked. I have written a "reg"
file to correct the registry so I can continue more or less as normal, but
I
am no nearer to a final fix.
Anyone got a clue about this please?
(Lots of hits on Google but they all seem to want to sell something - who
knows they may even be in partnership with the virus writer!!!)


http://www.elephantboycomputers.com/page2.html#Removing_Malware

Your best choice might be to run HijackThis and post the log to one of the
specialty forums for it, not this one.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/
 
David H. Lipman

From: "mathsgames" <[email protected]>

| I have been infected with the dreaded about:blank. Running XP home edition
| SP1 and using McAfee virus software. Symptoms are:
| 1. Every logon when the Explorer shell comes up, the virus puts a rogue
| blank.mht file in c:windows. This can be deleted but gets put back every
| fresh logon. It is used when the virus activates, to populate the pop-up.
| 2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start"
| are always corrupted so my home page is hijacked. I have written a "reg"
| file to correct the registry so I can continue more or less as normal, but I
| am no nearer to a final fix.
| Anyone got a clue about this please?
| (Lots of hits on Google but they all seem to want to sell something - who
| knows they may even be in partnership with the virus writer!!!)
| I
| --
| mathsgames



If you are using any version of Sun Java that is prior to JRE Version 5.0 update 10,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 5.0 Update 10

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.5.0_10

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Guest

Thanks to all who replied. My Java in c:\programs\java - one folder only -
is j2re1.4.2_03 so I guess this is ok.
My own internet traffic - via AOL - works fine. So I guess my normal IP
addressing is working - and all my DNS / URL stuff works.
One extra symptom of this virus -- it seems to have a clock wakeup - after
about 10 mins of "normal" internet work up pops the rogue window claiming to
have some top value anti virus software at a killer price. Once I have
removed the rogue mht file and Registry entries all works fine again -- until
another ten minutes have passed. Does this extra info ring any bells
please??

--
mathsgames


David H. Lipman said:
From: "mathsgames" <[email protected]>

| I have been infected with the dreaded about:blank. Running XP home edition
| SP1 and using McAfee virus software. Symptoms are:
| 1. Every logon when the Explorer shell comes up, the virus puts a rogue
| blank.mht file in c:windows. This can be deleted but gets put back every
| fresh logon. It is used when the virus activates, to populate the pop-up.
| 2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start"
| are always corrupted so my home page is hijacked. I have written a "reg"
| file to correct the registry so I can continue more or less as normal, but I
| am no nearer to a final fix.
| Anyone got a clue about this please?
| (Lots of hits on Google but they all seem to want to sell something - who
| knows they may even be in partnership with the virus writer!!!)
| I
| --
| mathsgames



If you are using any version of Sun Java that is prior to JRE Version 5.0 update 10,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 5.0 Update 10

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.5.0_10

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Malke

mathsgames said:
Thanks to all who replied. My Java in c:\programs\java - one folder only
- is j2re1.4.2_03 so I guess this is ok.
My own internet traffic - via AOL - works fine. So I guess my normal IP
addressing is working - and all my DNS / URL stuff works.
One extra symptom of this virus -- it seems to have a clock wakeup - after
about 10 mins of "normal" internet work up pops the rogue window claiming
to have some top value anti virus software at a killer price. Once I have
removed the rogue mht file and Registry entries all works fine again --
until
another ten minutes have passed. Does this extra info ring any bells
please??

I guess you didn't see David Lipman's answer. Follow his instructions. Your
Java is badly outdated and you need to clean up your machine. With the
additional information you've provided, I'd also suggest that you run these
specific removal steps:

http://www.elephantboycomputers.com/page2.html#Smitfraud_Trojan

Malke
 
David H. Lipman

From: "mathsgames" <[email protected]>

| Thanks to all who replied. My Java in c:\programs\java - one folder only -
| is j2re1.4.2_03 so I guess this is ok.
| My own internet traffic - via AOL - works fine. So I guess my normal IP
| addressing is working - and all my DNS / URL stuff works.
| One extra symptom of this virus -- it seems to have a clock wakeup - after
| about 10 mins of "normal" internet work up pops the rogue window claiming to
| have some top value anti virus software at a killer price. Once I have
| removed the rogue mht file and Registry entries all works fine again -- until
| another ten minutes have passed. Does this extra info ring any bells
| please??
|

No, JRE v4 update 3 [ j2re1.4.2_03 ] is NOT OK. It is flawed with vulnerabilities that are
actively being exploited.

It must be removed ASAP via the Control Panel applet "Add/Remove Programs" and v5 update 10
installed to replace it.

Then use the removal tools I suggested, as you are still infected and your vulnerable version
of Sun Java may have been exploited to get you infected.
 
Guest

OK David. I will upgrade my Java and report back. I noticed a proc called
"jusched.exe" in my Startup list. I think this is normally a valid Java
updates scheduler. It may well be timed also. Maybe it is being used by the
Virus.
 
David H. Lipman

From: "mathsgames" <[email protected]>

| OK David. I will upgrade my Java and report back. I noticed a proc called
| "jusched.exe" in my Startup list. I think this is normally a valid Java
| updates scheduler. It may well be timed also. Maybe it is being used by the
| Virus.

"jusched.exe" is valid IF it emanates from a Java 'bin' folder such as;
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
If it is in another location then it could be malware, as malware does use that name to
obfuscate its malicious intent.
 
Guest

Hi David, I have replaced my old Java with J2SE Kit 5.0 update 10 from the
web link you gave. The active proc 'jusched.exe' is sourced in the folder
of the new Java - so that's okay. However the problems still remain:
1. On invocation of the Desktop shell (explorer.exe) the rogue blank.mht
file is still added into the c:windows folder -- every time.
2. There are still pop-ups inviting me to fix probs by downloading software.
One other thing I noticed -- the popups have the big X window close button
greyed out -- of course - why make it easy -- but when I closed one of them
from TaskManager I noticed the rogue task title was:
' http://www.oemtop.com/2/shop.php ' Does this ring any bells??
By the way I looked at your submission on '
http://www.elephantboycomputers.com/page2.html#Smitfraud_Trojan , and noticed
that it leans on McAfee for support. Remember I did say that I have paid
McAfee for real time support (they download new profiles as available) so far
for 2 years and they have protected me until now. I run their virus
checker every evening after business and it often finds something and deletes
it -- but next day this one is back. Grrrrrr.
One thing - do you know which is the correct Registry source for activating
EXPLORER.exe
please?
 
David H. Lipman

From: "mathsgames" <[email protected]>

| Hi David, I have replaced my old Java with J2SE Kit 5.0 update 10 from the
| web link you gave. The active proc 'jusched.exe' is sourced in the folder
| of the new Java - so that's okay. However the problems still remain:
| 1. On invocation of the Desktop shell (explorer.exe) the rogue blank.mht
| file is still added into the c:windows folder -- every time.
| 2. There are still pop-ups inviting me to fix probs by downloading software.
| One other thing I noticed -- the popups have the big X window close button
| greyed out -- of course - why make it easy -- but when I closed one of them
| from TaskManager I noticed the rogue task title was:
| ' http://www.oemtop.com/2/shop.php ' Does this ring any bells??
| By the way I looked at your submission on '
| http://www.elephantboycomputers.com/page2.html#Smitfraud_Trojan , and noticed
| that it leans on McAfee for support. Remember I did say that I have paid
| McAfee for real time support (they download new profiles as available) so far
| for 2 years and they have protected me until now. I run their virus
| checker every evening after business and it often finds something and deletes
| it -- but next day this one is back. Grrrrrr.
| One thing - do you know which is the correct Registry source for activating
| EXPLORER.exe
| please?

What anti-malware scanners have you executed besides the retail McAfee software you already
have?
 
Guest

David, I used to use Spyware Doctor but there were conflicts with McAfee.
For this new problem I have only used McAfee and AOL Spyware protection -
which occasionally finds things. I am reluctant to pick up any other Spyware
because of earlier conflict experience. Repeating my previous Q - can you
please tell me which Registry entry is the official one for bringing up the
desktop shell - EXPLORER.exe?
Thank you.
 
David H. Lipman

From: "mathsgames" <[email protected]>

| David, I used to use Spyware Doctor but there were conflicts with McAfee.
| For this new problem I have only used McAfee and AOL Spyware protection -
| which occasionally finds things. I am reluctant to pick up any other Spyware
| because of earlier conflict experience. Repeating my previous Q - can you
| please tell me which Registry entry is the official one for bringing up the
| desktop shell - EXPLORER.exe?
| Thank you.
|

So you haven't used SpyBot S&D, Ad-aware SE, SuperAntiSpyware or any of the scanners within
the Multi AV Scanning Tool.

I *WANT* you to do the above ASAP !


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe
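Taken together, the thread gives three things a defender would want to check on this machine: the Internet Explorer "Start", "Search" and "Local" page values the original poster keeps repairing with a .reg file, whether jusched.exe is running from a Java 'bin' folder as David describes, and the Winlogon Shell value he quotes directly above. The Python below is an added example, not anything posted in the thread: it parses a regedit export (`regedit /e` of the two keys) and reports values that depart from a recorded baseline. The sample export, the baseline values in `EXPECTED_IE` and the function names are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a regedit export (not a real capture from the thread):
# the Internet Explorer values show the hijacked state the poster describes,
# the Winlogon "Shell" value is still the genuine one David quotes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="http://search.example.invalid/hijack"
"Local Page"="C:\\WINDOWS\\blank.mht"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

IE_MAIN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Baseline an administrator would record from a known-clean machine.
# These values are constructed for the example; substitute your own.
EXPECTED_IE = {
    "Start Page": "http://www.example.com/",
    "Search Page": "http://www.example.com/search",
    "Local Page": r"C:\WINDOWS\system32\blank.htm",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines; both sides may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the backslash escaping regedit applies inside string values."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the named REG_SZ values of a .reg export into {key: {name: value}}.

    Key paths are lower-cased because registry key names are case-insensitive;
    DWORD and binary values are ignored, which is enough for this audit.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per value that departs from the baseline."""
    findings: List[str] = []
    main = reg.get(IE_MAIN.lower(), {})
    for name, expected in EXPECTED_IE.items():
        actual = main.get(name)
        if actual is None:
            continue  # value absent: IE falls back to its built-in default
        if actual.lower() != expected.lower():
            findings.append(f'IE Main "{name}" = {actual!r} (baseline {expected!r})')
        if actual.lower().endswith(".mht"):
            findings.append(f'IE Main "{name}" points at an .mht file: {actual!r}')
    shell = reg.get(WINLOGON.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f'Winlogon "Shell" = {shell!r}, expected "explorer.exe"')
    return findings


# jusched.exe is expected only inside a Java 'bin' folder, e.g.
# C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe (the path David gives)
_JUSCHED_RE = re.compile(
    r"^C:\\Program Files\\Java\\[^\\]+\\bin\\jusched\.exe$", re.IGNORECASE
)


def jusched_path_is_expected(path: str) -> bool:
    """True only when jusched.exe runs from a Java 'bin' folder."""
    return _JUSCHED_RE.match(path.strip().strip('"')) is not None


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
    print(jusched_path_is_expected(r"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"))
    print(jusched_path_is_expected(r"C:\WINDOWS\system32\jusched.exe"))
```

Run against the sample, the audit flags all three Internet Explorer values (and separately notes that "Local Page" points at an .mht file, the symptom the poster describes) while the Winlogon Shell value passes. Exporting the two keys right after logon and again ten minutes later, when the pop-up appears, and diffing the two reports shows exactly which values the malware rewrites, which is more useful to the scanner forums than a description of the symptom.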
 
