MS Antispyware doesn't remove about:blank spybot.


W

wpostma

We have a machine which contains spyware which can't be
removed by MS ANTISPYWARE BETA 1. Every time MS
ANTISPYWARE runs it finds the following three spyware
bits:



Trojan.intell32 Trojan more information...
Status: Removed
Severe threat - Severe-risk items have an extreme
potential for harm, such as a security exploit, and
should be removed.

Infected files detected
c:\system volume information\_restore{eabcab45-42a4-472a-
8674-85ad723a5f23}\rp232\a0017918.exe


Transponder.ABetterInternet.Aurora Adware more
information...
Status: Removed
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUs3t5icky4S 1-
6542:3:224.355-159623:2:224.271
HKEY_CURRENT_USER\Software\aurora AUE3v5nt 0
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSBath 10000
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSysSInf 2000
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSCheckSIn 45
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSMots 100
HKEY_CURRENT_USER\Software\aurora AUL3n5Title 60
HKEY_CURRENT_USER\Software\aurora AU3N5a7tionSCode CA
HKEY_CURRENT_USER\Software\aurora AUD3s5tSSEnd '>-
,ÀÀÍZ^ÌZ^"~Á-Àfݾ?Üo>o
HKEY_CURRENT_USER\Software\aurora AUC3u5rrentSMode 1
HKEY_CURRENT_USER\Software\aurora AUC3n5trMsgSDisp 50
HKEY_CURRENT_USER\Software\aurora AUC3n5tFyl 0
HKEY_CURRENT_USER\Software\aurora AUM3o5deSSync 9
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUL3a5stSSChckin 5701
HKEY_CURRENT_USER\Software\aurora AUL3a5stMotsSDay 12
HKEY_CURRENT_USER\Software\aurora AUP3D5om .?"-
^?'?",<^YÌ'Y
HKEY_CURRENT_USER\Software\aurora AUB3D5om >??ZS>">??"S-
ÜT?ZTf<T?Á?.
HKEY_CURRENT_USER\Software\aurora AUs3t5icky1S lstlogdt%
3D20050812%26cntp%3Ddialup%26
HKEY_CURRENT_USER\Software\aurora AUs3t5icky2S fstcidt%
3D1123893142593%26
HKEY_CURRENT_USER\Software\aurora AUs3t5icky3S 1-
1123842314-9749:337729:9125:78786:11252:2592000-
59897:164987


PowerReg Scheduler Potentially Unwanted Software more
information...
Details: PowerReg Scheduler is a registration system used
by some legitimate software programs.
Status: Quarantined
Moderate threat - Moderate-risk items have some potential
for harm, but may be part of a wanted service. Users may
decide to ignore such programs after review.

Infected files detected
c:\system volume information\_restore{eabcab45-42a4-472a-
8674-85ad723a5f23}\rp234\a0018015.exe


Detected Spyware Cookies
No spyware cookies were found during this scan.

I re-run the scan and it finds them all over again.

It appears from reading on the web we have the
about:blank spyware on this system and others. It changes
the IE homepage to about:blank, and pops up ads, and
other stuff. Even after latest MS ANTISPY updates, it
can't remove this. It removes them, then we scan again,
and they are immediately back. There is a random-letter
named exe that when killed from the task manager, it
immediately respawns and renames itself. Nothing is
found in any Norton Anti-Virus scans. We're stumped.
The only info on removing the ABOUT:BLANK we can find on
the web is from dodgy sources.


Warren
 
Ad

Advertisements

R

Ron Chamberlin

Hi,
Let's start the easy way here.

First and foremost, under your present circumstances, go to Control Panel
and shut off System Restore* for a bit. That appears, from your posting, to
be where most of the junk is residing.

If you can get it on the machine, CCCleaner may help in your case.

Reboot into Safe Mode (F8 at startup), empty your temp and temp internet
folders, and do a full scan.

Let us know how you make out, and then you can start boxing around the nail,
ABI issue.


Ron Chamberlin
MS-MVP


*just to clarify that I don't usually kill off System Restore at this stage
of the chase, but if it's clearly acting as a hideout for critters, it's
getting closed for a bit.
..
We have a machine which contains spyware which can't be
removed by MS ANTISPYWARE BETA 1. Every time MS
ANTISPYWARE runs it finds the following three spyware
bits:



Trojan.intell32 Trojan more information...
Status: Removed
Severe threat - Severe-risk items have an extreme
potential for harm, such as a security exploit, and
should be removed.

Infected files detected
c:\system volume information\_restore{eabcab45-42a4-472a-
8674-85ad723a5f23}\rp232\a0017918.exe


Transponder.ABetterInternet.Aurora Adware more
information...
Status: Removed
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUs3t5icky4S 1-
6542:3:224.355-159623:2:224.271
HKEY_CURRENT_USER\Software\aurora AUE3v5nt 0
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSBath 10000
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSysSInf 2000
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSCheckSIn 45
HKEY_CURRENT_USER\Software\aurora AUT3h5rshSMots 100
HKEY_CURRENT_USER\Software\aurora AUL3n5Title 60
HKEY_CURRENT_USER\Software\aurora AU3N5a7tionSCode CA
HKEY_CURRENT_USER\Software\aurora AUD3s5tSSEnd '>-
,ÀÀÍZ^ÌZ^"~Á-Àfݾ?Üo>o
HKEY_CURRENT_USER\Software\aurora AUC3u5rrentSMode 1
HKEY_CURRENT_USER\Software\aurora AUC3n5trMsgSDisp 50
HKEY_CURRENT_USER\Software\aurora AUC3n5tFyl 0
HKEY_CURRENT_USER\Software\aurora AUM3o5deSSync 9
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUL3a5stSSChckin 5701
HKEY_CURRENT_USER\Software\aurora AUL3a5stMotsSDay 12
HKEY_CURRENT_USER\Software\aurora AUP3D5om .?"-
^?'?",<^YÌ'Y
HKEY_CURRENT_USER\Software\aurora AUB3D5om >??ZS>">??"S-
ÜT?ZTf<T?Á?.
HKEY_CURRENT_USER\Software\aurora AUs3t5icky1S lstlogdt%
3D20050812%26cntp%3Ddialup%26
HKEY_CURRENT_USER\Software\aurora AUs3t5icky2S fstcidt%
3D1123893142593%26
HKEY_CURRENT_USER\Software\aurora AUs3t5icky3S 1-
1123842314-9749:337729:9125:78786:11252:2592000-
59897:164987


PowerReg Scheduler Potentially Unwanted Software more
information...
Details: PowerReg Scheduler is a registration system used
by some legitimate software programs.
Status: Quarantined
Moderate threat - Moderate-risk items have some potential
for harm, but may be part of a wanted service. Users may
decide to ignore such programs after review.

Infected files detected
c:\system volume information\_restore{eabcab45-42a4-472a-
8674-85ad723a5f23}\rp234\a0018015.exe


Detected Spyware Cookies
No spyware cookies were found during this scan.

I re-run the scan and it finds them all over again.

It appears from reading on the web we have the
about:blank spyware on this system and others. It changes
the IE homepage to about:blank, and pops up ads, and
other stuff. Even after latest MS ANTISPY updates, it
can't remove this. It removes them, then we scan again,
and they are immediately back. There is a random-letter
named exe that when killed from the task manager, it
immediately respawns and renames itself. Nothing is
found in any Norton Anti-Virus scans. We're stumped.
The only info on removing the ABOUT:BLANK we can find on
the web is from dodgy sources.


Warren
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top