MVPS Spoof Detection Not Working for MSN Sites?


ggull

To see if IE is really where the addressbar claims, the mvps.org site
suggested I paste the following into the addressbar and press enter (or
click on go):

javascript:alert("The real URL of this site is: " + location.protocol + "//" + location.hostname + "/");

For most sites, IE asks if it can run a script, which I allow, and it
displays a box with
"The real URL of this site is:" <whatever>

Now something keeps resetting my home page to msn.com, but when I try this I
*don't* get asked if it's ok to run the script, and I get a "This page
cannot be displayed" error.

I did try going to msn.com explicitly (with ctrl-O) and have the same
symptom.

(Somebody also seems to have reset a search function I accidentally invoked
to search.msn.com, and the spoof detect has the same result.)

So --

1) Is this just what msn.com sites do? If so, is there some way to see if
my mystery home page really IS msn.com, or something more sinister?

2) This has been happening for a few weeks, not every time I boot but often
enough to be a nuisance even if it's safe. Is there any way to turn this
off permanently? I keep turning it off in Tools / Internet Options, but it
keeps coming back like bad pizza. I checked the startup tab in msconfig and
I don't think there's anything suspicious or new, but it's been a while
since I looked at it seriously. SSDPSRV ? *StateMgr ?
 

Jan Il

Hi ggull :)

ABOUT:BLANK

This is a new, very nasty variant of about: blank, for which a cleaning
process has just recently been found that seems to work. Methods that
previously removed it have *not* had any effect on it, so far. This process
is new, and has been extensively tested, but, thus far has helped clean the
virus. You may use at your own risk ... hopefully, these 2 tools do the job.
Follow all instructions carefully.

about:blank
http://www.atribune.org/downloads/AboutBuster.zip
or
http://tools.zerosrealm.com/AboutBuster.zip

Also download, install and immediately update the two programs below:

SpyBot Search & Destroy: Free
http://download.com.com/3000-8022-10289035.html?tag=lst-0-2

AdAware: Free
http://www.lavasoftusa.com/support/download/
HOW TO: Reconfigure Ad-aware for a Full Scan
http://forum.aumha.org/viewtopic.php?t=5877

You should also install and run a HiJackThis log and have it analyzed at the
sites provided.

HiJackThis:

Unzip the Download file in a NEW FOLDER that you can create before you start
the download.
DO NOT install in your Desktop folder.
DO NOT use any of the TEMP folders that are presently in your computer.
Double-click "HijackThis.exe" and Press "Scan".

Go to:
http://computercops.biz/downloads-cat-14.html ,
or
http://www.aumha.org/a/parasite.php#hjt
(If you get a 404 error or Access denied, try:
http://216.180.252.218/~spywareinfo.com/downloads/tools/hijackthis.zip)

and download HiJackThis to the new folder. Unzip to a folder other than your
Desktop or the Temp folder, doubleclick HiJackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button. Press that, save the log some place you remember where it is.
Most of what it lists will be harmless or even required, so DO NOT fix
anything yet.

Open the copy of your log in NotePad and make a copy. Then you can go to one
of the following to post your log:

<<PLEASE DO NOT POST YOUR LOG FILE TO THIS NEWSGROUP>>

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://forums.tomcoyote.org/index.php?act=idx

You will need to register to open a new thread to post your log. It is free,
and no one will Spam you, it is one of many that provides this service. Once
registered, go to the HiJackThis section on the forum list and click to
open. Then start a new post and post your log. The experts there will
analyze the log and report back the results. Please allow at least a few
hours or a day's time for a response, depending on when you post the log.

Remember, you must return to the HJT site to get your answer. It is a good
idea to click the "Notify" box so that you will get an electronic
notification by e-mail to let you know when a response has been posted.
But, you must still return to the site of your answer

HJT Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

Security tips and other useful information at
http://mvps.org/winhelp2002/unwanted.htm

Also see:

Aboutblank - for Win2K
http://www.akadia.com/services/about_blank_virus.html

RegLite - Use for About blank Registry removal
http://www.resplendence.com/download/reglite.

More information here:
http://www.dbforums.com/showthread.php?s=2872cacc649d4de00da42adf6d8a3303&p=3693696#post3693696

Hope this helps.

Jan :)

Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit of other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 

ggull

Thanks again, Jan.
I hope this weekend gives me a chance to try out the malware tools you gave
in your reply, make sure I've got the latest install of windows and ie, etc.
But I think the symptom I posted and you seem to be replying to ... that my
browser kept getting reset to msn.com ... is a confusion, not an infection.
Your mentioning about:blank was the clue that helped me figure this out:

1) I had changed my home page in Tools/Internet Options, with the "use
Blank" button. I do this mainly since I'm on a slow dialup (not that msn or
any such generic site would be my choice anyway).
2) I periodically scan with AdAware, as I mentioned, and after an update got
a couple of seemingly innocuous "objects" in my registry that involved
"about : blank". I quarantine and remove them.
3) Later, when I start IE, gosh darn it but it goes directly to msn.com,
instead of the blank page.
4) I reset the home page, and all goes well.
5) Sometime later I re-scan with AdAware ...
5a) Go to step 2 and repeat endlessly.

This doesn't happen all in quick succession, so I didn't notice the
causative cycle.

The missing info is what AdAware (or IE) does when you "remove" these
flagged registry entries, and what IE does when you set the home page.
They're apparently the lines that set the home page to about : blank, and
when they're removed IE uses the default ... which is msn.com.
When I then reset my home page to blank, that puts those lines back in the
registry, and the cycle continues.

I guess AdAware scans for references to "about : blank" and flags those, but
isn't smart enough to see what's being done with them. It does the same
thing with the MVPS Hosts file, just noticing that a naughty site is
mentioned in a line, and not recognizing that the line is telling the
browser to avoid the naughty site.

For the while, I've set my home page to an arbitrary html file on my own
computer. This way if I'm actually hijacked I can be sure that's what's
happening, but all seems cool so far.

gg
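The distinction ggull draws above, that a scanner which merely notices a bad site named in a line cannot tell a blocking entry from a hijacking one, can be made mechanically. This added example (not code from the thread or from any of the tools it names) classifies hosts-file lines: names pointed at the local machine are blocks, MVPS style, while a name pointed at some other address is a redirect worth a closer look. The sample hosts content is constructed.

```python
import ipaddress

# Constructed sample hosts file: MVPS-style block entries plus one
# redirect-style entry that sends a legitimate name to a foreign host.
SAMPLE_HOSTS = """\
# block entries: the name resolves to this machine, so the browser
# never reaches the listed site
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test
127.0.0.1 banners.example-adserver.test counters.example-adserver.test
# redirect entry: a well-known name pointed somewhere else entirely
203.0.113.7 www.example-bank.test
"""


def classify_hosts(text):
    """Return (hostname, address, verdict) for every active hosts entry.

    verdict is 'standard' for localhost itself, 'block' when the address
    is loopback or unspecified (0.0.0.0, 127.x, ::1), else 'redirect'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; ignore
        for name in fields[1:]:  # a line may list several names
            if name == "localhost":
                verdict = "standard"
            elif addr.is_loopback or addr.is_unspecified:
                verdict = "block"
            else:
                verdict = "redirect"
            entries.append((name, str(addr), verdict))
    return entries


def suspicious_entries(text):
    """Only the redirect-style entries: these, not block entries, merit alarm."""
    return [e for e in classify_hosts(text) if e[2] == "redirect"]
```

Run it over a real `%SystemRoot%\System32\drivers\etc\hosts` file and only the 'redirect' rows need explaining; a long list of 'block' rows is what an MVPS hosts file is supposed to look like.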
 

Jan Il

Hi ggull :)
Thanks again, Jan.
I hope this weekend gives me a chance to try out the malware tools
you gave in your reply, make sure I've got the latest install of
windows and ie, etc. But I think the symptom I posted and you seem to
be replying to ... that my browser kept getting reset to msn.com ...
is a confusion, not an infection. Your mentioning about:blank was the
clue that helped me figure this out:

1) I had changed my home page in Tools/Internet Options, with the "use
Blank" button. I do this mainly since I'm on a slow dialup (not that
msn or any such generic site would be my choice anyway).
2) I periodically scan with AdAware, as I mentioned, and after an
update got a couple of seemingly innocuous "objects" in my registry
that involved "about : blank". I quarantine and remove them.
3) Later, when I start IE, gosh darn it but it goes directly to
msn.com, instead of the blank page.
4) I reset the home page, and all goes well.
5) Sometime later I re-scan with AdAware ...
5a) Go to step 2 and repeat endlessly.

This doesn't happen all in quick succession, so I didn't notice the
causative cycle.

The missing info is what AdAware (or IE) does when you "remove" these
flagged registry entries, and what IE does when you set the home page.
They're apparently the lines that set the home page to about : blank,
and when they're removed IE uses the default ... which is msn.com.
When I then reset my home page to blank, that puts those lines back
in the registry, and the cycle continues.

I guess AdAware scans for references to "about : blank" and flags
those, but isn't smart enough to see what's being done with them. It
does the same thing with the MVPS Hosts file, just noticing that a
naughty site is mentioned in a line, and not recognizing that the
line is telling the browser to avoid the naughty site.

For the while, I've set my home page to an arbitrary html file on my
own computer. This way if I'm actually hijacked I can be sure that's
what's happening, but all seems cool so far.

Very good work! That would tend to fit with what is happening. The
about:blank uses the default about:blank to do its dirty work, so you are
most likely correct in that Adaware may now be wiping these homepage
settings as part of the cleaning process. I suppose it is one more of the
ills that goes with a cure. As most do not use the about:blank, they
probably do not notice the relation between the two factors. This may also
shed some light on why some who do use it as well, are still seeing such
events on a clean machine. Thereby, creating a state of confusion on both
ends of the dilemma. It will be very interesting to see what comes about
after running the rest of the programs and doing the HiJackThis.

Just to let you know, I will be leaving for vacation early tomorrow morning,
but, if you need help then, LuckyStrike will be looking out for those who
may still be in need of help, and there are a lot of others here that will
also be keeping an eye out. Just so you will know if I don't respond. But,
please do let us know what the outcome of this is and your findings. I will
be back checking when I return. But, I will be checking things today. :)

Good luck!

Jan :)

Smiles are meant to be shared,
that is why they are so contagious.
 

ggull

Just to let you know, I will be leaving for vacation early tomorrow morning,
but, if you need help then, LuckyStrike will be looking out for those who
may still be in need of help, and there are a lot of others here that will
also be keeping an eye out. Just so you will know if I don't respond. But,
please do let us know what the outcome of this is and your findings. I will
be back checking when I return. But, I will be checking things today. :)

Dust off your angel wings, and have a good and safe time, Jan.
I doubt I'll post again today, but I will when I have anything negative or
positive to report.
I'm not too panicked -- if there is something ginchy going on, it's been so
for a while, and any horrid damage is done. And I don't type in a lot of
info useful to spybot masters, like credit cards.

cheers,
gg
 

Jan Il

Hi ggull :)

Here is some more information on the AdAware situation, and I thought I'd
pass it on in case you have not tried this yet.

=============================
Courtesy of Steve Wechsler - MS MVP

When AdAware is done scanning one can select to add about:blank to the
Ignore list by right clicking the entry in the list. If one does not do
this when you go to the next step it WILL reset the home page.
=================================

I thought if you have not tried this yet, you might see if it will stop
AdAware from resetting the homepage.

Hope this helps.

Jan :)

Smiles are meant to be shared,
that is why they are so contagious.
 

ggull

Thanks, it's a good idea and I had actually thought of it (or run across the
suggestion) -- I decided to go the other route, putting in an arbitrary
local url as homepage, just in case something hostile is messing with
about:blank.

This way, I will *know* something is snarky if the homepage gets reset or
AdAware starts finding "about:blank" in my registry. And what the heck, it
takes maybe a second to load from my own HD, as opposed to a minute or so
from MSN.
 

Jan Il

Hi ggull :)
Dust off your angel wings, and have a good and safe time, Jan.
I doubt I'll post again today, but I will when I have anything
negative or positive to report.
I'm not too panicked -- if there is something ginchy going on, it's
been so for a while, and any horrid damage is done. And I don't type
in a lot of info useful to spybot masters, like credit cards.

Thank You!

I know I am leaving you in very good hands, and that you'll get this
resolved soon. Thank you for all your patience and hard work. :)

Jan :)
 

Jan Il

Hi ggull :)

Here is the information on the AdAware situation with the homepage, so maybe
this will shed a bit more light on this issue for you.

Hope this will provide a bit more help for you. :)

Jan :)

Smiles are meant to be shared,
that is why they are so contagious.
 

Ray

I did search for all files created on 8/14/2004, which is
when I started having the "about:blank" problem. Of
those files I deleted those listed below and the problem
was eliminated. Unfortunately I lost the info about
where the files came from. The .dll file is probably the
culprit anyway.

1)1033_professional_0_gss3_small_banner.gif
2)a0020322.inf
3)a0020323.pnf
4)ar3.jar-724f57b4-adde00.idx
5)ar3.jar-724f57b4-adde00.zip
6)inf3.pnf
7)newsheadlines_1033_professional.xml
8)owindowsupdate[1].xml
9)Perflib_Perfdata_86c.dat
10)plgp.dll
11)urlscan.081404.log
 