About:blank spyware

Posted by german.vera on December 19, 2004, 8:27 pm

Hi,

My Internet Explorer was recently 'infected' with spyware that turned
my homepage to "About:blank". I tried the usual spyware removal tools
without success.

Today I finally got rid of it, so I'd like to share what I know about
it (I did not keep track of all that I did, but I hope this brief
summary may help anyone with the same infection):

- Everything starts with an unauthorized installation of an Internet
Explorer toolbar or BHO (Browser Helper Object). After it was installed
I went to Add/Remove Programs and uninstalled it. However, although the
toolbar disappeared, the BHO entry in the registry remained, along with
some exes and dlls.

- This spyware has two exe files (c:\winnt\system32\ntmw.exe and
c:\winnt\system\winen32.exe). They are added to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
RunOnce registry keys respectively. These exes apparently create dlls
with random names in C:\winnt (a new one is created when you get rid of
the 'current'). The 'current' dll is the BHO that creates the
Internet Explorer registry entries for the homepage, search page and
others (in HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main). You will find the name of the current dll using
HijackThis or using Regedit and going to the Internet Explorer\Main key.
The dll entries in the registry are of the form
res://c:\winnt\xxxxx.dll/sp.html#28129 (where xxxxx.dll is the name of
the library).

- The dlls appear to be COM objects (not all the normal COM
registry keys are present, but they can be unregistered with
regsvr32 -u). They are hidden and the 'modified date' seems to be
random. They are 55 kB in size.

- I used three tools from sysinternals.com to track and remove this:
pslist, pskill and regmon. Regmon keeps track of programs that access
the registry. If you track the Internet Explorer homepage key it seems
that Iexplore.exe is setting it to about:blank. The key to finding the
exes was to track a key in the registry that was next to the
InprocServer key for the dll called Data/MD (sorry I did not copy the
CLSID).

- To remove the spyware I started Internet Explorer, removed the entries
for the dll in the registry, killed the ntmw and then winen32
processes, deleted the exes and then removed the two entries for the
exes in the registry.

Two sites that are linked in the About:Blank page are
www.onemoresearch.net and www.rb37.com.

I hope this helps.

Germán Vera



Posted by bensmyth on December 20, 2004, 9:23 am
> My Internet explorer was recently 'infected' with spyware that turned
> my homepage to "About:blank". I tried the usual spyware removal tools
> without success.

I assume you are not talking about Internet Explorer's "about:blank" page?

(Tools --> Internet Options --> <Use Blank>)

This is what my IE homepage is set to... AdAware seems to mark it as
spyware every time it runs! I only use IE when a page fails to load in Firefox,
which is, annoyingly, far too often!


Ben
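The two posts above hinge on one distinction: a homepage that is literally `about:blank` is the benign "Use Blank" default, while a homepage value of the form `res://c:\winnt\xxxxx.dll/sp.html#...` points at a DLL acting as a BHO and is the hijack the first post describes. The script below is an added example, not code from either poster: it parses a Regedit export (`.reg` text) of the keys the first post names, classifies the `Start Page` value, pulls the DLL path out of any `res://` entries, and lists the `Run`/`RunOnce` and Browser Helper Objects entries an analyst would review next. The `.reg` sample, the DLL name `qwert.dll` and the BHO CLSID are constructed for the example; the `ntmw.exe` and `winen32.exe` paths are the ones given in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export for the example (not taken from a real machine).
# The DLL name and the BHO CLSID are made up; the two exe paths are the ones
# named in the original post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://c:\\winnt\\qwert.dll/sp.html#28129"
"Search Page"="res://c:\\winnt\\qwert.dll/sp.html#28129"
"Local Page"="C:\\WINNT\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntmw"="c:\\winnt\\system32\\ntmw.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"winen32"="c:\\winnt\\system\\winen32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12345678-1234-1234-1234-123456789abc}]
@=""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Either the default value (@) or a quoted name, followed by '=' and the data.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# A res:// URL whose resource container is a DLL, e.g. res://c:\winnt\x.dll/sp.html
RES_DLL_RE = re.compile(r'^res://([^/]+\.dll)/', re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo the escaping Regedit applies inside quoted .reg strings."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _decode_value(data: str) -> str:
    """Return REG_SZ data as a plain string; leave dword:/hex: data as written."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_value(m.group(2))
    return keys


def classify_start_page(value: str) -> str:
    """'benign-blank' for IE's own blank page, 'hijacked' for a res://...dll page."""
    if value.strip().lower() == 'about:blank':
        return 'benign-blank'
    if RES_DLL_RE.match(value.strip()):
        return 'hijacked'
    return 'other'


def find_hijack_indicators(keys: Dict[str, Dict[str, str]]) -> Dict[str, list]:
    """Collect the indicators the post describes from a parsed .reg export."""
    res_dlls = set()
    hijacked: List[Tuple[str, str]] = []
    autoruns: List[Tuple[str, str, str]] = []   # (Run|RunOnce, name, command)
    bhos: List[str] = []                         # CLSIDs registered as BHOs
    for key, values in keys.items():
        k = key.lower()
        if k.endswith('\\internet explorer\\main'):
            for name, val in values.items():
                m = RES_DLL_RE.match(val)
                if m:
                    hijacked.append((name, val))
                    res_dlls.add(m.group(1).lower())
        elif k.endswith('\\currentversion\\run') or k.endswith('\\currentversion\\runonce'):
            for name, val in values.items():
                autoruns.append((key.rsplit('\\', 1)[-1], name, val))
        elif '\\browser helper objects\\' in k:
            bhos.append(key.rsplit('\\', 1)[-1])
    return {'res_dlls': sorted(res_dlls), 'hijacked_values': hijacked,
            'autoruns': autoruns, 'bhos': bhos}


if __name__ == '__main__':
    found = find_hijack_indicators(parse_reg(SAMPLE_REG))
    for name, val in found['hijacked_values']:
        print(f"IE Main\\{name!r} -> {val}  [{classify_start_page(val)}]")
    print('BHO DLLs referenced by res:// pages:', found['res_dlls'])
    print('Autorun entries to review:', found['autoruns'])
    print('BHO CLSIDs registered:', found['bhos'])
```

Run against a real export (`regedit /e out.reg "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"` and likewise for the other keys, then `parse_reg(open('out.reg', encoding='utf-16').read())`, since Regedit writes UTF-16), the `res_dlls` list gives the BHO file to unregister and delete, and the `autoruns` list is where the two launcher exes would show up.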



