About:Blank takes over My Space page

Hi All

I'm back. I'm hoping someone can explain what is going on with my computer and maybe offer a solution.

I use window Vista Home premium and AOL.

About:Blank takes over the computer. It floods the computer with pages. The only way out is to shut down by killing the power and then restarting. The problem occurs when my daughter opens her My Space page. She doesn't need to access any other pages. Immediately upon restart I ran MalwareBytes-AntiMalware. SpyBot S&D, And Adaware. Other than a few tracking cookies, they don't find anything. I then ran SuperAntiSpyware in safe mode. It didn't find anything either. Avast doesn't find anything.

The computer works fine after restarting until she opens her My Space again. My solution is to stop using My Space. Apparently that isn't an option for a 16 yr old.

After the one attack I posted here. http://www.bleepingcomputer.com/forums/t/189368/got-hit-with-aboutblank/ It has happend once more since then. Scans found nothing and the computer works fine.

So what's going on? How can About:Blank flood my computer with pages to the point that I have to kill the power and yet there is nothing showing as an infection on my computer? And the bigger question, is there anyway around this?

Also, I had been using firefox (not because of this problem) but had problems with it and had to uninstall. http://www.bleepingcomputer.com/forums/t/188283/firefox-stops-responding/

Thanks
Mike

Edited by Mike_K, 02 January 2009 - 10:02 AM.

Hello Mike.

Let's run a few tests and see what we can find.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Reset Hosts File
Some infections will put malicious lines into your hosts files. We will reset your hosts file with HostsXpert.

• Please down load HostsXpert.zip to your desktop and unzip the contents.
• A folder named HostsXpert will be created. Open it and run HostsXpert.exe by double clicking it.
• Click on the botton Make Writeable? .
• Click Restore Microsoft's Hosts File.
• Close out of the window.

If you have added modifications to your hosts file, they will need to be re-added

Download and Run SmitFruadFix Scan

• Please download SmitFraudFix by S!Ri to your desktop.
• Double click the icon to run it.
• Select Option 1 by typing 1 and hitting Enter.
• When the scan is complete, a log file will appear. Please copy the contents of the log into your next post.

Install MVSP Hosts File
This custom hosts file blocks out the domains of many malicious websites.

Please install the hosts file refering to the directions given here.

---

With Regards,
The Panda

Edited by PropagandaPanda, 02 January 2009 - 01:11 PM.

I have only seen About Blank problems that involved malware on the computer. Try the below and see if the ads still appear.

You can block the Ad/ tracking cookies from ever installing on your computer by following the steps below.
This applies to Internet explorer browsers.
Click on tools
click on internet options
click on privacy tab
click on advanced button
put a check in the box next to override automatic cookie handling
put a check in the box next to first party accept
put a check in the box next to block third party cookies (those are the ad/ tracking cookies that AVG deletes)
Click OK to exit

Then run a scan with Super Antispyware to remove all of the ad/tracking cookies that are now installed.

Reinstall Firefox and install two addons. NoScript addon and Adblock Plus addon. Once you have Adblock Plus installed, open its preferences and choose one of its filter subscriptions. (I use the Easy USA one and it works great)
The NoScript addon will protect you from driveby downloads of malware, popups, and many more types of scripted malware. With those addons and other protections that Firefox has built in, Firefox will be much safer than using IE.

Set Firefox cookie controls. Uncheck "accept third party cookies"

Use Secunia online scanner to check for missing security updates. http://secunia.com/vulnerability_scanning/online/
After updating Java (if you haven't done so already) go to Add/ Remove and remove ALL old Java programs.
IE browser, Adobe Reader, Adobel Flash and Java have all been exploited recently. Important to get the latest updates to avoid malware exploiting those programs.

Click start, All programs, Accessories, System tools, Disk Cleanup, Put a check next to all items except "compress old files".
Then allow cleanup to run.

Please post back with results and let us know if you still see the ads.

MySpace and other very popular sites are constantly being attacked by malware. Clicking on links there or just visiting can be very dangerous.

EDIT: I didn't see Propaganda Panda's post until I had posted. Be sure to follow his directions first.

Edited by buddy215, 02 January 2009 - 12:12 PM.

Hello Buddy.

I am a "he" .

The Panda

OOOPS!

Maybe you should grow a beard or something.

*Points at display picture.
That is my beard .

**Cough** back on topic now.

The Panda

Thanks for the quick reply Panda. I had a small family emergency and couldn't get back to you right away.

I did what you said. When I ran HostsXpert.exe I got an error message: Cannot create file C:\Windows\system32\DRIVERS\ET\hosts

I ran SmithFraudFix. Here is the log:

SmitFraudFix v2.388

Scan done at 17:24:33.66, Fri 01/02/2009
Run from C:\Users\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsSyncAgent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\aol\1178157592\ee\aolsoftware.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Owner\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller
DNS Server Search Order: 10.0.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB893BC3-BD04-4923-94ED-A0DEE7675286}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB893BC3-BD04-4923-94ED-A0DEE7675286}: DhcpNameServer=10.0.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I then Followed the direction for Install MVSP Host Files.

I'll wait to hear back.

Thanks Buddy. I'm going to follow Pandas advice first. It's the beard.

Mike

Hello Mike.

Please give us an update of the symptoms.

Are those About:Blank still appearing? By the way, are they popups? Does it open more Internet Explorer windows? Kindly clarify.

With Regards,
The Panda

Hi Panda.

So far so good. My daughter tried out My Space for the last half hour and had no problems.

The problem before was About:Blank kept opening new IE windows faster than I could click them out.

Is there anything else to do now? Otherwise I'll wait and see if the problem returns.

Thanks

Mike

Edited by Mike_K, 02 January 2009 - 06:50 PM.

Hello Mike.

If the computer has some free time, consider running an online scan.

F-Secure Online Scan
This scan is for Internet Explorer only.

• It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
• Go to F-Secure Online Scanner
• Follow the instructions here for installation.
• Accept the License Agreement.
• Once the ActiveX installs, click Full System Scan
• Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and copy the entire report in your next reply.
• Be sure to re-enable any security programs.

---

Let the computer run for a couple days and see if the problem returns.

With Regards,
The Panda

Thanks Panda

I'll run the scan tonight and post the results tomorrow.

Mike

That's fine with me, Mike.

The Panda

The article below is from a year ago. If your daughters are using an older version of AOL browser, that could be the problem with using Firefox. AOL advised their users to switch to Firefox. You can remove the old AOL software and install a AOL toolbar in Firefox if the kids insist on using the AOL ad platform.

http://www.builderau.com.au/news/soa/AOL-t...feed=pt_firefox
AOL is formally pulling the plug on its historic Web browser and is advising its users to adopt AOL spinoff Mozilla Foundation's Firefox instead.

"AOL's focus on transitioning to an ad-supported Web business leaves little room for the size of investment needed to get the Netscape browser to a point many of its fans expect it to be. Given AOL's current business focus and the success the Mozilla Foundation has had in developing critically-acclaimed products, we feel it's the right time to end development of Netscape-branded browsers, hand the reigns fully to Mozilla, and encourage Netscape users to adopt Firefox," said Netscape's Tom Drapeau in a blog posting Friday................................

Hi Panda,

Here are the scan results

Scanning Report
Saturday, January 03, 2009 08:35:26 - 11:44:40
Computer name: OWNER-PC
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 8 malware found
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
W32/Zlob.gen123 (virus)
C:\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE (Submitted)
C:\USERS\OWNER\DESKTOP\SMITFRAUDFIX\AGENT.OMZ.FIX.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 99977
System: 4084
Not scanned: 73

Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 8
Submitted: 2
Files not scanned:
�

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-02
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure AVP: 7.0.171, 2009-01-02
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Did it clean my computer? I clicked automatic cleaning and the screen said the computer was cleaned but the scan results say no action taken. What's up?

Thanks buddy. I'll check it out once I'm done here.

Mike

Hello Mike.

From that I see in that scan log, you are clean. F-Secure detected SmitFaudFix, which has virus signatures.

Any problems at this point?

With Regards,
The panda