stubborn about:blank browser hijacker

lozina

Lifer
Sep 10, 2001
11,709
8
81
I'm trying to clean up my friend's laptop from a hell of a lot of viruses/trojans he had and I still seem to be getting an about:blank hijacking of his Internet Explorer.

I ran AVG Antivirus, The Cleaner, AdAware SE and finally Hijack this. They all found something which I promptly took care of.

I rebooted then ran Hijack This again and noticed an R3 item and several R0 items re-appeared on the list, including something about about:blank. So apparently there is still something which all these tools missed.

What to try now?
 

Dahak

Diamond Member
Mar 2, 2000
3,752
25
91
You can try also Microsoft Anti Spyware as well as
About Buster
and spybot search and destroy as well.
Also go in and clean out all the temp directories as well, there's a temp in each user as well as under the hidden folder "local settings" temp in each user
 

lozina

Lifer
Sep 10, 2001
11,709
8
81
oh forgot to mention this is Windows ME, so the microsoft spyware tool is not compatible.

but I'm running SpyBot S&D now and it's picking up yet more stuff! hopefully this will be the final nail in the coffin so I can give this guy his laptop back clean and ready for more abuse!
 

lozina

Lifer
Sep 10, 2001
11,709
8
81
Well I'm still having a problem with this damned about:blank hijacker...

I'm convinced a process called ctfmon.exe is behind some of this... when I use Hijack This to scan one of the entries is a registry key to run ctfmon.exe. I have it fixed (remove it) and I end the current ctfmon.exe process running using process explorer. Then I hit Internet Explorer and immediately that ctfmon.exe process starts up and that registry key returns...
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Try McAfee's manual scanner, preferably while in Safe Mode: instructions Also you may try Webroot Spysweeper, they have a 30-day trial and I think it does work on 98/ME.
 

Eltano1

Golden Member
Aug 6, 2000
1,897
0
0
Something that you can do is remove the System restore, and reboot on safe mode, and run all of those proggies all over again. Sometimes those pieces of junk will reside on the system restore, and will come back time after time.

Eltano
 

boomerang

Lifer
Jun 19, 2000
18,890
642
126
CCleaner is great for deleting temp files which a lot of bad stuff hangs in also. I run this and turn off System Restore as my first steps. Oh, and run everything in Safe Mode.
 
Jul 26, 2005
41
0
0
Although I wouldn't suggest it, unless you're a glutton for punishment like me, I like to reformat my computer about once a year. You could try that. Make sure you back-up all his/her important files first.
Also, the best defense against spyware/viruses/trojan horses, etc. is to teach him/her how to avoid them...and at the very least teach him/her how to run the anti-spyware programs you're using on his/her system.
Good Luck.
 

Jeff7

Lifer
Jan 4, 2001
41,599
19
81
Also download the standalone version of CWShredder. My experiences with about:blank turned out to be the insidious CoolWebSearch.
 

Nocturnal

Lifer
Jan 8, 2002
18,927
0
76
Download and use Spy Sweeper in safe mode. Also use CCleaner to clean out all your temp files.
 

lozina

Lifer
Sep 10, 2001
11,709
8
81
Thanks for all the advice guys!

I just manually moved that ctfmon.exe file out of windows\system then searched the registry for anything pointing to it, then removed those registries (after creating a backup reg file for each one). Rebooted and now it's finally all clean. Ran all those tools again in safe mode and now nothing new is being picked up.

Besides that I defragged the system, installed all the latest windows security/critical updates and sygate personal firewall. He should be good for a while now.

And yeah, I think the first thing I did was clean out the damn temp files. It took a really long time but it freed up about a gig of space! (on a hard drive with only 9 gigs)
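
The registry search described in the post above can be repeated offline against a backup export. This is an added example, not part of the original thread: it lists every string value in a REGEDIT4-style export that mentions a given file name and marks the ones sitting in autostart (Run) keys. The sample export, its key paths and its values are constructed for illustration.

```python
import re

# Keys whose values are launched automatically at boot or logon.
AUTOSTART = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
# "name"="data" or @="data"; only string values are parsed (no dword/hex).
VALUE = re.compile(
    r'^("(?P<name>(?:[^"\\]|\\.)*)"|@)="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export (not taken from the thread).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"Helper"="C:\\WINDOWS\\SYSTEM\\CTFMON.EXE"
'''

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_references(reg_text, filename):
    """Return (key, value_name, data, is_autostart) for each match."""
    hits, key = [], None
    needle = filename.lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new key section
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group("name") is None else unescape(m.group("name"))
        data = unescape(m.group("data"))
        # Case-insensitive: Windows file names are not case sensitive.
        if needle in data.lower() or needle in name.lower():
            hits.append((key, name, data, bool(AUTOSTART.search(key))))
    return hits

if __name__ == "__main__":
    for key, name, data, auto in find_references(SAMPLE_REG, "ctfmon.exe"):
        print("AUTOSTART" if auto else "other    ", key, name, "->", data)
```

Running it against an export taken before and after cleanup shows whether an entry has come back, which is the symptom reported earlier in the thread.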
 