• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2469
  • Last Modified:

Web Site keeps displaying and IE Home Page changes to about-blank.ws

It appears I have an IE Browser Hijack which I am finding extremely difficult to get rid of. Several related items are occuring on my PC.
1)   Every few minutes while dialed-in to the net, web site keeps displaying in a new IE window. This sites says I have accessed an illegal Pedo Site and the FBI are tracking my net activities. I know this to be untrue, so I suspect Spyware is doing this.
2)  My home web page is changed to about-blank.ws  In my attempts to fix this, home page changed to freednshost.info page.
3)  The following Shortcuts appear on the desktop, Debt Solutions, Party Poker.com and Party Poker which all take you to site and there is also a Shortcut for "You have visited an illegal Pedo site" which takes you to

I have run SpyBot S&D 1.2, Ad-aware 6.181 and SpyHunter and Nortons Internet Security 2004 and all of them have not been able to fix this problem.

I would appreciate it very much if someone could please help me solve this annoying issue. I have run HiJack This and fixed the usual "Search' reg entries, but they came back. I didn't dare fix anything else I was not sure about.

Brian, Melbourne Australia
  • 3
  • 3
  • 3
  • +1
2 Solutions
Gareth GudgerCommented:
A). I recommend running some spyware/adware software first:

Spybot @ www.safer-networking.org


Ad-aware @ www.lavasoftusa.com


PestPatrol @ http://www.safersite.com/Downloads/Eval/DownloadHomeEvalNew.asp


Hijack This - http://www.spychecker.com/program/hijackthis.html

Gareth GudgerCommented:
Also check your machine for viruses. Make sure your virus definitions are up to date.
bsligarAuthor Commented:
Thank you for your quick response.
I have already run Spybot, Ad-Aware and Notons Anti-virus today. Anti-virus defs are dated 7 April 2004 and I have auto update on. None of these solved the problem.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

This is a CoolWebSearch variant, variant# 35, techinically. Here is the write-up from Merijn.org's CWS page on this version:
Variant 35: CWS.Aboutblank - It's just a fad
Approx date first sighted: March 2, 2004
Log reference: Reconstruction
Symptoms: IE pages changed to about-blank.ws and (1-se.com), hijack returning on system restart
Cleverness: 5/10
Manual removal difficulty: Involves some Registry editing and deleting a randomly named file
Identifying lines in HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 1-se.com
O1 - Hosts: 58q.com
O1 - Hosts: aifind.cc
O1 - Hosts: aifind.info
O1 - Hosts: allneedsearch.com
O1 - Hosts: approvedlinks.com
O1 - Hosts: www.wazzupnet.com
O1 - Hosts: www.websearch.com
O1 - Hosts: www.windowws.cc
O1 - Hosts: www.xgmm.com
O1 - Hosts: xwebsearch.biz
O1 - Hosts: yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt  

This variant does everything in its powers to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.
Restoring the IE pages by searching the Registry for about-blank.ws, removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size) fixed this.  
You need CWShredder from Merijn to get rid of this. It's the only thing that will do it:
bsligarAuthor Commented:

I have followed your instructions and downloaded CWShredder and ran it.
The output report reads;

Removed from your system:
- CWS.Googlems
- CWS.Aboutblank
- 17 infected IE registry values

Windows XP (5.01.2600 SP1)
CWShredder v1.56.1
Written by Merijn - merijn@spywareinfo.com

I also ran HiJack This, and this is what it is now showing;   Does it all look OK???  I have been connected to the net for 10mins now and no web pages are poping up. This is a good sign.  

 Logfile of HijackThis v1.97.7
Scan saved at 7:32:13 PM, on 9/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Well, I am not the best person at recognizing every running process and startup application that the HijackThis log generates, but to me, it looks good. I had a question on one of the BHO objects (browser helper objects):  
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

I looked that one up here:
and it was listed as not being spyware, technically. It is for an HP and/or Veritas object. Is this an HP/Compaq machine?

So, CWShredder got rid of  17 objects, so you "should" be fine now, but remember, you can get re-spywared later on. You need to be careful with your browsing. Run Ad-Aware every couple of days. Run a popup blocker (they really do help keeping the junk off). Get and stay up-to-date on Windows and IE patches from Microsoft.

Glad it's working.
Gareth GudgerCommented:
Its part of the HP CD burning software I believe for an HP CD burner.
Dale MaySecurityCommented:
Also you may want to install the sun Java program.  Microsoft ended thier support of Java January 1st 2004.  Uninstall the Microsoft version first then go to www.sun.com for the lastest version.  d_may
bsligarAuthor Commented:
Joseph,  Everything is now running as normal. Thank you very much for your help in solving my problem. I have an external HP CD Burner attached to my DELL 8300 PC using RecordNow burning software. diggisaur, you are correct with your comment.   Thanks d_may for your tip on how to replace my Java MV. This item can be closed now and Joseph will be awarded the most points. Thanks everyone for your time and help.
Cool! Good luck in the future on staying clean.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now