Go Premium for a chance to win a PS4. Enter to Win


Web Site keeps displaying and IE Home Page changes to about-blank.ws

Posted on 2004-04-08
Medium Priority
Last Modified: 2013-12-04
It appears I have an IE Browser Hijack which I am finding extremely difficult to get rid of. Several related items are occuring on my PC.
1)   Every few minutes while dialed-in to the net, web site keeps displaying in a new IE window. This sites says I have accessed an illegal Pedo Site and the FBI are tracking my net activities. I know this to be untrue, so I suspect Spyware is doing this.
2)  My home web page is changed to about-blank.ws  In my attempts to fix this, home page changed to freednshost.info page.
3)  The following Shortcuts appear on the desktop, Debt Solutions, Party Poker.com and Party Poker which all take you to site and there is also a Shortcut for "You have visited an illegal Pedo site" which takes you to

I have run SpyBot S&D 1.2, Ad-aware 6.181 and SpyHunter and Nortons Internet Security 2004 and all of them have not been able to fix this problem.

I would appreciate it very much if someone could please help me solve this annoying issue. I have run HiJack This and fixed the usual "Search' reg entries, but they came back. I didn't dare fix anything else I was not sure about.

Brian, Melbourne Australia
Question by:bsligar
  • 3
  • 3
  • 3
  • +1
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 80 total points
ID: 10789204
A). I recommend running some spyware/adware software first:

Spybot @ www.safer-networking.org


Ad-aware @ www.lavasoftusa.com


PestPatrol @ http://www.safersite.com/Downloads/Eval/DownloadHomeEvalNew.asp


Hijack This - http://www.spychecker.com/program/hijackthis.html

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10789206
Also check your machine for viruses. Make sure your virus definitions are up to date.

Author Comment

ID: 10789243
Thank you for your quick response.
I have already run Spybot, Ad-Aware and Notons Anti-virus today. Anti-virus defs are dated 7 April 2004 and I have auto update on. None of these solved the problem.
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.


Accepted Solution

Joseph_Moore earned 440 total points
ID: 10789447
This is a CoolWebSearch variant, variant# 35, techinically. Here is the write-up from Merijn.org's CWS page on this version:
Variant 35: CWS.Aboutblank - It's just a fad
Approx date first sighted: March 2, 2004
Log reference: Reconstruction
Symptoms: IE pages changed to about-blank.ws and (1-se.com), hijack returning on system restart
Cleverness: 5/10
Manual removal difficulty: Involves some Registry editing and deleting a randomly named file
Identifying lines in HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 1-se.com
O1 - Hosts: 58q.com
O1 - Hosts: aifind.cc
O1 - Hosts: aifind.info
O1 - Hosts: allneedsearch.com
O1 - Hosts: approvedlinks.com
O1 - Hosts: www.wazzupnet.com
O1 - Hosts: www.websearch.com
O1 - Hosts: www.windowws.cc
O1 - Hosts: www.xgmm.com
O1 - Hosts: xwebsearch.biz
O1 - Hosts: yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt  

This variant does everything in its powers to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.
Restoring the IE pages by searching the Registry for about-blank.ws, removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size) fixed this.  
You need CWShredder from Merijn to get rid of this. It's the only thing that will do it:

Author Comment

ID: 10789979

I have followed your instructions and downloaded CWShredder and ran it.
The output report reads;

Removed from your system:
- CWS.Googlems
- CWS.Aboutblank
- 17 infected IE registry values

Windows XP (5.01.2600 SP1)
CWShredder v1.56.1
Written by Merijn - merijn@spywareinfo.com

I also ran HiJack This, and this is what it is now showing;   Does it all look OK???  I have been connected to the net for 10mins now and no web pages are poping up. This is a good sign.  

 Logfile of HijackThis v1.97.7
Scan saved at 7:32:13 PM, on 9/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Expert Comment

ID: 10790833
Well, I am not the best person at recognizing every running process and startup application that the HijackThis log generates, but to me, it looks good. I had a question on one of the BHO objects (browser helper objects):  
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

I looked that one up here:
and it was listed as not being spyware, technically. It is for an HP and/or Veritas object. Is this an HP/Compaq machine?

So, CWShredder got rid of  17 objects, so you "should" be fine now, but remember, you can get re-spywared later on. You need to be careful with your browsing. Run Ad-Aware every couple of days. Run a popup blocker (they really do help keeping the junk off). Get and stay up-to-date on Windows and IE patches from Microsoft.

Glad it's working.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10791168
Its part of the HP CD burning software I believe for an HP CD burner.

Expert Comment

by:Dale May
ID: 10792379
Also you may want to install the sun Java program.  Microsoft ended thier support of Java January 1st 2004.  Uninstall the Microsoft version first then go to www.sun.com for the lastest version.  d_may

Author Comment

ID: 10794294
Joseph,  Everything is now running as normal. Thank you very much for your help in solving my problem. I have an external HP CD Burner attached to my DELL 8300 PC using RecordNow burning software. diggisaur, you are correct with your comment.   Thanks d_may for your tip on how to replace my Java MV. This item can be closed now and Joseph will be awarded the most points. Thanks everyone for your time and help.

Expert Comment

ID: 10795541
Cool! Good luck in the future on staying clean.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question