Cannot get rid of about:blank

My (boss's) homepage keeps redirecting to about:blank.  I have run hijackthis, cwshredder, adaware, spybot (all updated before running).  I can get it to go away but it always comes back.  I get very little time on his PC to troubleshoot, and it always comes back when I'm not around, so I can't pinpoint whether it is coming back on its own, which would lead me to believe that it is somewhere on his PC, or whether he keeps hitting infected websites or popups.  I have been trying to infect my own PC so that I can troubleshoot better but I have had no luck.

Computer101 Commented:
PAQed with points refunded (500)

EE Admin
Make a backup of the registry

and check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


Start --> Run --> Type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there. Reboot the machine and check if it still comes back.

Also check this page  (variant 35)
bshort1023 (Author) Commented:
Sorry, forgot to mention, Win2k sp4.  I believe msconfig is XP only.  Also it seems to be only on one profile.
download it here

also check these registry entries as msconfig checks these


bshort1023 (Author) Commented:
Where will I find the HiJackThis log?  In the local folder I created for HiJackThis I see a file with no extension, a dll and an inf.
Once you finish running hijackthis, many entries will be listed.
Below that, click on save log and save it as a text file. Then copy that and paste it here
tell your boss to stop looking at the porn sites ;)
Tim Holman Commented:
IE > Tools > Internet Options > 'Use Blank' causes this.

Is your boss expecting something else as a homepage ?  Does it say 'about:blank' in IE > Tools > Internet Options ?

Are you sure he's not using something like Web Washer or History Killer to cover his tracks ?

This doesn't seem anything out of the ordinary to me.  If he had malware or was surfing dodgy sites, then his homepage would be set to something a lot more interesting and devious than about:blank, eg or something ?
bshort1023 (Author) Commented:
He may very well be surfing porn sites but he's not going to tell me that.  I have now seen him go into internet options and change the homepage to  Close IE and open it back up and about:blank is back.  Sometimes it comes right back, sometimes it takes a while.  Although the address bar reads about:blank the actual page is a shopping/search page.  I believe it is one of the CoolWebSearch pages.  I am very surprised that CWShredder does not resolve this issue.
Tim Holman Commented:
OK.  The HijackThis log will be the only way for us to tell you how to remove this.  There's going to be a dodgy entry in there somewhere that's hijacking your browser.
Probably best to send him an email to tell him how to do this so this can be resolved quickly.  It's not too tricky to use - just install HiJackThis, run it, DON'T TICK ANYTHING, and generate a log file.  Post it up here and we can tell you which boxes need ticking to rescue IE !!
bshort1023 (Author) Commented:
Logfile of HijackThis v1.97.7
Scan saved at 7:29:52 AM, on 4/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\SurfControl\Web Filter\schedservice.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Microsoft Outlook.lnk = MSOffice2K\PFiles\MSOffice\Office\OUTLOOK.EXE
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Display Web Filter Icon in System Tray.lnk = C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
O16 - DPF: NetCharts -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Here's the catch, I can remove everything having to do with leeen.dll from here and even delete leeen.dll (from safemode) and it comes back later but with a different name (i.e. nfci.dll).  Something is creating these dll's.
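
The pattern in the log above, where one DLL serves the hijacked search pages through res:// URLs and is also registered as a Browser Helper Object, can be picked out mechanically. The script below is an added example, not part of the original thread or of HijackThis; `triage` and the regular expressions are assumptions, and the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Lines copied (trimmed) from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^=]+?) = (?P<value>.*)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<dll>.+)$")

def triage(log_text):
    """Map each DLL that backs an IE setting via res:// to the settings it
    controls and to the CLSIDs of any BHO entries loading the same file."""
    findings = defaultdict(lambda: {"settings": [], "clsids": []})
    bhos = []
    for line in log_text.splitlines():
        line = line.strip()
        r_entry = R_LINE.match(line)
        if r_entry:
            res = RES_DLL.match(r_entry.group("value"))
            if res:  # setting points into a DLL resource, not at a URL
                dll = res.group("dll").lower()
                findings[dll]["settings"].append(r_entry.group("key"))
            continue
        bho = BHO_LINE.match(line)
        if bho:
            bhos.append((bho.group("dll").strip().lower(), bho.group("clsid")))
    # Correlate: a BHO whose file is also the res:// source belongs to the hijack.
    for dll, clsid in bhos:
        if dll in findings:
            findings[dll]["clsids"].append(clsid)
    return dict(findings)

if __name__ == "__main__":
    for dll, info in triage(SAMPLE_LOG).items():
        print(dll, len(info["settings"]), "settings, BHO CLSIDs:", info["clsids"])
```

Because the match is on the path inside the log rather than on a fixed file name, the same check still works after the DLL reappears under a new name.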
Tim Holman Commented:
Fortunately, there's an easy fix for this:

1)  Close all browser entries
2)  Use HiJackThis to remove all the leeen.dll entries
3)  Reboot into safe mode following the instructions here. & navigate to & delete C:\WINDOWS\System32\leeen.dll

..or whatever leeen.dll has decided to call itself again..  ;)
bshort1023 (Author) Commented:
Your link does not go to a good page, but I have deleted that dll from safe mode.  It still comes back (in another form) later on.

Found a file in system32 this morning called "load.exe".  Wasn't sure what this was.  I checked a few other Win2k PC's and did not find it on those.  I renamed it to "load.bad" and rebooted (I was waiting for it to crash) and so far it has been fine.

I won't believe this is fixed until it goes a few days at least without the problem.
Based on the load.exe file, that sounds like a variant of the nimda virus... also found the troj.doal virus that could be related to the load.exe file, however, the symptoms do not sound like what is occurring here.  I would recommend going to and running their online scanner (Housecall) to see if it picks up any viruses. Odds are, it will most likely find something. If it finds any viruses, you should be able to do a search for the virus name listed via the online scanner in Trend's virus encyclopedia and follow the cleaning directions from there.

Hope this helps...
see for the information related to the nimda virus...
and while I am at it... is the original strain of the virus, could be what is hitting the pc also....
Tim Holman Commented:
There appear to be at least two viruses / browser hijacks on his system !!
Don't worry about the link that didn't work - it was just instructions on how to get into safe mode, which you've done anyway...
bshort1023 (Author) Commented:
I have already run McAfee's latest dat files and have come up with nothing new.  When this whole thing started it did find something called Adware-CWS and quarantined it.

With auditing turned on an entry gets created in the Event Viewer that shows the new dll being created.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            4/19/2004
Time:            3:49:49 PM
User:            (User name removed)
Computer:      (Computer name removed)
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\WINNT\system32\hhhinn.dll
       New Handle ID:      1532
       Operation ID:      {0,595673}
       Process ID:      1512
       Primary User Name:      XXX
       Primary Domain:      XXX
       Primary Logon ID:      XXX
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses            READ_CONTROL
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
       Privileges            -

As I am writing this I am running another virus scan (McAfee) on the c: drive and it has found Adware-SearchX which I see has just been discovered in the latest dat release as a "potentially unwanted program".  The stranger part is that they are in the hijack-this folder on the c: drive.  They are backup-long string of #'s.dll.  It also found all of the old .dll's that my boss keeps renaming as xxx.bad (instead of xxx.dll).

I'll clean these out and see what happens.
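
The audit event above records which process opened the new DLL with write access, which is the lead for finding whatever keeps recreating it. The script below is an added example, not from the thread: it parses event 560 text in the form shown and groups DLLs opened for writing under system32 by process ID. `parse_560` and `dll_writes` are hypothetical names, and the second sample event is constructed.

```python
# Event 560 fields copied (trimmed) from the post above.
POSTED = r"""Event ID:      560
       Object Type:      File
       Object Name:      C:\WINNT\system32\hhhinn.dll
       Process ID:      1512
       Accesses            READ_CONTROL
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
       Privileges            -
"""
# Constructed event: a read-only open that must not be reported.
CONSTRUCTED = r"""Event ID:      560
       Object Name:      C:\WINNT\system32\shell32.dll
       Process ID:      884
       Accesses            READ_CONTROL
                  ReadData (or ListDirectory)
       Privileges            -
"""
WRITE_ACCESSES = ("WriteData", "AppendData")

def parse_560(text):
    """Parse 'Name: value' lines; the Accesses field has no colon and
    continues over the following lines until Privileges."""
    fields, accesses, in_accesses = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Accesses"):
            in_accesses, line = True, line[len("Accesses"):].strip()
        elif line.startswith("Privileges"):
            in_accesses = False
        if in_accesses:
            if line:
                accesses.append(line)
        else:
            name, sep, value = line.partition(":")  # split at first colon only
            if sep:
                fields[name.strip()] = value.strip()
    fields["Accesses"] = accesses
    return fields

def dll_writes(events, directory=r"C:\WINNT\system32"):
    """Return {process ID: [DLL paths opened with write access in directory]}."""
    hits = {}
    for ev in map(parse_560, events):
        path = ev.get("Object Name", "")
        in_dir = path.lower().startswith(directory.lower() + "\\")
        writes = any(a.startswith(WRITE_ACCESSES) for a in ev["Accesses"])
        if ev.get("Event ID") == "560" and in_dir and writes and path.lower().endswith(".dll"):
            hits.setdefault(int(ev["Process ID"]), []).append(path)
    return hits
```

If process tracking is audited as well, the event 592 record carrying the same process ID gives the image file name of the process that opened the DLL.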

Tim Holman Commented:
The thing is, some viruses will prevent anti-virus programs from detecting them, which is why your scans are running clean.
I recommend you download and run Stinger from NAI.

This will go beyond standard AV programs (especially if they themselves are infected) and run a scan regardless.
bshort1023 (Author) Commented:
Stinger didn't find anything.

Regular McAfee found all of the offending dll's and deleted them (from Safe Mode) but they came back again.

We may be at the point to frag this machine and re-install the OS.
>>  I am very surprised that CWShredder does not resolve this issue.

The same tool solved the issue here  http:Q_20950237.html

Not sure if you had updated the tool after installing and then tried .. post back
Tim Holman Commented:
Running Stinger in safe mode will get rid of most known nasty viruses.
However, as none of this is picking up anything, it's quite possible this machine is infected by a root-kit or back door of some sort that is masking itself by modifying file headers to make it look like there have been no file changes.
Could even be that the av program itself has been compromised, and just keeps putting things back.
I think a reinstall would be a good idea !
We never did a netstat -an to see whether or not there are open ports trying to propagate this virus ?
Depending on the nature of the virus too, I have seen viruses in the past that have dropped themselves via code that is buried in actual code on the computer (i.e. HTML, JavaScript, etc.) that re-executes the virus whenever one of those pages with code is run... possible that it could be returning this way... is the only one that I have noticed with the Adware-SearchX virus listed. Both Norton and Trend do not have it listed. Try doing a virus scan from here - and see if it detects it under any other name. I know Trend usually gives directions for manually cleaning up most viruses. Worth a shot, however, I would probably just do a reinstall myself by this point ;)
Hey Everyone!

I did all previous steps to solve this problem; nothing seemed to work, after a few days I will get the virus again.
Finally I found the proper way to get rid of this virus.
The key is to find the hidden DLL. There are two: one will be modifying your Internet Explorer pages and resetting them to about:blank; the other is hidden and loaded at all times. First you need this program:

Open reglite and paste this value in the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Then double click:

You should be able to see a file with this address:


Clean your system with all the previous anti-virus programs.
Then, in the Windows console (Windows setup option), go to C:\Windows\System32 and modify the file there using the Attrib command; otherwise you won't be able to erase it. Another way is to change the name of the file.
Reboot your system and open reglite again, go back to the same key:
Now delete the value.

That should do the trick
Sohel Rana Commented:

Here is the solution, I think :

bshort1023 (Author) Commented:
Thanks for the reglite rsdn and dcobian.  Unfortunately I already wiped the PC that was infected so I have no way to test.  I had another PC with similar (not exact) issues and I ran reglite.  Under AppInit_dlls is NVDESK32.dll.  This appears to be from NVIDIA which is the video card he has.  I shouldn't delete that should I?  What exactly gets put into AppInit_dlls?

What is the status of this question, as it has been ages since the last post? If you have any questions on how to properly close a question, assistance can be found at
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: dcobian{http:#10980022}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer

As the user posted that they wiped their PC clean and had no way to test any further recommendations, it is my belief that this post should be Close/Refunded instead of awarding points...
Question has a verified solution.
