bshort1023

Cannot get rid of about:blank

My boss's homepage keeps redirecting to about:blank.  I have run HijackThis, CWShredder, Ad-Aware, Spybot (all updated before running).  I can get it to go away but it always comes back.  I get very little time on his PC to troubleshoot, and it always comes back when I'm not around, so I can't pinpoint whether it is coming back on its own (which would lead me to believe that it is somewhere on his PC) or whether he keeps hitting infected websites or popups.  I have been trying to infect my own PC so that I can troubleshoot better but I have had no luck.

HELP!
sunray_2003

Make backup of registry

and Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

Start --> run --> Type in "msconfig" and press "Enter"
goto Startup tab
Disable all the applications there. Reboot the machine and check if it still comes back.

Also check this page http://www.spywareinfo.com/~merijn/cwschronicles.html  (variant 35)
bshort1023

ASKER

Sorry, forgot to mention, Win2k SP4.  I believe msconfig is XP only.  Also it seems to be only on one profile.
download it here  http://www.techadvice.com/win2000/m/msconfig_w2k.htm

also check these registry entries as msconfig checks these

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Where will I find the HiJackThis log?  In the local folder I created for HiJackThis I see a file with no extension, a dll and an inf.
Once you finish running HijackThis, many entries will be listed.
Below that, click on "Save log" and save it as a text file. Then copy that and paste it here.
tell your boss to stop looking at the porn sites ;)
Tim Holman
IE > Tools > Internet Options > 'Use Blank' causes this.

Is your boss expecting something else as a homepage ?  Does it say 'about:blank' in IE > Tools > Internet Options ?

Are you sure he's not using something like Web Washer or History Killer to cover his tracks ?

This doesn't seem anything out of the ordinary to me.  If he had malware or was surfing dodgy sites, then his homepage would be set to something a lot more interesting and devious than about:blank, eg www.ifantasiseaboutmonkeys.com or something ?
He may very well be surfing porn sites but he's not going to tell me that.  I have now seen him go into Internet Options and change the homepage to msn.com.  Close IE and open it back up and about:blank is back.  Sometimes it comes right back, sometimes it takes a while.  Although the address bar reads about:blank, the actual page is a shopping/search page.  I believe it is one of the CoolWebSearch pages.  I am very surprised that CWShredder does not resolve this issue.
OK.  The HijackThis log will be the only way for us to tell you how to remove this.  There's going to be a dodgy entry in there somewhere that's hijacking your browser.
Probably best to send him an email to tell him how to do this so this can be resolved quickly.  It's not too tricky to use - just install HiJackThis, run it, DON'T TICK ANYTHING, and generate a log file.  Post it up here and we can tell you which boxes need ticking to rescue IE !!
Logfile of HijackThis v1.97.7
Scan saved at 7:29:52 AM, on 4/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SurfControl\Web Filter\schedservice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
S:\MSOffice2K\PFiles\MSOffice\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Microsoft Outlook.lnk = MSOffice2K\PFiles\MSOffice\Office\OUTLOOK.EXE
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Display Web Filter Icon in System Tray.lnk = C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
O16 - DPF: NetCharts - http://10.1.1.10:8090/surf/NetCharts/classes/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.2438541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Here's the catch: I can remove everything having to do with leeen.dll from here and even delete leeen.dll (from safe mode) and it comes back later but with a different name (i.e. nfci.dll).  Something is creating these DLLs.
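As an added example (not from the thread and not part of HijackThis itself), a small Python triage script that reads a log in the format posted above and correlates the res:// search-page entries with the O2 BHO list: a DLL that both serves the fake search page and is registered as a BHO, as leeen.dll is here, is the pair of entries to fix together. The sample log is a constructed excerpt of the one above.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis 1.97 log format, modelled on the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")            # "R1 - ..." / "O2 - ..."
RES_RE = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)     # DLL serving a res:// page
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)

def parse_entries(text):
    """Yield (section code, body) for each R/O line; headers and the process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Map each res:// DLL to the IE registry values pointing at it, and list BHO CLSIDs
    whose DLL is one of those files. In the log above both roles belong to leeen.dll:
    the R1 entries only redirect the browser, the O2 entry is what loads it into IE."""
    res_targets = defaultdict(list)      # lowercased DLL path -> hijacked registry values
    bhos = []                            # (CLSID, lowercased DLL path)
    for code, body in parse_entries(text):
        if code.startswith("R"):
            m = RES_RE.search(body)
            if m:
                res_targets[m.group(1).lower()].append(body.split(" = ")[0])
        elif code == "O2":
            m = BHO_RE.match(body)
            if m:
                bhos.append((m.group(2), m.group(3).strip().lower()))
    suspect_bhos = [clsid for clsid, dll in bhos if dll in res_targets]
    return {"res_dlls": dict(res_targets), "suspect_bhos": suspect_bhos}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```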
Fortunately, there's an easy fix for this:

1)  Close all browser entries
2)  Use HiJackThis to remove all the leeen.dll entries
3)  Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT/ts...2409420406 & navigate to & delete C:\WINDOWS\System32\leeen.dll

..or whatever leeen.dll has decided to call itself again..  ;)
Your link does not go to a good page, but I have deleted that dll from safe mode.  It still comes back (in another form) later on.

Found a file in system32 this morning called "load.exe".  Wasn't sure what this was.  I checked a few other Win2k PC's and did not find it on those.  I renamed it to "load.bad" and rebooted (I was waiting for it to crash) and so far it has been fine.

I won't believe this is fixed until it goes a few days at least without the problem.
Based on the load.exe file, that sounds like a variant of the Nimda virus. I also found the TROJ_DOAL virus (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DOAL.A&VSect=T) that could be related to the load.exe file; however, the symptoms do not sound like what is occurring here.  I would recommend going to www.antivirus.com and running their online scanner (HouseCall) to see if it picks up any viruses. Odds are it will most likely find something. If it finds any viruses, you should be able to search for the virus name listed by the online scanner in Trend's virus encyclopedia and follow the cleaning directions from there.

Hope this helps...
and while I am at it... http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A is the original strain of the virus, could be what is hitting the pc also....
There appear to be at least two viruses / browser hijacks on his system !!
Don't worry about the link that didn't work - it was just instructions on how to get into safe mode, which you've done anyway...
I have already run McAfee's latest dat files and have come up with nothing new.  When this whole thing started it did find something called Adware-CWS and quarantined it.

With auditing turned on an entry gets created in the Event Viewer that shows the new dll being created.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            4/19/2004
Time:            3:49:49 PM
User:            (User name removed)
Computer:      (Computer name removed)
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\WINNT\system32\hhhinn.dll
       New Handle ID:      1532
       Operation ID:      {0,595673}
       Process ID:      1512
       Primary User Name:      XXX
       Primary Domain:      XXX
       Primary Logon ID:      XXX
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses            READ_CONTROL
                  SYNCHRONIZE
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges            -


As I am writing this I am running another virus scan (McAfee) on the C: drive and it has found Adware-SearchX, which I see has just been discovered in the latest DAT release as a "potentially unwanted program".  The stranger part is that they are in the HijackThis folder on the C: drive.  They are backup-long string of #'s.dll.  It also found all of the old DLLs that my boss keeps renaming as xxx.bad (instead of xxx.dll).

I'll clean these out and see what happens.
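As an added example, not from the thread: a Python parser for exported Security-log text in the Event ID 560 format quoted above that flags successful opens which write a .dll under system32, the record that caught hhhinn.dll being created. The second record in the sample is constructed (a benign read-only open of another DLL) to show what does not get flagged.

```python
import re

# Constructed sample: the Event ID 560 record quoted above (redactions kept) plus a benign read-only open.
SAMPLE_EVENTS = r"""Event Type:      Success Audit
Event ID:      560
       Object Type:      File
       Object Name:      C:\WINNT\system32\hhhinn.dll
       Process ID:      1512
       Accesses            READ_CONTROL
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
       Privileges            -
Event Type:      Success Audit
Event ID:      560
       Object Type:      File
       Object Name:      C:\WINNT\system32\shell32.dll
       Process ID:      1512
       Accesses            READ_CONTROL
                  ReadData (or ListDirectory)
       Privileges            -
"""
WRITE_RIGHTS = {"WriteData", "AppendData", "WriteEA", "WriteAttributes", "DELETE"}

def parse_560_records(text):
    """Split exported Security-log text into records: 'Key: value' fields plus the Accesses list."""
    records = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        rec, in_acc = {"accesses": []}, False
        for line in chunk.splitlines():
            m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*)$", line)
            if m:                                        # ordinary "Key:   value" line
                rec[m.group(1).strip()], in_acc = m.group(2).strip(), False
            elif line.strip().startswith("Accesses"):    # first right is on the same line
                in_acc, line = True, line.strip()[len("Accesses"):]
            elif line.strip().startswith("Privileges"):  # end of the Accesses list
                in_acc = False
            if in_acc and line.strip():                  # "WriteData (or AddFile)" -> WriteData
                rec["accesses"].append(line.split()[0])
        records.append(rec)
    return records

def dll_drops(text):
    """(object name, process id) for successful 560 opens that write a .dll under system32."""
    hits = []
    for rec in parse_560_records(text):
        name = rec.get("Object Name", "").lower()
        if (rec.get("Event ID") == "560" and rec.get("Object Type") == "File" and "\\system32\\" in name
                and name.endswith(".dll") and WRITE_RIGHTS & set(rec["accesses"])):
            hits.append((rec["Object Name"], rec.get("Process ID")))
    return hits
```

The Process ID in a hit is the next thing to look up in Task Manager or the process list of a HijackThis log, since that is the process doing the dropping rather than the DLL being dropped.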

The thing is, some viruses will prevent anti-virus programs from detecting them, which is why your scans are running clean.
I recommend you download and run Stinger from NAI.

http://vil.nai.com/vil/stinger/

This will go beyond standard AV programs (especially if they themselves are infected) and run a scan regardless.
Stinger didn't find anything.

Regular McAfee found all of the offending dll's and deleted them (from Safe Mode) but they came back again.

We may be at the point to frag this machine and re-install the OS.
>>  I am very surprised that CWShredder does not resolve this issue.


The same tool solved the issue here  http:Q_20950237.html

Not sure if you had updated the tool after installing and then tried .. post back
Running Stinger in safe mode will get rid of most known nasty viruses.
However, as none of this is picking up anything, it's quite possible this machine is infected by a rootkit or back door of some sort that is masking itself by modifying file headers to make it look like there have been no file changes.
Could even be that the av program itself has been compromised, and just keeps putting things back.
I think a reinstall would be a good idea !
We never did a netstat -an to see whether or not there are open ports trying to propagate this virus ?
Depending on the nature of the virus too, I have seen viruses in the past that have dropped themselves via code that is buried in actual code on the computer (i.e. HTML, JavaScript, etc.) that re-executes the virus whenever one of those pages with code is run. Possible that it could be returning this way...

www.nai.com is the only one that I have noticed with the Adware-SearchX virus listed. Both Norton and Trend do not have it listed. Try doing a virus scan from here - http://housecall.trendmicro.com/ - and see if it detects it under any other name. I know Trend usually gives directions for manually cleaning up most viruses. Worth a shot; however, I would probably just do a reinstall myself by this point ;)
Hey Everyone!

I did all previous steps to solve this problem; nothing seemed to work, after a few days I will get the virus again.
Finally I found the proper way to get rid of this virus.
The key is to find the hidden DLL. There are two: one will be modifying your Internet Explorer pages and resetting them to about:blank, the other is hidden and loaded at all times. First you need this program:

http://www.resplendence.com/download/reglite.exe

Open reglite and paste this value in the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Then double click:
AppInit_DLLs

You should be able to see a file with this address:

C:\Windows\System32\"Hidden".dll

Clean your system with all the previous anti-virus programs.
 
Then, in the Windows console (Windows setup option), go to C:\Windows\System32 and modify the file's attributes using the Attrib command, otherwise you won't be able to erase it; another way is to change the name of the file.
Reboot your system and open reglite again, go back to the same key:
AppInit_DLLs,
Now delete the value.

That should do the trick      
Thanks for the reglite rsdn and dcobian.  Unfortunately I already wiped the PC that was infected so I have no way to test.  I had another PC with similar (not exact) issues and I ran reglite.  Under AppInit_dlls is NVDESK32.dll.  This appears to be from NVIDIA which is the video card he has.  I shouldn't delete that should I?  What exactly gets put into AppInit_dlls?

-B
What is the status of this question, as it has been ages since the last post? If you have any questions on how to properly close a question, assistance can be found at https://www.experts-exchange.com/help.jsp#hs5
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: dcobian{http:#10980022}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer


as the user posted that they wiped their PC clean and had no way to test any further recommendations, it is my belief that this post should be Close/Refunded instead of awarding points...
ASKER CERTIFIED SOLUTION
Computer101