Solved

Cannot get rid of about:blank

Posted on 2004-04-12
Last Modified: 2007-12-19
My boss's homepage keeps redirecting to about:blank.  I have run HijackThis, CWShredder, Ad-Aware, Spybot (all updated before running).  I can get it to go away but it always comes back.  I get very little time on his PC to troubleshoot and it always comes back when I'm not around, so I can't pinpoint if it is coming back on its own (which would lead me to believe that it is somewhere on his PC) or if he keeps hitting infected websites or popups.  I have been trying to infect my own PC so that I can troubleshoot better, but I have had no luck.

HELP!
Question by:bshort1023
32 Comments
 
Expert Comment by:sunray_2003 (LVL 49)
Make a backup of the registry,

and check these registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

Expert Comment by:sunray_2003 (LVL 49)
Start --> Run --> type in "msconfig" and press Enter.
Go to the Startup tab.
Disable all the applications there. Reboot the machine and check if it still comes back.

Also check this page http://www.spywareinfo.com/~merijn/cwschronicles.html  (variant 35)

Author Comment by:bshort1023
Sorry, forgot to mention: Win2k SP4.  I believe msconfig is XP only.  Also, it seems to be only on one profile.
Expert Comment by:sunray_2003 (LVL 49)
Download it here: http://www.techadvice.com/win2000/m/msconfig_w2k.htm

Also check these registry entries, as msconfig checks these:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Author Comment by:bshort1023
Where will I find the HiJackThis log?  In the local folder I created for HiJackThis I see a file with no extension, a dll and an inf.
Expert Comment by:sunray_2003 (LVL 49)
Once you finish running HijackThis, many entries will be listed.
Below that, click on Save Log and save it as a text file. Then copy that and paste it here.
Expert Comment by:RevelationCS (LVL 8)
tell your boss to stop looking at the porn sites ;)
Expert Comment by:Tim Holman (LVL 23)
IE > Tools > Internet Options > 'Use Blank' causes this.

Is your boss expecting something else as a homepage ?  Does it say 'about:blank' in IE > Tools > Internet Options ?

Are you sure he's not using something like Web Washer or History Killer to cover his tracks ?

This doesn't seem anything out of the ordinary to me.  If he had malware or was surfing dodgy sites, then his homepage would be set to something a lot more interesting and devious than about:blank, e.g. www.ifantasiseaboutmonkeys.com or something?

Author Comment by:bshort1023
He may very well be surfing porn sites, but he's not going to tell me that.  I have now seen him go into Internet Options and change the homepage to msn.com, close IE and open it back up, and about:blank is back.  Sometimes it comes right back, sometimes it takes a while.  Although the address bar reads about:blank, the actual page is a shopping/search page.  I believe it is one of the CoolWebSearch pages.  I am very surprised that CWShredder does not resolve this issue.
Expert Comment by:Tim Holman (LVL 23)
OK.  The HijackThis log will be the only way for us to tell you how to remove this.  There's going to be a dodgy entry in there somewhere that's hijacking your browser.
Probably best to send him an email to tell him how to do this so this can be resolved quickly.  It's not too tricky to use - just install HiJackThis, run it, DON'T TICK ANYTHING, and generate a log file.  Post it up here and we can tell you which boxes need ticking to rescue IE !!

Author Comment by:bshort1023
Logfile of HijackThis v1.97.7
Scan saved at 7:29:52 AM, on 4/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SurfControl\Web Filter\schedservice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
S:\MSOffice2K\PFiles\MSOffice\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Microsoft Outlook.lnk = MSOffice2K\PFiles\MSOffice\Office\OUTLOOK.EXE
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Display Web Filter Icon in System Tray.lnk = C:\Program Files\SurfControl\Web Filter\sctaskbar.exe
O16 - DPF: NetCharts - http://10.1.1.10:8090/surf/NetCharts/classes/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.2438541667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Here's the catch: I can remove everything having to do with leeen.dll from here and even delete leeen.dll (from safe mode), and it comes back later but with a different name (e.g. nfci.dll).  Something is creating these DLLs.
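The registry keys sunray_2003 listed earlier and the R0/R1/O2 lines in this log are the same data seen two ways; what the log adds is the link between the res:// search pages and the DLL they live in, and between that DLL and the O2 BHO that loads it into IE on every start. The following is an added example, not part of the thread and not HijackThis's own code. It parses an excerpt of the log above (embedded as sample input; the running-process list is left out) and returns the hijacker DLL, the BHO CLSID and path that keep it loaded, and every entry line to tick.

```python
"""Trace a browser hijacker through a HijackThis log.

Added example for the thread above; not HijackThis code and not the poster's.
Input is an excerpt of the posted log (R and O2 sections plus one O4 line).
"""
import re

# Excerpt of the HijackThis log posted in the thread (sample input).
HJT_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\leeen.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B18DFA1-50CE-40D7-9D36-7B0F70626CD9} - C:\WINNT\system32\leeen.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

ENTRY = re.compile(r"^(?P<section>R\d|F\d|O\d+) - ")
# A res:// URL serves an HTML resource out of a DLL; capture the DLL path.
RES_DLL = re.compile(r"res://(?P<path>[^/\s]+\.dll)/", re.IGNORECASE)
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def entries(log):
    """Yield (section, line) for each HijackThis entry line, skipping headers."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group("section"), line


def res_dlls(log):
    """DLLs that R0/R1 search/start pages are served from, keyed by lowercase basename."""
    found = {}
    for section, line in entries(log):
        m = RES_DLL.search(line) if section.startswith("R") else None
        if m:
            base = m.group("path").rsplit("\\", 1)[-1].lower()
            found.setdefault(base, []).append(line)
    return found


def bhos_loading(log, dll_basenames):
    """O2 entries whose DLL is one of dll_basenames: the hook that rewrites IE's settings."""
    hits = []
    for section, line in entries(log):
        m = BHO.match(line) if section == "O2" else None
        if m and m.group("path").rsplit("\\", 1)[-1].lower() in dll_basenames:
            hits.append((m.group("clsid"), m.group("path")))
    return hits


def triage(log):
    """Everything to tick in HijackThis for the hijacker DLL(s) found in the R entries."""
    dlls = res_dlls(log)
    tick = [line for _section, line in entries(log)
            if any(d in line.lower() for d in dlls)]
    return {"dlls": sorted(dlls), "bhos": bhos_loading(log, set(dlls)), "tick": tick}


if __name__ == "__main__":
    t = triage(HJT_LOG)
    print("hijacker DLL(s):", ", ".join(t["dlls"]))
    for clsid, path in t["bhos"]:
        print("BHO", clsid, "loads", path)
    print(len(t["tick"]), "entries to tick; then delete the DLL itself from safe mode")
```

Ticking the R entries alone only resets the values; the O2 BHO is the code that writes them back, so it and the DLL on disk have to go in the same pass, and a fresh log after reboot shows whether something else (a Run key, a loader outside IE) re-created them under a new name.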
Expert Comment by:Tim Holman (LVL 23)
Fortunately, there's an easy fix for this:

1)  Close all browser entries
2)  Use HiJackThis to remove all the leeen.dll entries
3)  Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT/ts...2409420406 & navigate to & delete C:\WINDOWS\System32\leeen.dll

..or whatever leeen.dll has decided to call itself again..  ;)

Author Comment by:bshort1023
Your link does not go to a good page, but I have deleted that dll from safe mode.  It still comes back (in another form) later on.

Found a file in system32 this morning called "load.exe".  Wasn't sure what this was.  I checked a few other Win2k PC's and did not find it on those.  I renamed it to "load.bad" and rebooted (I was waiting for it to crash) and so far it has been fine.

I won't believe this is fixed until it goes a few days at least without the problem.
Expert Comment by:RevelationCS (LVL 8)
Based on the load.exe file, that sounds like a variant of the Nimda virus... I also found the TROJ_DOAL virus (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DOAL.A&VSect=T) that could be related to the load.exe file; however, the symptoms do not sound like what is occurring here.  I would recommend going to www.antivirus.com and running their online scanner (Housecall) to see if it picks up any viruses. Odds are, it will most likely find something. If it finds any viruses, you should be able to do a search for the virus name listed by the online scanner in Trend's virus encyclopedia and follow the cleaning directions from there.

Hope this helps...
Expert Comment by:RevelationCS (LVL 8)
see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.E for the information related to the nimda virus...
Expert Comment by:RevelationCS (LVL 8)
and while I am at it... http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A is the original strain of the virus, could be what is hitting the pc also....
Expert Comment by:Tim Holman (LVL 23)
There appear to be at least two viruses / browser hijacks on his system !!
Don't worry about the link that didn't work - it was just instructions on how to get into safe mode, which you've done anyway...

Author Comment by:bshort1023
I have already run McAfee's latest dat files and have come up with nothing new.  When this whole thing started it did find something called Adware-CWS and quarantined it.

With auditing turned on an entry gets created in the Event Viewer that shows the new dll being created.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            4/19/2004
Time:            3:49:49 PM
User:            (User name removed)
Computer:      (Computer name removed)
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\WINNT\system32\hhhinn.dll
       New Handle ID:      1532
       Operation ID:      {0,595673}
       Process ID:      1512
       Primary User Name:      XXX
       Primary Domain:      XXX
       Primary Logon ID:      XXX
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses            READ_CONTROL
                  SYNCHRONIZE
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges            -


As I am writing this I am running another virus scan (McAfee) on the C: drive and it has found Adware-SearchX, which I see has just been discovered in the latest DAT release as a "potentially unwanted program".  The stranger part is that they are in the HijackThis folder on the C: drive.  They are backup-<long string of #'s>.dll.  It also found all of the old .dlls that my boss keeps renaming as xxx.bad (instead of xxx.dll).

I'll clean these out and see what happens.


 
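The audit record above already contains the pivot a responder needs: the Process ID (1512) that opened hhhinn.dll with WriteData and AppendData rights. With "Audit process tracking" also enabled, the matching event 592 ("A new process has been created") names the image that was started with that PID. The following is an added example, not from the thread: it parses the posted 560 record and a constructed 592 record (its image path is a placeholder; the thread never identified the process) and joins them on the PID.

```python
"""Pivot from a Windows object-access audit (event 560) to the process behind it.

Added example, not part of the thread. EVENT_560 is the record posted above with
its redacted fields kept as XXX; EVENT_592 is a constructed process-creation
record whose image path is a placeholder, not anything the thread identified.
"""
import re

EVENT_560 = """Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            4/19/2004
Time:            3:49:49 PM
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\\WINNT\\system32\\hhhinn.dll
       New Handle ID:      1532
       Operation ID:      {0,595673}
       Process ID:      1512
       Primary User Name:      XXX
       Client User Name:      -
       Accesses            READ_CONTROL
                  SYNCHRONIZE
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  WriteEA
                  ReadAttributes
                  WriteAttributes
       Privileges            -
"""

# Constructed Win2k "A new process has been created" record for the same PID.
EVENT_592 = """Event Type:      Success Audit
Event Source:      Security
Event Category:      Detailed Tracking
Event ID:      592
Date:            4/19/2004
Time:            3:49:41 PM
Description:
A new process has been created:
       New Process ID:      1512
       Image File Name:      \\WINNT\\system32\\dropper-placeholder.exe
       Creator Process ID:      1080
       User Name:      XXX
"""

FIELD = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s+(?P<val>.*?)\s*$")
WRITE_ACCESSES = {"WriteData (or AddFile)",
                  "AppendData (or AddSubdirectory or CreatePipeInstance)"}


def parse_event(text):
    """'Key:   value' lines become dict entries; the Accesses block becomes a list."""
    fields, accesses, in_accesses = {}, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Accesses"):          # header of the multi-line block
            in_accesses = True
            rest = stripped[len("Accesses"):].strip()
            if rest:
                accesses.append(rest)
            continue
        if stripped.startswith("Privileges"):        # first field after the block
            in_accesses = False
            fields["Privileges"] = stripped[len("Privileges"):].strip()
            continue
        m = FIELD.match(line)
        if m:
            in_accesses = False
            fields[m.group("key").strip()] = m.group("val")
        elif in_accesses:
            accesses.append(stripped)
    fields["Accesses"] = accesses
    return fields


def is_write_under(event, directory):
    """True for a 560 that opened a file below `directory` with a write/append right."""
    name = event.get("Object Name", "")
    return (event.get("Event ID") == "560"
            and event.get("Object Type") == "File"
            and name.lower().startswith(directory.lower())
            and bool(WRITE_ACCESSES & set(event.get("Accesses", []))))


def image_for_pid(pid, creation_events):
    """The image a 592 record says was started with this PID (None if not logged)."""
    for ev in creation_events:
        if ev.get("Event ID") == "592" and ev.get("New Process ID") == pid:
            return ev.get("Image File Name")
    return None


def trace_dll_drop(open_text, creation_texts, watch_dir=r"C:\WINNT\system32"):
    """Parse the 560, confirm it is a write into watch_dir, and name the writer."""
    ev = parse_event(open_text)
    if not is_write_under(ev, watch_dir):
        return None
    image = image_for_pid(ev.get("Process ID"), [parse_event(t) for t in creation_texts])
    return {"file": ev["Object Name"], "pid": ev["Process ID"], "image": image}


if __name__ == "__main__":
    print(trace_dll_drop(EVENT_560, [EVENT_592]))
```

Two caveats when doing this against a real log: PIDs are reused, so take the latest 592 for that PID that precedes the 560 and check no 593 (process exit) for it sits in between; and if the PID turns out to belong to explorer.exe or iexplore.exe, the writer is a DLL loaded into that process (the BHO or an AppInit DLL), so the next pivot is that process's module list, not its executable.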
Expert Comment by:Tim Holman (LVL 23)
The thing is, some viruses will prevent anti-virus programs from detecting them, which is why your scans are running clean.
I recommend you download and run Stinger from NAI.

http://vil.nai.com/vil/stinger/

This will go beyond standard AV programs (especially if they themselves are infected) and run a scan regardless.

Author Comment by:bshort1023
Stinger didn't find anything.

Regular McAfee found all of the offending dll's and deleted them (from Safe Mode) but they came back again.

We may be at the point to frag this machine and re-install the OS.
Expert Comment by:sunray_2003 (LVL 49)
>>  I am very surprised that CWShredder does not resolve this issue.


The same tool solved the issue here  http:Q_20950237.html

Not sure if you had updated the tool after installing and then tried .. post back
Expert Comment by:Tim Holman (LVL 23)
Running Stinger in safe mode will get rid of most known nasty viruses.
However, as none of this is picking up anything, it's quite possible this machine is infected by a rootkit or back door of some sort that is masking itself by modifying file headers to make it look like there have been no file changes.
Could even be that the AV program itself has been compromised, and just keeps putting things back.
I think a reinstall would be a good idea!
We never did a netstat -an to see whether or not there are open ports trying to propagate this virus?
Expert Comment by:RevelationCS (LVL 8)
Depending on the nature of the virus too, I have seen viruses in the past that have dropped themselves via code that is buried in actual code on the computer (i.e. HTML, JavaScript, etc.) that re-executes the virus whenever one of those pages with code is run. It's possible that it could be returning this way...

www.nai.com is the only one that I have noticed with the Adware-SearchX virus listed. Both Norton and Trend do not have it listed. Try doing a virus scan from here - http://housecall.trendmicro.com/ - and see if it detects it under any other name. I know Trend usually gives directions for manually cleaning up most viruses. Worth a shot; however, I would probably just do a reinstall myself by this point ;)

Expert Comment by:dcobian
Hey Everyone!

I did all the previous steps to solve this problem; nothing seemed to work, and after a few days I would get the virus again.
Finally I found the proper way to get rid of this virus.
The key is to find the hidden DLL. There are two: one will be modifying your Internet Explorer pages and resetting them to about:blank; the other is hidden and loaded at all times. First you need this program:

http://www.resplendence.com/download/reglite.exe

Open reglite and paste this value in the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Then double click:
AppInit_DLLs

You should be able to see a file with this address:

C:\Windows\System32\"Hidden".dll

Clean your system with all the previous anti-virus programs.
 
Then, in the Windows console (Windows setup option), go to C:\Windows\System32; there, modify the file by using the attrib command, otherwise you won't be able to erase it. Another way is to change the name of the file.
Reboot your system and open reglite again, go back to the same key:
AppInit_DLLs,
Now delete the value.

That should do the trick      
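The comment above points at the right place but does not say what the value is. AppInit_DLLs is a REG_SZ under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows holding a space- or comma-separated list of DLLs that user32.dll loads into every process that maps it, IE included; that is why a DLL registered there survives every browser-side cleanup and reappears as soon as IE starts. The following is an added example, not code from the thread and not from Registrar Lite: it reads the live value when run on Windows (and otherwise falls back to a constructed sample), splits it the way the loader does, resolves bare names against system32, and separates entries you have verified from those that still need a decision. The allowlist is a parameter you fill from your own checks of each file's publisher; it says nothing about NVDESK32.dll.

```python
"""Inspect AppInit_DLLs, the persistence the comment above describes.

Added example; not code from the thread and not Registrar Lite. The sample
value and the allowlist are constructed for illustration.
"""
import ntpath
import re

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SYSTEM32 = r"C:\WINNT\system32"   # Win2k layout, as on the machine in the thread


def parse_appinit_dlls(raw):
    """Split the REG_SZ the way the loader does: on spaces or commas, dropping empties.
    (Paths containing spaces therefore break; the documented workaround is short names.)"""
    return [e for e in re.split(r"[ ,]+", raw.strip()) if e]


def read_appinit_dlls():
    """Live value on Windows; None elsewhere so the rest still runs offline."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, "AppInit_DLLs")
    except OSError:          # key or value absent: nothing registered
        return ""
    return value


def assess(entries, verified_good, system_dir=SYSTEM32):
    """Resolve each entry to the path a responder must look at and classify it.
    Bare names are resolved against system32 here; the loader's search order is
    broader, so look there first but do not stop there."""
    report = []
    for entry in entries:
        path = entry if ntpath.isabs(entry) else ntpath.join(system_dir, entry)
        base = ntpath.basename(path).lower()
        verdict = ("verified" if base in verified_good
                   else "unverified: check publisher/signature, then rename or remove")
        report.append((path, verdict))
    return report


def suspicious(entries, verified_good):
    """Only the resolved paths that still need a human decision."""
    return [p for p, v in assess(entries, verified_good) if v != "verified"]


if __name__ == "__main__":
    live = read_appinit_dlls()
    # Constructed sample: the name the thread's author saw, plus one of the
    # random-named DLLs from the audit record, as if both were registered.
    sample = live if live is not None else "NVDESK32.dll, C:\\WINNT\\system32\\hhhinn.dll"
    for path, verdict in assess(parse_appinit_dlls(sample), verified_good=set()):
        print(path, "->", verdict)
```

An empty or missing value is the normal state on a workstation; anything present deserves a look at the file's publisher before it is removed, and an entry you cannot vouch for should be renamed (after clearing the value and rebooting, since the DLL is mapped into every GUI process while it is listed) rather than deleted, so it can be examined afterwards.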
Expert Comment by:Sohel Rana (LVL 16)
Hi:

Here is the solution, I think :

http://www.spywareinfo.com/forums/index.php?showtopic=43492

rsdn

Author Comment by:bshort1023
Thanks for the reglite rsdn and dcobian.  Unfortunately I already wiped the PC that was infected so I have no way to test.  I had another PC with similar (not exact) issues and I ran reglite.  Under AppInit_dlls is NVDESK32.dll.  This appears to be from NVIDIA which is the video card he has.  I shouldn't delete that should I?  What exactly gets put into AppInit_dlls?

-B
Expert Comment by:RevelationCS (LVL 8)
What is the status of this question, as it has been ages since the last post? If you have any questions on how to properly close a question, assistance can be found at http://www.experts-exchange.com/help.jsp#hs5
Expert Comment by:Tolomir (LVL 27)
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: dcobian{http:#10980022}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer


Expert Comment by:RevelationCS (LVL 8)
as the user posted that they wiped their PC clean and had no way to test any further recommendations, it is my belief that this post should be Close/Refunded instead of awarding points...
Accepted Solution by:Computer101 (LVL 1), earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin
