IE redirect to About:Blank

Hi expert,
I am facing a real headache with my IE. I set my IE home page to www.yahoo.com, but after I click on the IE browser it redirects me to about:blank, with some pop-ups like "your PC got adware" or something like this. Not only that, under IE properties the Home page also changes to about:blank.

I used Spy Sweeper (with the latest adware definitions), HijackThis, Ad-Aware and blah blah to scan the PC but am still not able to solve this. I also went into regedit to search the registry for any value related to about:blank and deleted it, but it still doesn't work.

Any idea, please?
gx888 Asked:

LucF (EMEA Server Engineer) Commented:
Hi gx888,

You've probably got some problems with a version of the CWS trojan.
First try the tool from Merijn: CoolWebShredder => http://www.spychecker.com/program/coolwebshredder.html 
If it doesn't work, try about:buster => http://downloads.subratam.org/AboutBuster.zip 
Unzip it to your desktop. Start it, hit OK, Start, and OK again to start the scan. It will generate a log.
Post that log along with a Hijack this log here. http://aumha.org/downloads/hijackthis.exe 

Greetings,

LucF
0
peppm Commented:
0
gx888 (Author) Commented:
OK... Thanks for the reply... I will be back after I fix it.
0
gx888 (Author) Commented:
Feedback,
I followed the link you provided for the removal instructions, but I have some doubts about it.
I went to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and double-clicked on AppInit_DLLs but I don't see anything. The value data for AppInit_DLLs was empty. How do I know which one is the hidden file that I need to find and delete?

Is Reglite.exe different from regedit.exe?

Let me try one more time... will be back later.


0
LucF (EMEA Server Engineer) Commented:
gx888,

There are several versions of the About:Blank hijacker, and they can't be solved the same way for all. Just to make sure what version we're talking about, I suggest you post a HijackThis logfile for us to look at.

LucF
0
gx888 (Author) Commented:
Oh... I see... I will paste the HijackThis log file here later, but I already used HijackThis to scan the PC and already deleted some files over there.

I found that a lot of my company PCs are affected by this... See you tomorrow... I will be back...

Thanks so much for the reply...
0
gx888 (Author) Commented:
OK... this is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 9:11:34 AM, on 8/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Documents and Settings\process\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.116.220.230:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D04BF08-1547-4817-B849-94753158C0BC}: NameServer = 143.116.220.240,143.116.117.252


After HijackThis scanned the PC I got this message:
For some reason your system denied write access to the host file
If any hijacked domains are in this file, HijackThis may not be able to fix this

As I remember, I already deleted this line yesterday (R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank), but today when I scanned this PC again I saw this line.
0
LucF (EMEA Server Engineer) Commented:
Tick the checkbox in front of the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll

Afterwards, click "fix checked"
Reboot the computer and delete C:\WINNT\system32\mnm.dll and C:\DOCUME~1\process\LOCALS~1\Temp\sp.html

I'm wondering about those Proxy settings, whose are those? Do you recognize them?

LucF

0
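
Added example, not part of the original thread and not HijackThis's own logic: a Python sketch that applies the by-eye triage from the answer above to a HijackThis log. It flags IE page values pointing at a file under a Temp directory, BHO entries with no name, and any configured proxy so its owner can be confirmed. The function name `triage` and the three heuristics are assumptions; the sample lines are copied from the log posted in this thread.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.116.220.230:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# "<section code> - <rest of entry>", e.g. "R1 - ..." or "O16 - ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry entries: "<key>,<value name> = <data>" (data may be empty)
REG = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) =\s*(?P<data>.*)$")
# BHO entries: "BHO: <label> - {CLSID} - <dll path>"
BHO = re.compile(r"^BHO: (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        code, body = m["code"], m["body"]
        if code in ("R0", "R1"):
            r = REG.match(body)
            if not r:
                continue
            name, data = r["name"].strip(), r["data"].strip()
            # Assumed heuristic: a browser page served from a local Temp file
            if data.lower().startswith("file://") and "\\temp\\" in data.lower():
                findings.append((code, "IE page set to local temp file", f"{name} -> {data}"))
            # Assumed heuristic: any proxy is surfaced so its owner can be confirmed
            elif name == "ProxyServer" and data:
                findings.append((code, "proxy configured, confirm owner", data))
        elif code == "O2":
            b = BHO.match(body)
            # Assumed heuristic: a browser helper object that registers no name
            if b and b["label"] == "(no name)":
                findings.append((code, "unnamed BHO", f"{b['clsid']} {b['path']}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```
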
