Solved

IE redirect to About:Blank

Posted on 2004-07-30
8
1,643 Views
Last Modified: 2012-05-05
Hi expert,
I face a a very headache stuff with my I.E.......I set my IE home to www.yahoo.com but after I click on the IE browser it redirect me to about:blank and some pop up like your PC got adware or something like this.......not only that under IE properties the Home also change to about:blank

I use spy sweeper(with the latest adware defination), hijackthis, ad-aware and bra bra to scan the PC but still not able to solve this. I also go to regedit to seach registry for any value related to about:blank and delete it but still can't work.

Any Idea please?????
0
Comment
Question by:gx888
  • 4
  • 3
8 Comments
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11675971
Hi gx888,

You've probably got some problems with a version of the CWS trojan.
First try the tool from Merijn: CoolWebShredder => http://www.spychecker.com/program/coolwebshredder.html 
If it doesn't work, try about:buster => http://downloads.subratam.org/AboutBuster.zip 
Unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log.
Post that log along with a Hijack this log here. http://aumha.org/downloads/hijackthis.exe 

Greetings,

LucF
0
 
LVL 1

Expert Comment

by:peppm
ID: 11676859
0
 

Author Comment

by:gx888
ID: 11690145
OK...Thnaks for the reply....I will back after I fix it.
0
 

Author Comment

by:gx888
ID: 11691206
Feedback,
I follow the link you provide for the removal instruction but I got some doubt about it.....
I goto HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and I double click on Applnit_DLLs but I don't see anything????Value data for Applnit_DLLs was nothing....empty???How I know which one is the hidden file that I need to find out and delete it???

Reglite.exe is different with regedit.exe????

Let me one more try.....will be back later


0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 32

Expert Comment

by:Luc Franken
ID: 11691220
gx888,

There are several versions of the About:Blank hijacker, and they can't be solved the same way for all. Just to make sure what version we're talking about, I suggest you to post a hijackthis logfile for us to look at.

LucF
0
 

Author Comment

by:gx888
ID: 11692221
Oh...I see.....I will paste the hijackthis log file here later but I already use the hijackthis to scan the PC and already delete some file over there.

I found that alot of my company PC effect by this.....See you tomorrow...I will be back...

Thanks so much for the reply...
0
 

Author Comment

by:gx888
ID: 11699963
OK....this is the Log file

Logfile of HijackThis v1.97.7
Scan saved at 9:11:34 AM, on 8/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Documents and Settings\process\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.116.220.230:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D04BF08-1547-4817-B849-94753158C0BC}: NameServer = 143.116.220.240,143.116.117.252


After hijackthis scan the PC I got this message:
For some reason you system denied to write access to the host file
If any hijacked domain are in this file , Hijackthis may not able to fix this

As I still remember I already delete this line yesterday ( R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank)  but today when I scan this PC again I saw this line.
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 250 total points
ID: 11701146
Tick the checkbox in front of the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll

Afterwards, click "fix checked"
Reboot the computer and delete :\WINNT\system32\mnm.dll and C:\DOCUME~1\process\LOCALS~1\Temp\sp.html

I'm wondering about those Proxy settings, who's are those? Do you recognize them?

LucF

0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Migrate DHCP from server 2000 to 2008 1 623
Outlook 2013 Certicate error 1 286
Windows 7 7 258
Restoring a deleted user from Windows 2000?! 2 144
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now