Solved

IE redirect to About:Blank

Posted on 2004-07-30
Last Modified: 2012-05-05
Hi expert,
I am facing a real headache with my IE. I set my IE home page to www.yahoo.com, but after I click on the IE browser it redirects me to about:blank and some pop-ups appear, like "your PC got adware" or something like this. Not only that, under IE properties the Home page also changes to about:blank.

I used Spy Sweeper (with the latest adware definitions), HijackThis, Ad-Aware and blah blah to scan the PC but am still not able to solve this. I also went into regedit to search the registry for any value related to about:blank and deleted it, but it still doesn't work.

Any idea, please?
Question by:gx888
8 Comments
 
LVL 32

Expert Comment

by:LucF
ID: 11675971
Hi gx888,

You've probably got some problems with a version of the CWS trojan.
First try the tool from Merijn: CoolWebShredder => http://www.spychecker.com/program/coolwebshredder.html 
If it doesn't work, try about:buster => http://downloads.subratam.org/AboutBuster.zip 
Unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log.
Post that log along with a Hijack this log here. http://aumha.org/downloads/hijackthis.exe 

Greetings,

LucF
0
 
LVL 1

Expert Comment

by:peppm
ID: 11676859
0
 

Author Comment

by:gx888
ID: 11690145
OK...Thanks for the reply....I will be back after I fix it.
0

 

Author Comment

by:gx888
ID: 11691206
Feedback,
I followed the link you provided for the removal instructions but I have some doubts about it.....
I went to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and double-clicked on AppInit_DLLs but I don't see anything? The value data for AppInit_DLLs was nothing....empty? How do I know which one is the hidden file that I need to find and delete?

Is Reglite.exe different from regedit.exe?

Let me try one more time.....will be back later


0
 
LVL 32

Expert Comment

by:LucF
ID: 11691220
gx888,

There are several versions of the About:Blank hijacker, and they can't all be solved the same way. Just to make sure what version we're talking about, I suggest you post a HijackThis logfile for us to look at.

LucF
0
 

Author Comment

by:gx888
ID: 11692221
Oh...I see.....I will paste the HijackThis log file here later, but I already used HijackThis to scan the PC and already deleted some files there.

I found that a lot of my company's PCs are affected by this.....See you tomorrow...I will be back...

Thanks so much for the reply...
0
 

Author Comment

by:gx888
ID: 11699963
OK....this is the Log file

Logfile of HijackThis v1.97.7
Scan saved at 9:11:34 AM, on 8/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Documents and Settings\process\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.116.220.230:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D04BF08-1547-4817-B849-94753158C0BC}: NameServer = 143.116.220.240,143.116.117.252


After HijackThis scanned the PC I got this message:
For some reason your system denied write access to the hosts file
If any hijacked domains are in this file, HijackThis may not be able to fix this

As far as I remember, I already deleted this line yesterday ( R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank) but today when I scanned this PC again I saw this line.
0
 
LVL 32

Accepted Solution

by:
LucF earned 250 total points
ID: 11701146
Tick the checkbox in front of the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll

Afterwards, click "fix checked"
Reboot the computer and delete C:\WINNT\system32\mnm.dll and C:\DOCUME~1\process\LOCALS~1\Temp\sp.html

I'm wondering about those proxy settings, whose are those? Do you recognize them?

LucF

0
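The selection made in the accepted answer can be expressed as a small triage script, added here as an example and not part of the original thread. It flags IE search settings that load a local file from a Temp directory and BHOs with no name, and marks the ProxyServer entry for review; the rule set and the function names are assumptions for illustration, and the log entries are copied from the log posted above.

```python
import re

# Entries copied from the HijackThis log posted in this thread.
LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.116.220.230:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D04BF08-1547-4817-B849-94753158C0BC}: NameServer = 143.116.220.240,143.116.117.252
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")

def triage(log):
    """Return (verdict, target, line) tuples; the rules are illustrative assumptions."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, rest = m.groups()
        if code.startswith("R"):
            name, _, data = rest.partition("=")
            name, data = name.strip(), data.strip()
            # IE search setting that loads a local HTML file out of a Temp directory
            if data.lower().startswith("file://") and "\\temp\\" in data.lower():
                findings.append(("fix", data[len("file://"):], line))
            # A proxy the user may not have set gets a question, not an automatic fix
            elif name.endswith(",ProxyServer") and data:
                findings.append(("review", data, line))
        elif code == "O2" and "(no name)" in rest:
            # Unnamed Browser Helper Object: the target is the DLL it loads
            findings.append(("fix", rest.rsplit(" - ", 1)[1], line))
    return findings

def files_to_delete(log):
    """Files behind the 'fix' entries, to remove after fixing and rebooting."""
    return sorted({target for verdict, target, _ in triage(log) if verdict == "fix"})
```
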

Question has a verified solution.
