Solved

IE redirect to About:Blank

Posted on 2004-07-30
8
1,632 Views
Last Modified: 2012-05-05
Hi expert,
I face a a very headache stuff with my I.E.......I set my IE home to www.yahoo.com but after I click on the IE browser it redirect me to about:blank and some pop up like your PC got adware or something like this.......not only that under IE properties the Home also change to about:blank

I use spy sweeper(with the latest adware defination), hijackthis, ad-aware and bra bra to scan the PC but still not able to solve this. I also go to regedit to seach registry for any value related to about:blank and delete it but still can't work.

Any Idea please?????
0
Comment
Question by:gx888
  • 4
  • 3
8 Comments
 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
Hi gx888,

You've probably got some problems with a version of the CWS trojan.
First try the tool from Merijn: CoolWebShredder => http://www.spychecker.com/program/coolwebshredder.html
If it doesn't work, try about:buster => http://downloads.subratam.org/AboutBuster.zip
Unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log.
Post that log along with a Hijack this log here. http://aumha.org/downloads/hijackthis.exe

Greetings,

LucF
0
 
LVL 1

Expert Comment

by:peppm
Comment Utility
0
 

Author Comment

by:gx888
Comment Utility
OK...Thnaks for the reply....I will back after I fix it.
0
 

Author Comment

by:gx888
Comment Utility
Feedback,
I follow the link you provide for the removal instruction but I got some doubt about it.....
I goto HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and I double click on Applnit_DLLs but I don't see anything????Value data for Applnit_DLLs was nothing....empty???How I know which one is the hidden file that I need to find out and delete it???

Reglite.exe is different with regedit.exe????

Let me one more try.....will be back later


0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 32

Expert Comment

by:Luc Franken
Comment Utility
gx888,

There are several versions of the About:Blank hijacker, and they can't be solved the same way for all. Just to make sure what version we're talking about, I suggest you to post a hijackthis logfile for us to look at.

LucF
0
 

Author Comment

by:gx888
Comment Utility
Oh...I see.....I will paste the hijackthis log file here later but I already use the hijackthis to scan the PC and already delete some file over there.

I found that alot of my company PC effect by this.....See you tomorrow...I will be back...

Thanks so much for the reply...
0
 

Author Comment

by:gx888
Comment Utility
OK....this is the Log file

Logfile of HijackThis v1.97.7
Scan saved at 9:11:34 AM, on 8/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Documents and Settings\process\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.116.220.230:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D04BF08-1547-4817-B849-94753158C0BC}: NameServer = 143.116.220.240,143.116.117.252


After hijackthis scan the PC I got this message:
For some reason you system denied to write access to the host file
If any hijacked domain are in this file , Hijackthis may not able to fix this

As I still remember I already delete this line yesterday ( R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank)  but today when I scan this PC again I saw this line.
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 250 total points
Comment Utility
Tick the checkbox in front of the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll

Afterwards, click "fix checked"
Reboot the computer and delete :\WINNT\system32\mnm.dll and C:\DOCUME~1\process\LOCALS~1\Temp\sp.html

I'm wondering about those Proxy settings, who's are those? Do you recognize them?

LucF

0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Marketing can be an uncomfortable undertaking, especially if your material is technology based. Luckily, we’ve compiled some simple and (relatively) painless tips to put an end to your trepidation and start your path to success.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now