Solved

IE redirect to About:Blank

Posted on 2004-07-30
8
1,663 Views
Last Modified: 2012-05-05
Hi expert,
I face a a very headache stuff with my I.E.......I set my IE home to www.yahoo.com but after I click on the IE browser it redirect me to about:blank and some pop up like your PC got adware or something like this.......not only that under IE properties the Home also change to about:blank

I use spy sweeper(with the latest adware defination), hijackthis, ad-aware and bra bra to scan the PC but still not able to solve this. I also go to regedit to seach registry for any value related to about:blank and delete it but still can't work.

Any Idea please?????
0
Comment
Question by:gx888
  • 4
  • 3
8 Comments
 
LVL 32

Expert Comment

by:LucF
ID: 11675971
Hi gx888,

You've probably got some problems with a version of the CWS trojan.
First try the tool from Merijn: CoolWebShredder => http://www.spychecker.com/program/coolwebshredder.html 
If it doesn't work, try about:buster => http://downloads.subratam.org/AboutBuster.zip 
Unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log.
Post that log along with a Hijack this log here. http://aumha.org/downloads/hijackthis.exe 

Greetings,

LucF
0
 
LVL 1

Expert Comment

by:peppm
ID: 11676859
0
 

Author Comment

by:gx888
ID: 11690145
OK...Thnaks for the reply....I will back after I fix it.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 

Author Comment

by:gx888
ID: 11691206
Feedback,
I follow the link you provide for the removal instruction but I got some doubt about it.....
I goto HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and I double click on Applnit_DLLs but I don't see anything????Value data for Applnit_DLLs was nothing....empty???How I know which one is the hidden file that I need to find out and delete it???

Reglite.exe is different with regedit.exe????

Let me one more try.....will be back later


0
 
LVL 32

Expert Comment

by:LucF
ID: 11691220
gx888,

There are several versions of the About:Blank hijacker, and they can't be solved the same way for all. Just to make sure what version we're talking about, I suggest you to post a hijackthis logfile for us to look at.

LucF
0
 

Author Comment

by:gx888
ID: 11692221
Oh...I see.....I will paste the hijackthis log file here later but I already use the hijackthis to scan the PC and already delete some file over there.

I found that alot of my company PC effect by this.....See you tomorrow...I will be back...

Thanks so much for the reply...
0
 

Author Comment

by:gx888
ID: 11699963
OK....this is the Log file

Logfile of HijackThis v1.97.7
Scan saved at 9:11:34 AM, on 8/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Documents and Settings\process\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.116.220.230:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D04BF08-1547-4817-B849-94753158C0BC}: NameServer = 143.116.220.240,143.116.117.252


After hijackthis scan the PC I got this message:
For some reason you system denied to write access to the host file
If any hijacked domain are in this file , Hijackthis may not able to fix this

As I still remember I already delete this line yesterday ( R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank)  but today when I scan this PC again I saw this line.
0
 
LVL 32

Accepted Solution

by:
LucF earned 250 total points
ID: 11701146
Tick the checkbox in front of the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\process\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {35A0EC10-659D-47CF-BDA3-65D42989B130} - C:\WINNT\system32\mnm.dll

Afterwards, click "fix checked"
Reboot the computer and delete :\WINNT\system32\mnm.dll and C:\DOCUME~1\process\LOCALS~1\Temp\sp.html

I'm wondering about those Proxy settings, who's are those? Do you recognize them?

LucF

0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
While it may be true that the internet is a place of possibilities, it is also a hostile environment lurking with many dangers. By clicking on the wrong link, trusting the wrong person or using a weak password, you are virtually inviting hackers to …

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question