Windows XP: How to eliminate the "about:blank" homepage
Try toolbarcop (I think that's the name) to remove unwanted browser extensions. Disable third party browser extensions while you work as well. See if this helps?

-----Original Message-----

Hi,

Like other people posted, I also faced the same problem that every time I started my IE browser, it was redirected to the "about:blank" homepage.

I have tried VirusScan On-Demand Scan, which did not detect anything wrong, with the "about:blank" homepage still there.

I also have tried StartPage Guard... it worked well before until the "about:blank" homepage started to appear in my computer.

I also have tried Ad-Aware 6.0. It detects the following three:

1) Vendor: CoolWebSearch
Type: RegValue
Category: Malware
Object: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Internet Explorer Main\
Comment: "HOMEOldSP"

2) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOT:PROTOCOLS\Filter\text/html\

3) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOT:PROTOCOLS\Filter\text/plain\

So I removed the above three items. But when I started my IE browser again, the "about:blank" homepage appeared again. The same three items were detected by Ad-Aware 6.0 again.

Spybot-S&D (advanced mode) did not detect anything wrong, with the "about:blank" homepage still there.

CWShredder v 1.56.0 reported the following after scan:

Windows XP (5.01.2600 )
Windows dir: E:\WINDOWS
Windows system dir: E:\WINDOWS\system32
AppData folder: E:\Documents and Settings\John\Application Data
Username: John

Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)

Found Hosts file: E:\WINDOWS\system32\drivers\etc\hosts (734 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] E:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com[*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com[*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com[*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com[*] dword:4
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: E:\WINDOWS\win.ini (615 bytes, A)
Found System.ini file: E:\WINDOWS\system.ini (227 bytes, A)

When I ran the software CWShredder v 1.56.0 to remove them, the following 6 infected IE registry values were removed:

Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

But when I started IE browser again, the "about:blank" homepage still appeared and same items were re-detected by CWShredder v 1.56.0.

HijackThis v1.97.7 reported the following after scan:

Logfile of HijackThis v1.97.7
Scan saved at 12:28:41 PM, on 4/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\mcshield.exe
E:\Program Files\Network Associates\VirusScan\vstskmgr.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\System32\P2P Networking\P2P Networking.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {833B2A57-605F-4F8E-8BDF-88657B3EB17E} - E:\WINDOWS\System32\ehmh.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] e:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [P2P Networking] E:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O13 - DefaultPrefix:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/.../qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...6/unicode/iuctl.CAB?38083.4370601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...e/cabs/flash/swflash.cab

I did not try to fix anything there because the scan may contain false-positives.

That's what I have tried so far, to no avail. Any suggestions? Thank you again for taking time to go over everything.

Thank you,
-John