A Windows XP help forum. PCbanter


Window XP: How to eliminate the "about:blank" homepage



 
 
  #1  
Old April 7th 04, 10:19 PM
external usenet poster
 

Try Toolbarcop (I think that's the name) to remove unwanted browser extensions. Disable third-party browser extensions while you work as well. See if this helps?

-----Original Message-----
Hi,

Like other people posted, I also faced the same problem that every time I started my IE browser, it was redirected to the "about:blank" homepage.

I have tried VirusScan On-Demand Scan, which did not detect anything wrong, with the "about:blank" homepage still there.

I also have tried StartPage Guard... it worked well before until the "about:blank" homepage started to appear in my computer.

I also have tried Ad-Aware 6.0. It detects the following three:
1) Vendor: CoolWebSearch
Type: RegValue
Category: Malware
Object: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Internet Explorer Main\
Comment: "HOMEOldSP"
2) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOT:PROTOCOLS\Filter\text/html\
3) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOT:PROTOCOLS\Filter\text/plain\

So I removed the above three items. But when I started my IE browser again, the "about:blank" homepage appeared again. The same three items were detected by Ad-Aware 6.0 again.

Spybot-S&D (advanced mode) did not detect anything wrong, with the "about:blank" homepage still there.

CWShredder v 1.56.0 reported the following after scan:
Windows XP (5.01.2600 )
Windows dir: E:\WINDOWS
Windows system dir: E:\WINDOWS\system32
AppData folder: E:\Documents and Settings\John\Application Data
Username: John

Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Found Hosts file: E:\WINDOWS\system32\drivers\etc\hosts (734 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] E:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com[*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com[*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com[*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com[*] dword:4
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: E:\WINDOWS\win.ini (615 bytes, A)
Found System.ini file: E:\WINDOWS\system.ini (227 bytes, A)

When I ran the software CWShredder v 1.56.0 to remove them, the following 6 infected IE registry values were removed:
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value: HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

But when I started the IE browser again, the "about:blank" homepage still appeared and the same items were re-detected by CWShredder v 1.56.0.

HijackThis v1.97.7 reported the following after scan:
Logfile of HijackThis v1.97.7
Scan saved at 12:28:41 PM, on 4/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\mcshield.exe
E:\Program Files\Network Associates\VirusScan\vstskmgr.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\System32\P2P Networking\P2P Networking.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {833B2A57-605F-4F8E-8BDF-88657B3EB17E} - E:\WINDOWS\System32\ehmh.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] e:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [P2P Networking] E:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O13 - DefaultPrefix:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/.../qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...6/unicode/iuctl.CAB?38083.4370601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...e/cabs/flash/swflash.cab

I did not try to fix anything there because the scan may contain false-positives.

That's what I have tried so far, to no avail. Any suggestions?

Thank you again for taking the time to go over everything.

Thank you,
-John
.
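
Added example, not part of the original thread or of any tool named in it: a Python sketch that reads HijackThis-style lines and reports any DLL that is both the res:// target of an IE search/start value (R0-R3 lines) and registered as a Browser Helper Object (O2 lines), which in the log above is the case for ehmh.dll. The sample lines are copied from the post with the mail-client line wraps joined; the function and variable names are assumptions made for the illustration.

```python
import re

# Lines copied from the HijackThis log in the post above,
# with the mail-client line wraps joined back together.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {833B2A57-605F-4F8E-8BDF-88657B3EB17E} - E:\WINDOWS\System32\ehmh.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
"""

# R0-R3 entries: IE start/search values whose data is a res:// URL into a DLL.
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = res://(?P<dll>.+?\.dll)/", re.I)
# O2 entries: Browser Helper Objects, "<name> - {CLSID} - <path to DLL>".
BHO_LINE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<dll>.+)$")


def correlate(log_text):
    """Return {dll: {"values": [...], "clsids": [...]}} for every DLL that is
    both a res:// target of an R-line value and the file behind an O2 BHO."""
    res_targets, bhos = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            res_targets.setdefault(m["dll"].lower(), []).append(m["key"])
            continue
        m = BHO_LINE.match(line)
        if m:
            bhos.setdefault(m["dll"].strip().lower(), []).append(m["clsid"])
    # Paths are compared case-insensitively, as Windows does.
    return {dll: {"values": res_targets[dll], "clsids": bhos[dll]}
            for dll in res_targets if dll in bhos}


if __name__ == "__main__":
    for dll, hit in correlate(SAMPLE_LOG).items():
        print(dll, hit["clsids"], len(hit["values"]), "redirected value(s)")
```

A DLL that shows up on both sides is a reasonable first item to review when removed registry values keep coming back, since a BHO is loaded into every IE process; that reading is an inference from the log, not something the thread confirms.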

All times are GMT +1. The time now is 12:49 PM.

