Hi,
I came across your discussion on "about:blank" homepage problem on
Deja's Usenet Archive. I was hoping maybe you can help me to
eliminate it. I would personally appreciate it, and thank you for taking
the time to go over this email.
Like other people, I also faced the same problem: every time I
started my IE browser, it was redirected to the "about:blank"
homepage.
I have tried VirusScan On-Demand Scan, which did not detect anything
wrong, with the "about:blank" homepage still there.
I also have tried StartPage Guard... it worked well before until the
"about:blank" homepage started to appear in my computer.
I also have tried Ad-Aware 6.0. It detects the following three:
1) Vendor: CoolWEbSearch
Type: RegValue
Category: Malware
Object: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Internet Explorer Main\
Comment: "HOMEOldSP"
2) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html\
3) Vendor: CoolWebSearch
Type: RegKey
Category: Malware
Object: HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain\
So I removed the above three items. But when I started my IE browser
again, the "about:blank" homepage appeared again. The same three
items were detected by Ad-Aware 6.0 again.
Spybot-S&D (advanced mode) did not detect anything wrong, with the
"about:blank" homepage still there.
CWShredder v 1.56.0 reported the following after the scan:
Windows XP (5.01.2600 )
Windows dir: E:\WINDOWS
Windows system dir: E:\WINDOWS\system32
AppData folder: E:\Documents and Settings\John\Application Data
Username: John
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant,
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Found Hosts file: E:\WINDOWS\system32\drivers\etc\hosts (734 bytes, R)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit]
E:\WINDOWS\system32\userinit.exe,
CWS.Oslogo (if value is 2) Registry value: Domains:
*.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains:
*.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains:
*.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains:
*.teensguru.com [*] dword:4
Registry value: WWW Prefix (should be
http://) [www] http://
Registry value: Mosaic Prefix (should be
http://) [mosaic] http://
Registry value: Home Prefix (should be
http://) [home] http://
Found Win.ini file: E:\WINDOWS\win.ini (615 bytes, A)
Found System.ini file: E:\WINDOWS\system.ini (227 bytes, A)
When I ran the software CWShredder v 1.56.0 to remove them, the
following 6 infected IE registry values were removed:
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant,
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
But when I started the IE browser again, the "about:blank" homepage still
appeared and the same items were re-detected by CWShredder v 1.56.0.
HijackThis v1.97.7 reported the following after the scan:
Logfile of HijackThis v1.97.7
Scan saved at 12:28:41 PM, on 4/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\mcshield.exe
E:\Program Files\Network Associates\VirusScan\vstskmgr.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\System32\P2P Networking\P2P Networking.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\My Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {833B2A57-605F-4F8E-8BDF-88657B3EB17E} -
E:\WINDOWS\System32\ehmh.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "E:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\Network
Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zSPGuard] e:\program files\pjw\spguard\spguard.exe
/s /r
O4 - HKLM\..\Run: [P2P Networking] E:\WINDOWS\System32\P2P
Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program
Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft
Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O8 - Extra context menu item: &Google Search - res://e:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O13 - DefaultPrefix:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)
-
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38083.4370601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
I did not try to fix anything there because the scan may contain
false-positives.
That's what I have tried so far, to no avail. Any suggestions?
Thank you again for taking the time to go over everything.
Thank you,
-John
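
An added example, not part of the original post or of any tool named in it: a short Python script that rejoins the mail-wrapped HijackThis entries and lists any DLL that is both registered as a Browser Helper Object (O2) and the res:// target of an IE search setting (R0-R3), which in this log is ehmh.dll. The sample lines are copied from the log above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the log in the post, mail wrapping kept.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://E:\WINDOWS\System32\ehmh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
O2 - BHO: (no name) - {833B2A57-605F-4F8E-8BDF-88657B3EB17E} -
E:\WINDOWS\System32\ehmh.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
e:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://e:\program
files\google\GoogleToolbar1.dll/cmsearch.html
"""

ENTRY_START = re.compile(r"^(R[0-3]|O\d{1,2}) - ")
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.I)
R_ENTRY = re.compile(r"^R[0-3] - (.+?) =\s*(.*)$")
BHO = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def unwrap(log):
    """Rejoin entries that mail wrapping split across lines."""
    entries = []
    for line in log.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()  # the wrap fell on a space
    return entries

def correlate(entries):
    """Return {dll: (clsid, [settings])} for DLLs that are both a BHO
    and the res:// target of an R0-R3 start/search setting."""
    bhos, targets = {}, defaultdict(list)
    for e in entries:
        if m := BHO.match(e):
            bhos[m.group(2).lower()] = m.group(1)
        elif (m := R_ENTRY.match(e)) and (d := RES_DLL.search(m.group(2))):
            targets[d.group(1).lower()].append(m.group(1))
    return {dll: (bhos[dll], keys) for dll, keys in targets.items() if dll in bhos}

if __name__ == "__main__":
    for dll, (clsid, keys) in correlate(unwrap(SAMPLE_LOG)).items():
        print(f"{dll} is BHO {clsid} and the target of:")
        for key in keys:
            print("   ", key)
```

The Google Toolbar DLL is not reported: it is a BHO, but only an O8 context-menu entry points at it, not an R0-R3 setting.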