Q: About: blank browser hijack ( Answered 5 out of 5 stars,   6 Comments )
Question  
Subject: About: blank browser hijack
Category: Computers > Security
Asked by: jimwest-ga
List Price: $40.00
Posted: 19 Jul 2004 15:28 PDT
Expires: 18 Aug 2004 15:28 PDT
Question ID: 376365
I am having a serious browser hijack problem that I can't get rid of.
My IE start page is set (and continues to be reset) to about: Blank.

This is what I have done so far:
- Ran Spybot and Spysweeper in normal mode and safe mode and removed all incidents
- Installed Browser Hijack Blaster
- Ran Hijack This in normal mode and safe mode and fixed suspicious entries
- Ran RegCleaner in normal mode and safe mode and got rid of suspicious entries.
- Ran CWShredder in normal mode and safe mode.

Nothing got rid of it and now my spyware programs prompt me every 5
sec. about allowing my start page to change.

How do I get rid of this particular problem?
Also, does anyone know how this spyware installs itself or if it is IE specific?

Clarification of Question by jimwest-ga on 19 Jul 2004 15:29 PDT
Sorry, I forgot to mention that I also deleted all the temp and
temporary internet files for all profiles in safe mode.
Answer  
Subject: Re: About: blank browser hijack
Answered By: hummer-ga on 19 Jul 2004 17:42 PDT
Rated:5 out of 5 stars
 
Hi jimwest,

I'm sorry to hear about your troubles, but hopefully, all will soon be
well. You'll find directions for removal at the following websites:

Removing about:blank Homepage Hijacker: 
Windows XP Home edition Service Pack 1 with Internet Explorer 6.0:
"Presented below are several tools and methods used to remove the
about:blank homepage hijacker."
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

Removing the «About:Blank» Virus from W2K:
http://www.akadia.com/services/about_blank_virus.html

>>>>>>

All about about:blank:
"We are pretty sure now CoolWebSearch is part of a new strain of
trojans that have recently been identified that all have one thing in
common: they install through the ByteVerify exploit in the MS Java VM
and change the IE homepage, search page, search bar, etc. Take a look
at this snippet from the description of the Java.Shinwow trojan:

This is a growing family of trojans that exploits the ByteCodeVerifier
vulnerability in the Microsoft Virtual Machine to execute unauthorized
code on an affected machine.
The variants of this trojan that we have seen in the wild have been
functionally diverse; the common factor amongst them has been the use
of the ByteVerify exploit to achieve their goals. Some variants may do
little more than change the user's default Internet Explorer home page
and/or search page via modifications to the registry.

We strongly recommend you install the patch, available from this MS
security bulletin. If you have Windows XP with Service Pack 1a, your
system has no MS Java VM. Information on removing the MS Java VM
completely and replacing it with the newer, safer Sun Java VM can be
found here."
http://homepage.ntlworld.com/dvk01uk/chronicles.htm#cwshredder

>>>>>>

Is about:blank IE specific?

Wilders Security Forums > Official DiamondCS Public Forums > Trojan
Defense Suite > About:Blank:
"As we all add detection we are not stopping the CAUSE of the problem,
having IE run in full standard install-whatever-you-want-website mode.
Stopping this should be what we tell users, if they have to format to
remove whatever "adware" they have on their machine they should write
to their leaders and demand action ;)
The latest versions don't appear to be IE specific that is the worry
now earlier versions attacked via the byte verifier bug in IE using
M$ Java VM only.
The latest versions attack & get in the system regardless of browser,
regardless of Java VM versions,
We see it in Netscape browsers, Opera, Mozilla in fact any browser is
affected, Even removing M$ java VM completely still lets it on so the
only common key is Windows and it attacks all versions, I know IE is
inbuilt to all op systems so it is still probably using something
within the IE structure, but it's getting much harder to fix
we haven't heard of it attacking Mac or Linux yet, but we probably
wouldn't in these forums"
http://www.wilderssecurity.com/archive/index.php/t-30811

Good luck - I hope to hear good news from you soon! If you have any
questions, please post a clarification request before closing/rating
my answer and I'll be happy to reply.

Thank you,
hummer

Google Search Terms Used: about:blank

Request for Answer Clarification by jimwest-ga on 22 Jul 2004 13:18 PDT
Thanks for the answer. I tried to follow the instructions but am
confused now about going into the ...Windows NT\Current Version...
registry key. I am running Win XP. Should I still do that? I have
never really worked in the registry and want to make sure I am not
messing things up. Also, will there only be one particular file in
that location that I would have to rename?

Clarification of Answer by hummer-ga on 22 Jul 2004 14:27 PDT
Hi Jim, it's good to hear from you - I was wondering how you were making out.

Ok, are you following the XP directions?

Removing about:blank Homepage Hijacker: 
Windows XP Home edition Service Pack 1 with Internet Explorer 6.0:
"Presented below are several tools and methods used to remove the
about:blank homepage hijacker."
http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

First, do you have System Restore enabled? Make sure you have a recent
"snapshot" of your system.
http://www.theeldergeek.com/system_restore.htm

Backing Up and Restoring the Windows XP Registry:
"The last method of backing up the registry is using System Restore,
another utility that is included with Windows XP. System Restore is
best likened to a camera taking a complete snapshot of your computer
system at one point in time and storing that image in what is called a
restore point. This restore point can then be recalled at some point
in the future, effectively overwriting any changes that have been made
to the computer since the restore point was created."
http://www.theeldergeek.com/windows_xp_registry.htm

Ok, it's time to get to work! Just follow the directions, step-by-step:

1) Will find the name of the hidden file on your computer.
2) Will rename the file you just found.
3) Will delete the file you just renamed using Reglite.
4) Will delete the second file using HijackThis (and the other one too
if it's still there).

You'll be ok, just take your time. If you make a mistake, you'll have
your back-up all ready to go. We all have gone through the same
jitters the first few times of just going into the registry and
looking at it, let alone actually making changes in there. But you'll
feel like a million bucks when it's all over and all fixed!

Good luck - I'll be thinking about you all night so please let me know
how it goes as soon as possible.
hummer
jimwest-ga rated this answer:5 out of 5 stars
Thanks for the great answer. I think this should do it!!!

Comments  
Subject: Re: About: blank browser hijack
From: hummer-ga on 27 Jul 2004 13:27 PDT
 
Congratulations, Jim - I knew you could do it! Thank you for your
thank you and nice rating, but especially for letting me know that all
is well. Sincerely, hummer
Subject: Re: About: blank browser hijack
From: szetop-ga on 06 Aug 2004 12:09 PDT
 
Hi Hummer and others,

I've been fighting this about:blank problem for a while.  I followed
the instructions for the Windows XP SP1.  I was able to remove the
first hidden file after making it visible on the Windows Recovery
Console.  However, I had problems with the second .dll file.  For one
thing, in XP's log file, it doesn't even show a *.dll file.  Here is
the output when I ran HiJackThis.exe:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - D:\Program Files\JUSearch\SearchEnh1.dll
F2 - REG:system.ini: UserInit=d:\program files\comcast\security manager\app\SecurityManager.exe


The sp.html contains the about:blank page but there is no *.dll file
in the path.  So I don't know what to remove: 
D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html

I could remove the sp.html file but it re-appeared right away after I
re-started the IE.

If you have advice for me, I will really really appreciate it.

Thanks in advance,

Paul S
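
An added example, not part of the comment above and not code from HijackThis: a short Python parser that rejoins a hard-wrapped HijackThis log and lists the R0/R1 Internet Explorer settings whose data is a file in a Temp folder. The sample log is constructed from three of the entries above, and the function names are hypothetical.

```python
import re

# Constructed sample: three entries from the log above, hard-wrapped so that
# continuation lines carry no "R1 - " style prefix.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
file://D:\DOCUME~1\ps\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://my.juno.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class -
{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - D:\Program
Files\JUSearch\SearchEnh1.dll
"""

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")  # section tag such as "R1 - "
IE_SETTING = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
LOCAL_TEMP = re.compile(r"^file://.*\\te?mp\\", re.IGNORECASE)


def join_wrapped(text):
    """Rebuild one entry per line from a log that was hard-wrapped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)          # a new entry begins here
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries


def flag_local_redirects(text):
    """Return (section, key, value name, data) for each R0/R1 entry whose
    data is a file:// URL inside a Temp or Tmp folder."""
    hits = []
    for entry in join_wrapped(text):
        m = IE_SETTING.match(entry)
        if m and LOCAL_TEMP.match(m.group(4)):
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    for section, key, name, data in flag_local_redirects(SAMPLE_LOG):
        print(f"{section}: {key} -> {name} = {data}")
```

A hit names the setting that was redirected, not the component that rewrites it, which matches the report above that sp.html came back after being deleted.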
Subject: Re: About: blank browser hijack
From: jimwest-ga on 11 Aug 2004 10:30 PDT
 
Szetop,

I am not sure about your particular problem, but I came across the same
issue on another machine and couldn't get rid of it with the process
described here.
Check out my other post, maybe this program will be of help:
http://answers.google.com/answers/threadview?id=383004
Subject: Re: About: blank browser hijack
From: hummer-ga on 11 Aug 2004 12:56 PDT
 
Hi you guys,

Just something to be aware of:

TSG Forums > Internet & Networking  > Security
please read STAY CLEAR OF "Adware Away"
http://forums.techguy.org/t244075.html

Some tips:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm

Inside Spyware:
http://www.intranetjournal.com/spyware/

Spyware Removal Software:
http://www.intranetjournal.com/spyware/removal.html#scansoft

Spyware Prevention Software:
http://www.intranetjournal.com/spyware/preventsoft.html

hummer
Subject: Re: About: blank browser hijack
From: monsterr-ga on 09 Sep 2004 02:57 PDT
 
http://www.safer-networking.org/en/download/index.html

Download "Spybot" from here for free.  This is all you need. Install
it and follow the directions.  You didn't need to spend all that money
to find this out.  Good Luck.
Subject: Re: About: blank browser hijack
From: pinkfreud-ga on 22 Sep 2004 11:55 PDT
 
monsterr-ga,

In his question, the customer mentioned having already run Spybot and
several other spyware removers, to no avail.
