about:blank browser 1

[tombrown13]

On a number of sites, I get a second browser window opened with "about:blank - Microsoft Inter...." as the title. I can close it, and it doesn't see to be causing any problems. It is more of an annoyance. Any ideas as to why it's coming up?

 

[itsgenekramer]

Not sure, but maybe those sites are working on creating pop-up's when you visit the site, but haven't completed the code yet?

 

[sunwindandsea]

It's very unlikey that visitng sites working on pop-up's is causing a second OE Window to be opened. What is more likely? You have Norton Internet Security or some security software that prevents pop-ups from appearing that is not set correctly or is not working properly.

Another possibility is that some spyware has been installed without you knowledge or permission and is causing the problem. Let me know of you are running a client security application with ad blocking and/or spyware prevention software and I'll try to help you,

Ed

 

[bcastner]

There is a new hijack that does take over about:blank. There was a new version of CWShredder released last week that hopefully can deal with this. Please download but don't run yet the latest version of CWShredder and Hijack This from here:

http://www.spywareinfo.com/~merijn/downloads.html

Next, please move Hijack This into a folder of its own as otherwise it will clutter up your desktop with its backups.

Reboot to Safe Mode. Once there, run CWShredder (click the "Fix" button when you run it).

While still in Safe Mode, with all other windows closed, scan with Hijack This, put checks next to all the entries I list below that remain (note that it's possible the DLL name may change, if it does, check the new entries) and then click "Fix Checked". Reboot, scan again with Hijack This and post a new log here.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\khe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\khe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\khe.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\khe.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\khe.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\khe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {3F8567B5-13C2-49DB-ABB2-B70A2DD94426} - C:\WINDOWS\System32\khe.dll
--
Source: Zupe, broadbandreports.com - Security forum

 

[tombrown13]

I am 0 for 3 on this one. I ran both utilities and didn't come up with anything. I will attach the hijack log at the end of this reply. I do have the users machine and have found out the following:
1-this only happens when you log onto sites that have membership (ebay, wall street journal, ameritrade, etc)
2-the CPU usage pegs as long as the blank browser is open
3-in order to close the blank browser you need to end task
4-once closed, the blank browser does not come back until you reboot.

Let me know if you have any other ideas. Thanks so far for the help. Here is the hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 3:05:54 PM, on 4/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
D:\downloads\HijackThis.exe

O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - C:\Program Files\Open Site\opnste.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) -

http://www.armbender.com/UCSearch.CAB

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -

http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} -

http://69.56.176.227/webplugin.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38069.2702199074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

[bcastner]

Your cookie settings are too high, you have to let those site pass a cookie.

 

[tombrown13]

Thanks for the idea but that's not it. his browser is set for medium and to accept 1st and 3rd party cookies. Also, that doesn't explain why you can end task on that window and never have it come up again the rest of the session.

Did anything in the hijack log help?

 

[bcastner]

O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) -

http://www.armbender.com/UCSearch.CAB

See:

http://www.pestpatrol.com/PestInfo/u/ucsearch.asp

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

For this toolbar, if needed, you might apply:

http://support.microsoft.com/default.aspx?scid=kb;en-us;832353

 

[carrr]

You're a little OT for this forum, forum760 would be more appropriate for a log posting, but this entry:
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

is indicative of the IMISERV_A trojan:

http://www.trendmicro.com/vinfo/vir...irusencyclo/default5.asp?VName=TROJ_IMISERV.A

"'Tis an ill wind that blows no minds." - Malaclypse the Younger

 

[tombrown13]

Pest Patrol was the answer. Thanks for all of the help.

For my information, what does carrr mean by "OT for this forum"?

 

[carrr]

OT = Off topic.
Efforts are being made to corral hijack logs into forum760 and out of other forums, but no big deal.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger

 

[estradahe]

I myself am having this same issue -- I constantly keep getting the about:blank as homepage........How do I fix this issue ?

Thanks

 

[bcastner]

This is quite a tricky beast at the moment. See this discussion of removal:

http://www.broadbandreports.com/forum/remark,10000142~mode=flat

 

[estradahe]

I finally FIXED it GUYS !!!.......I THINK ALL I had to do was go into registery and delete all of the about:blank that it found.......and then I opened IE and went to View / Go To and it had ONE more about:blank there ---- I deleted it ( UNCHECKED IT ) and afterwards seems like that did the trick.......So with that being said --- I think that it was BECAUSE I did not go in there and unchecked that it just kept reverting to the page...but yo udefinately still have to delete whatever about:blank that it finds in the Registery....WHEW !!!! Glad that's over ....Thanks!!!!