About Blank - here is the story

[dennis5452]

I was called to my friends house to fix his computer. There are 3 users on this PC. Susan, Mark and Mike. Marks internet explorer start page was changed to About blank which in this case was a spyware page that stated the PC was infefected with 9 spyware files and to shell over $45.00 and it will fix them. Mark called me. I knew that spyware caused this, so I brought Spybot, Adware SE and Microsoft anti spyware. I disonnected the computer from the internet and scanned the computer 3 time with each program,
I would have done it more but the third scan with each program did not detect any spyware on the computer. However going to Marks internet properties has about blank in the start page window. I change it to somthing else and click apply and OK. I open it back up and it is about blank again. Mikes and Susans desktops were unaffected by the spyware their start-up pages were not altered. Anyway when you start Internet explorer on marks desktop it opens with about blank in the address field but does Not bring up anything. If you type an address the page is displayed normally and "favorites" work also, but only if you take out about blank first.

Finally the question.

Everything is running fine now but I have tried deleting cookies and files but I cannot get rid of about blank showing up as the start up page.
Thanks in advance

Dennis

 

[nessus]

There is a local system policy forcing the home page to about:blank.

Check the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies registry key looking for the value.

 

[Langford]

Maybe this will help, I don't know. That sounds like spysherrif to me. (Or whatever they changed thier name to this week)
I've seen it before, it is very persistent. It tries to convince you to buy some fake anti-spyware software, and keeps placing baloon tips in your system tray, right?
You will have to find a page with a removal script on it, and then you will have to run that script while in safe-mode. You may have to run it a few times, possibly with reboots in-between.

I did a quick google search, this may be the approipriate removal tool: http://www.spyware-removal-guideline.com/spysheriff-removal
Its the one calle smitrem.exe

 

[ThreeDee]

my friend just got infected with that spywarequake thing that stealth installs itself .. took a bit to get the punk out ..it was part of a zobot (sp?) trojan thingy do-dad-a-muh-bob




[F]old|[H]ard

 

[Phaedrus]

use word pad to open up c:\windows\system32\drivers\hosts
This is all that should be in the file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


delete anything else and save the file

 

[Donnelltech]

You may also want to run Hijack this and look for and delete any malicious entries in the list. As far as spyaxe/sheriff/etc goes, this works great:

http://noahdfear.geekstogo.com/click counter/click.php?id=1