Date: 19 Dec 2004 20:27:29 -0800
My Internet Explorer was recently 'infected' with spyware that turned
my homepage to "About:blank". I tried the usual spyware removal tools
Today I finally got rid of it, so I'd like to share what I know about
it (I did not keep track of all that I did, but I hope this brief
summary may help anyone with the same infection):
- Everything starts with an unauthorized installation of an Internet
Explorer toolbar or BHO (Browser Helper Object). After it was installed,
I went to Add/Remove Programs and uninstalled it. However, although the
toolbar disappeared, the BHO entry in the registry remained, along with
some exes and dlls.
- This spyware has two exe files (c:\winnt\system32\ntmw.exe and
c:\winnt\system\winen32.exe). They are added to the
RunOnce registry keys respectively. These exes apparently create dlls
with random names in C:\winnt (a new one is created when you get rid of
the 'current'). The 'current' dll is the BHO that creates the
Internet Explorer registry entries for the homepage, search page and
others (in HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main). You will find the name of the current dll using
HijackThis or using Regedit and going to the Internet Explorer\Main key.
The dll entries in the registry are of the form
res://c:\winnt\xxxxx.dll/sp.html#28129 (where xxxxx.dll is the name of
- The dlls appear to be COM objects (although not all the normal COM
registry keys are present, they can be unregistered with regsvr32 -u),
are hidden, and the 'modified date' seems to be random. They are 55
kB in size.
- I used three tools from sysinternals.com to track and remove this:
pslist, pskill and regmon. Regmon keeps track of programs that access
the registry. If you track the Internet Explorer homepage key, it seems
that Iexplore.exe is setting it to about:blank. The key to finding the
exes was to track a key in the registry that was next to the
InprocServer key for the dll called Data/MD (sorry I did not copy the
- To remove the spyware I started Internet Explorer, removed the entries
for the dll in the registry, killed the ntmw and then the winen32
processes, deleted the exes, and then removed the two entries for the
exes in the registry.
Two sites that are linked in the About:Blank page are
I hope this helps.
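The look-ups and cleanup steps the post walks through, as an added PowerShell example that is not part of the original post and not the poster's own method. It takes the dropper names (ntmw.exe, winen32.exe), the res://<dll>/sp.html pattern in HKCU\...\Internet Explorer\Main, the hidden randomly-named DLL acting as a BHO, and the Run/RunOnce entries from the post; everything else is an assumption: that the machine runs a PowerShell-capable Windows, that the droppers live under $env:windir\system32 and $env:windir\system (the post's c:\winnt paths), and that the BHO is listed under the usual HKLM Browser Helper Objects key. Unlike the post's order, it kills the dropper processes before touching the DLL, so that no fresh randomly-named copy can be created during cleanup. It is report-only unless run with -Remove.

```powershell
# Added example, not code from the original post. Report-only by default;
# -Remove performs the cleanup. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$IeMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$BhoKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$RunKeys   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$KnownExes = 'ntmw.exe', 'winen32.exe'          # dropper names taken from the post
# Assumed on-disk locations, mirroring c:\winnt\system32 and c:\winnt\system in the post
$ExePaths  = (Join-Path $env:windir 'system32\ntmw.exe'),
             (Join-Path $env:windir 'system\winen32.exe')

# Step 1: IE Main values that point into a local DLL via res:// (the BHO's own page).
# The DLL name is random, so it is matched by pattern rather than by name.
$ResPattern = '^res://(?<dll>[a-z]:\\[^/]+\.dll)/'
$Hijacked = @()
$main = Get-ItemProperty -Path $IeMain -ErrorAction SilentlyContinue
if ($main) {
    foreach ($p in $main.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $ResPattern) {
            $Hijacked += [pscustomobject]@{ Name = $p.Name; Dll = $Matches['dll']; Raw = $p.Value }
        }
    }
}
$BadDlls = @($Hijacked | ForEach-Object { $_.Dll.ToLower() } | Sort-Object -Unique)

# Step 2: registered BHOs whose InprocServer32 DLL is one of those files.
$BadBhos = @()
foreach ($bho in @(Get-ChildItem -Path $BhoKey -ErrorAction SilentlyContinue)) {
    $clsid = $bho.PSChildName
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { [string]$srv.'(default)' } else { '' }
    if ($dll -and $BadDlls -contains $dll.ToLower()) {
        $BadBhos += [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

# Step 3: Run/RunOnce values that launch either dropper.
$Autoruns = @()
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and ($KnownExes | Where-Object { $p.Value -match [regex]::Escape($_) })) {
            $Autoruns += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Write-Host 'IE Main values pointing at a local DLL:'; $Hijacked | Format-Table -AutoSize | Out-Host
Write-Host 'BHO registrations for those DLLs:';       $BadBhos  | Format-Table -AutoSize | Out-Host
Write-Host 'Run/RunOnce entries for the droppers:';   $Autoruns | Format-Table -AutoSize | Out-Host

if (-not $Remove) { Write-Host 'Re-run with -Remove to clean up.'; return }

# Kill the droppers first so they cannot create a new DLL while the current one is removed.
foreach ($exe in $KnownExes) {
    Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($exe)) -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue
}
foreach ($b in $BadBhos) {                       # drop the BHO registration
    Remove-Item -Path (Join-Path $BhoKey $b.Clsid) -Recurse -Force -ErrorAction SilentlyContinue
}
foreach ($h in $Hijacked) {                      # delete the hijacked IE values
    Remove-ItemProperty -Path $IeMain -Name $h.Name -ErrorAction SilentlyContinue
}
foreach ($dll in $BadDlls) {                     # unregister and delete the hidden DLL
    if ([IO.File]::Exists($dll)) {               # File.Exists sees hidden files; Get-ChildItem would not
        & regsvr32.exe /s /u $dll
        Remove-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue
    }
}
foreach ($a in $Autoruns) {                      # remove the Run/RunOnce entries
    Remove-ItemProperty -Path $a.Key -Name $a.Name -ErrorAction SilentlyContinue
}
foreach ($exe in $ExePaths) {                    # delete the dropper executables
    if ([IO.File]::Exists($exe)) { Remove-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue }
}
```

Run it once without -Remove and compare the report with what HijackThis or Regedit shows before trusting the cleanup; if the report lists no res:// value, the DLL name pattern or the registry hive differs from the post's case and nothing will be removed.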