Problem with IE


sensible_guy
April 16th, 2004, 08:19 AM
One of my friends runs a Cyber Cafe and he has one problem: his home page has been changed, and no matter if he sets it to blank again, on rebooting it reverts to that site. On some PCs the about:blank page of IE has itself been changed. Has anyone got a solution for it?

whizkid2300
April 16th, 2004, 08:27 AM
Tell your friend to download AdWare. That is probably what it is, some adware or malware.

I would say though, what is his default?

lumpyporridge
April 16th, 2004, 08:27 AM
Try running Spybot Search & Destroy, AdAware and then HijackThis if the first two don't fix it. A Google search or a search on this site will find the URLs and much more info about browser hijacking and how to fix and prevent such things from happening.

MoonWolf
April 16th, 2004, 09:12 AM
Maybe he could use a different browser than IE.

(just a thought)

nihil
April 16th, 2004, 09:12 AM
Just another thought,

When he gets spybot Search & destroy, also get CWShredder. This is a complimentary bit of software that specifically targets Cool Web Search scumware that the regular SpyBot and AdAware might miss. You need to update it every time as it is constantly being updated.

In spybot (advanced mode) run the "immunization" option and check the three little boxes at the bottom.

BEWARE:

AdAware will report two of these protections as malware, this is NOT correct, so don't let AdAware delete them... it is a known "false positive" between the two products.

Good luck :)

meeeeeee
April 16th, 2004, 02:40 PM
From http://www.spywareinfo.com/~merijn/cwschronicles.html

CWS.Xmlmimefilter
Variant 34: CWS.Xmlmimefilter - About:blank hacked v2.0
Approx date first sighted: February 29, 2004
Log reference: http://computercops.biz/postt21263.html
Symptoms: IE homepage changed to about:blank, which is changed to a search engine named 'Microsoft Search the Web', mistyped URLs being redirected to this same search engine
Cleverness: 10/10
Manual removal difficulty: Involves quite some Registry editing
Identifying lines in HijackThis log:

O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\msxmlpp.dll


Though the hijacking of the about:blank page was also done by the CWS.Winres variant, this new variant accomplishes it in a much more elegant way. The DLL itself used for handling the 'about:' protocol is changed to a malicious msxmlpp.dll one, displaying a search engine instead of a blank page filled with links to 66.117.38.91.
Changing the CLSID of the about protocol back to the default {3050F406-98B5-11CF-BB82-00AA00BDCE0B}, deleting the file and removing the hosts file hijack fixes this.

Easiest way to clean it up is to d/l the CWShredder from http://www.spywareinfo.com/~merijn/downloads.html and run it in safe mode.
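
A way to check a saved HijackThis log for the two identifying lines quoted above, as an added example that is not part of the original post and not code from HijackThis or CWShredder. The function name `triage` and both sample logs are constructed for illustration; the default CLSID is the one given in the post.

```python
import re

# Default CLSID of the 'about' protocol handler, as stated in the post above.
DEFAULT_ABOUT_CLSID = "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
# Loopback/null addresses in a hosts file block a name rather than redirect it.
NON_REDIRECT_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O18_RE = re.compile(r"^O18 - Protocol:\s+(\S+)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")

# Constructed sample: the two identifying lines quoted in the post.
INFECTED_LOG = r"""
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\msxmlpp.dll
"""

# Constructed sample: a localhost entry and the default handler in lower case.
CLEAN_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O18 - Protocol: about - {3050f406-98b5-11cf-bb82-00aa00bdce0b} - C:\WINDOWS\System32\mshtml.dll
"""


def triage(log_text):
    """Return (kind, value, detail) tuples for hosts redirects and a replaced about: handler."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            # Any name pinned to a routable address deserves a manual look.
            if ip not in NON_REDIRECT_IPS:
                findings.append(("hosts-redirect", host, ip))
            continue
        m = O18_RE.match(line)
        if m:
            proto, clsid, dll = m.groups()
            # CLSIDs are case-insensitive; compare in upper case.
            if proto.lower() == "about" and clsid.upper() != DEFAULT_ABOUT_CLSID:
                findings.append(("about-handler-replaced", clsid, dll.strip()))
    return findings


if __name__ == "__main__":
    for finding in triage(INFECTED_LOG):
        print(finding)
```

A finding from this check only tells you which entries to inspect; the cleanup steps remain the ones described in the post.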

nihil
April 16th, 2004, 03:57 PM
Thanks for the link... couldn't find it on this box

AdAware and SpyBot Search & Destroy should also be run in safe mode... I forgot to mention that.

Your friend needs to run ALL three suggested items, as I am willing to bet that he has more than CWS :eek:

I just fixed a PC at a local hotel... bagged 106 of the little vermin!

The problem with a cyber cafe is the users don't care about the equipment and will click on anything, and say "OK" to anything :(

I would recommend that you advise your friend to get into a routine of updating and running the three items, at least once a week.

Cheers

The Duck
April 18th, 2004, 03:57 AM
Also never hurts to have a little AV protection ;). I also have a question for you nihil, why should I run spybot S & D in safe mode???
Thanks in advance.

nihil
April 18th, 2004, 04:49 AM
Hello, The Duck

I recommend running AV, SpyBot, AdAware and the Shredder in safe mode because some malware (general term I use for all virus/worm/trojan/spy/ad stuff) is actually capable of "defending itself" and will interfere with the running of security programs.

If you boot into safe mode, you load minimal services, drivers etc, so there is a good chance that the bad stuff won't get loaded.

Also, your security software might have difficulty in repairing or deleting things that are actually running, so you have a better chance of killing them in "safe".

And, as you are not running so much, the whole process will go quicker.

/off topic

Defragmentation is better run in safe mode, as files that have been locked by normally running processes/services will also get defragmented. A good example would be your anti-virus pattern/signature file?

/back

Hope that helps

The Duck
April 18th, 2004, 05:33 AM
Thanks a lot for the info and the advice. I generally give people advice when it comes to defending against "malware" and I have heard that it is better when running the defense programs in safe mode but I never knew why. Now I know, Thanks.

JohnHACK
April 18th, 2004, 01:00 PM
I'm also facing the same problem when I use IE; even if I delete all the related strings in the Registry, it comes back again when I restart my PC... At last, I'm using Opera as my web browser... This is the web site which is always on my IE: "http://hot-searches.com/index.php?v=6&aff=2981924"

Wesam
April 19th, 2004, 01:46 PM
You need to un-install the Cyber Cafe then re-install Windows for each PC, and use Deep Freeze for your Cafe PCs.

nihil
April 19th, 2004, 02:27 PM
Hi John,

1. Start SpyBot in "advanced" mode and go to the "tools" option... take a look at what is in all those add-ons like BHOs (browser helper objects)

2. Try http://www.winpatrol.com

Look at IE helpers, startup etc... it has the facility to suspend processes from starting... I have used this to keep the thing quiet whilst I killed it :)

3. Make sure that you update SpyBot, CWShredder, AdAware and your AV then run them in SAFE MODE

Remember, some of this crap can defend itself?

Cheers