About: Blank Removal Info :: Detect & Remove About: Blank


November 16, 2004

About: Blank

Has your homepage involuntarily been changed to About: Blank?
Have you become inundated with Popup Advertisements recently?

If so, you had better continue reading.

First off, let's not confuse this with a homepage that has simply been set to a blank page, which also shows up on your machine as About: Blank. If that is what happened, it is not a problem and the fix is simple: go to Tools on the IE browser menu, click Internet Options, and change your homepage from there. If that fixed the problem, don't bother reading the rest of this.

If that did not work, you have been hijacked by About: Blank, and you have a serious problem concerning the security of your machine. The authors of the program now have the ability to install more software on your machine and track what you do online (they can even see if you are reading this page); they can also steal your credit card or banking information.

I am going to cover the rest of this in FAQ format to address all of the issues concerning this.

How did this happen to me?

Most likely, you were infected by visiting a webpage. There are certain security holes in Internet Explorer, such as the DSO Exploit, which has been fixed, but if you don't keep your patches up to date it can still get through. It is also possible that you voluntarily downloaded something which installed this along with it.

How do I remove this thing?

First you have to figure out which variant of it you have. There are at least 5 variants of About: Blank, and new ones are being developed even as you read this. The well-known free Spyware and Adware removal programs do not remove this problem. About: Blank is difficult to remove because, among other reasons, it generates random filenames for itself. SpyHunter is a free program that will detect and show you how to remove known variants of the program. You can download the free Scanner by clicking here. The free version of SpyHunter will show you exactly where About: Blank is, and you can remove it manually. The paid version provides automatic removal of About: Blank along with about 600 other nasty programs. SpyHunter is fully supported, so if you have any difficulty there is someone on the other end who will help you fix your problem.

How do I prevent this from happening again?

There are several programs out there that protect against browser hijacking. What they do is tighten up security on your machine when you land on a site that is known to conduct malicious activities. The problem with this type of program is that none of them has a complete list of every bad site on the web, and the people who write these horrible programs are always moving their stuff around.

There is one program which is totally free called Adorons Easy Security. This software will restrict every site on the web unless you specifically tell it to trust it. It is very easy to use and has the most effective popup blocker I have ever seen. You can get it by clicking here.

Is this common?

Based on a few things that we track, About: Blank is now one of the 2 largest problems with browser hijacking on the web, and is the most difficult to remove.

Who put this thing in my machine?

About: Blank is part of CoolWebSearch ("CWS"). Nobody really knows who CWS is, only that there is a large group of people involved and they originate from Russia.

I am mad, what can I do to get at this company?

The people responsible for doing this to your machine are very difficult to get at; however, we are working on a comprehensive document of their source of funding. If you are interested in helping us find this company, please post a comment on the Source of Funding Page.

First sighted: March 2004
Symptoms: Internet Explorer homepages changed to about-blank.ws and 213.159.118.226 (1-se.com), hijack returning on system restart

Removal difficulty: Involves some Registry editing and deleting a randomly named file

Identifying lines in Support log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
[..]
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt


This variant does everything in its power to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.
What fixed this: restoring the IE pages by searching the Registry for about-blank.ws, then removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size).
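
The four symptoms described above can be checked mechanically in a support log. The following is an added example, not part of the original post or of any removal tool: the function name triage, the HOSTS_FANOUT threshold and the benign sample lines are assumptions, and the sample log is constructed from the excerpt above.

```python
import re
from collections import defaultdict

HIJACK_DOMAINS = {"about-blank.ws"}  # taken from the R1 lines on this page
HOSTS_FANOUT = 3  # assumption: this many names on one IP counts as a mass redirect

# Constructed sample modelled on the excerpt above, plus three benign lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKLM\..\Run: [Example App] C:\Program Files\Example\app.exe
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
"""

def triage(log_text):
    """Return (line, reason) pairs for the four symptoms the page describes."""
    findings, by_ip = [], defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        code, _, body = line.partition(" - ")
        if code in ("R0", "R1"):
            m = re.search(r"=\s*https?://([^/\s]+)", body)
            host = m.group(1).lower() if m else ""
            if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
                findings.append((line, "IE page points at hijack domain"))
        elif code == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "::1"):
                by_ip[parts[0]].append(line)  # group redirected names per IP
        elif code == "O4":
            # svchost.exe is only legitimate in System32, per the page
            m = re.search(r"\]\s*(.*\\)svchost\.exe", body, re.I)
            if m and not m.group(1).lower().endswith("\\system32\\"):
                findings.append((line, "svchost.exe autorun outside System32"))
        elif code == "O19":
            findings.append((line, "user stylesheet set for IE"))
    for ip, lines in by_ip.items():
        if len(lines) >= HOSTS_FANOUT:
            findings += [(l, f"hosts file maps many names to {ip}") for l in lines]
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

An O19 entry is reported whenever one is present, since the log does not carry the file size the post uses to recognise the dropped stylesheet.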

Posted by Tuck at November 16, 2004 03:28 PM
