
How the 'About: Blank' Hijacker Affects Your Computer

Posted: November 16, 2004

First sighted: March 2004
Symptoms: Internet Explorer homepages changed to about-blank.ws and 213.159.118.226 (1-se.com), hijack returning on system restart

Removal difficulty: Involves some Registry editing and deleting a randomly named file

Identifying lines in Support log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
[..]
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt

This variant does everything in its power to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced so that about 100 porn and CWS domains resolve to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.

The fix was to restore the IE pages by searching the Registry for about-blank.ws, then remove the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legitimate) and the randomly named stylesheet (1079 or 1087 bytes in size).
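As an added example (not part of the original article and not a tool it describes), the Python sketch below triages a log in this format for the four symptoms described above: IE pages pointing at about-blank.ws, many hosts entries sharing one non-loopback address, an svchost.exe autorun outside System32, and a user stylesheet entry. The function name, the hosts threshold and the "Constructed Benign" line are assumptions made for illustration.

```python
import re
from collections import Counter

# Lines taken from the log excerpt above (backslashes restored); the
# "Constructed Benign" entry is made up here as a negative case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKLM\..\Run: [Constructed Benign] C:\WINNT\system32\svchost.exe -k netsvcs
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
"""

LINE = re.compile(r"^(R\d|O\d+) - (.*)$")           # "<section> - <body>"
SVCHOST = re.compile(r"([a-z]:\\[^\[\]]*?svchost\.exe)")  # full path to svchost.exe
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}          # usual ad-blocking sink addresses

def triage(log_text, hosts_threshold=3):
    """Return (indicator, detail) pairs for the symptoms described above.
    hosts_threshold is an assumed cut-off, not a value from the article."""
    findings, hosts_by_ip = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        if section.startswith("R") and "about-blank.ws" in low:
            findings.append(("ie-page-hijack", body))
        elif section == "O1" and low.startswith("hosts:"):
            fields = body.split()  # ["Hosts:", ip, hostname]
            if len(fields) >= 3 and fields[1] not in LOOPBACK:
                hosts_by_ip[fields[1]] += 1
        elif section == "O4":
            exe = SVCHOST.search(low)
            # Only the copy under \system32\ is the legitimate one.
            if exe and not exe.group(1).endswith("\\system32\\svchost.exe"):
                findings.append(("svchost-outside-system32", body))
        elif section == "O19":
            findings.append(("user-stylesheet", body))
    # Many hostnames mapped to one routable address suggests a replaced hosts file.
    for ip, count in hosts_by_ip.items():
        if count >= hosts_threshold:
            findings.append(("hosts-mass-redirect", f"{ip} x{count}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:26} {detail}")
```

A user stylesheet entry is reported for review rather than as proof of infection, since the log line alone does not show the file's contents or size.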
