About: Blank........Browser Hijacked?


Rolex

I downloaded and installed Mozilla about an hour ago, and set it as my default browser. I'm still trying to get some things set correctly.
In the past couple of weeks I've been trying to find out why my hi speed cable has been so dreadfully slow, and after installing 5 different programs to remove or block all kinds of threats and tracking cookies, nothing changed.
Last night I started wondering if my IE browser had been hijacked by "About: blank" since that's what it says in the address bar. That's been there since day one, when I chose a blank IE page to open.
Last night, while checking numerous sites, I found out about this About: Blank browser hijacker, that once it's there, even if you protect the computer, it causes everything to slow down.
Does anyone have any info on this, or know how I can remove it if that's the problem?
 
A good firewall with a pop-up blocker. I personally use Zonealarm. Also using a spyware remover like Lavasoft's Ad-Aware SE will help disable other items that have imbedded themselves into your computer.
 
I've always run Norton System Works, but I've now added SpyBot Search and Destroy, Spyware Doctor, Ad-Aware SE, Spyware Blaster, and now have Mozilla as my default browser.
So far, so good. This site is behaving much better, so far. I'm still trying to configure things to work properly.
I had to enable cookies for this site, popups, and a couple of other things, but I'm not getting anyone's signature photo yet.
I also noticed that the mods' user names are in bold black, but not in blue or orange. Anyone know how to correct that?

I've got the signatures now. Mozilla needed some plug-ins.
 
The about:blank hijack is a new flavor of coolwebsearch, and it's a bad one. We've been trying to figure this one out at work for a couple of weeks. Seems as though it buries a cron task or some trigger that reactivates it after you've cleaned it out with hijackthis and other tools. It will keep coming back. The guy that wrote the cwshredder util was catching hell from the CWS shitheads and he stopped updating it and it will not shred this flavor of cws. You'll notice that there's a dll file that the hijack uses for the html code for the hijack, it'll be in the windows or system directory. Use HJT to find any kind of dll call which will then have a ?something.htm on the end. Open the dll in notepad and see if it has html code in it. If it does, reboot in safe mode, open the file again with notepad, select all, delete, save, then mark the dll as read only. If you delete the file, the hidden trigger will copy another copy right back. This won't fix the hijack, but it will give the finger to the CWS assholes. I still have no idea where or how it keeps pulling the dll back, but it does. Sadly, the antispyware utils only clean up the second half of this one, not the root cause.

If anyone has any ideas, please LMK. All of the systems that we have seen with this one have had to be wiped and reloaded. Another thing to look for in the registry is a key named pendingfilerename. Just about every entry in this key will be a hijack attempt. Also check your hosts file (%system%\system\drivers\etc). This is the poop I have to do all day long, and I really wish I could have 10 minutes with these assholes and a hot iron.

Best of luck Rolex.
 
Great info, Error401, I knew this wouldn't be a pretty story.
Everything I read on this last night told me that it would continue coming back. Even when running all my virus scans and bot checks last night, one of the programs spent about 30 seconds with the definition 'about: blank'. Normally during scans, they go by faster than you can even see them.
I tend to think it worked hard to remove it, maybe it succeeded temporarily, but it will come back.
Do you know if it only infects IE ? So far I'm pleased with the speed this site is running at with Mozilla set as my default browser. From info I got yesterday, 'about blank' will slow down the computer as long as it's in there, but I'm not sure if it's everything, or just internet.
Every time I set up a new computer, I don't do ANYTHING till I've installed Norton System Works, install the latest definitions and scan the entire system. That makes me wonder how the browser hijacker got in here in the first place. Obviously it's going to be tough to get out, since it couldn't be stopped from getting in.
 
I got one that hijacked the start page as well as puts a tool bar at the bottom of the screen. It also gives me pop ups all the time.

After weeks of trying to get rid of it I switched to Firefox and haven't looked back.
Now that I found a spell checker that works with FF I may never go back to IE.
 
I just re-booted after running Roxio GoBack. I had to eliminate the installation of Mozilla Firefox. I noticed something different about my desktop icons, then went into windows explorer, and EVERY icon in the windows system had been changed to icons I had never seen before. Jpg icons were now light orange with a tiny photo, not the standard windows icon. No icon in the entire system was recognizable or familiar.
IE links on the desktop were now Mozilla icons instead of IE icons, and that's understandable, but not being able to distinguish a Jpg from a Bmp or Gif is not something I'm about to deal with.
Is this 'About: Blank's way of punishing me for installing another browser?

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Okay, Error.......You seem to know a lot more than I do, so maybe you'll want to see if the following procedure works. If it does, let me know, and then I'll try it. It's the best info I've been able to find in 2 days of searching. Apparently no spyware tools are able to eliminate it, and it needs to be done manually.


Removing about:blank Homepage Hijacker


Summary
Presented below are several tools and methods used to remove the about:blank homepage hijacker.


Details
Vulnerable Systems:
* Microsoft Internet Explorer

Homepage hijackers are an effect caused by some toolbar programs, trojans or malware. The hostile application changes the default homepage of Internet Explorer to something undesired and does not allow the user to set the homepage.

Below are several tools which can be used to find and remove malware which causes the effect. Presented here is also a manual step-by-step method of removing more persistent homepage hijackers.
Please reboot the machine after each step before checking if the removal was successful.

Spyware / trojan removal tools:
Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer. Spyware is a relatively new kind of threat that common anti-virus applications do not yet cover. If you see new toolbars in your Internet Explorer that you didn't intentionally install, if your browser crashes, or if your browser start page has changed without your knowing, you most probably have spyware.

CWShredder - A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks.

AVG antiVirus - An antivirus tool which also deals with some hijackers.

Manual step-by-step:
If a persistent hijacker is not removed by the tools listed above, manual removal should be used.

To Remove "About:Blank" Hijacker Adware In Windows XP Home edition Service Pack 1 with Internet Explorer 6.0
(probably works in NT and 2000 with some directory name changes only) follow this procedure:

Programs Needed:
* Reglite.exe

* Microsoft Recovery Console (an application available on your Windows installation disc). To access the recovery console run the following command: D:\i386\winnt32.exe /cmdcons
(Where D should be replaced with the CD drive letter)

* HiJackThis.exe

Removal Procedure:
There are two application extension (.dll) files that need to be deleted. One is hidden (thanks Akadia!), one is detected with "HiJackThis.exe"

1) With "Reglite.exe" find name of hidden file:
Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete). If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.

2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console"
Browse to the system32 directory located at: C:\Windows\system32\
Replace this path with your system32 dir. In order to know your system32 run cmd and type:
echo %WINDIR%\System32

After finding your system32 directory do the following:
a) Change file from read only by typing attrib -r hidden.dll
b) Rename the file (For some reason this only works after rename) type: rename hidden.dll nasty.dll
(and remember that "hidden.dll" is for this explanation only; use the name you found earlier)
Type "exit" and reboot to Windows.

3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double Click on "AppInit_DLLs" located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
Delete the file in "value" window, the "size" window changes also.
"Apply" changes and exit "reglite.exe"

4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
(as you can see the second .dll in the example was called "jheckb.dll" yours may be different) For this example let's call it "obvious.dll".

* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second dll, in this example jheckb.dll.

Finally delete the two .dlls ("hidden.dll" and "obvious.dll")

That's it! You should be running again

By the way, if you go offline with Internet Explorer and type OK To these nasty adware windows you will see the guys who benefit from this hijacker. Time2Early found:
www.likesurfing.com
www.vn.msie.cc (the real web page)

They seem to be selling adware/spyware protection...
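
As an added example (not part of the original posts, and not code from HijackThis or its authors): a short Python parser that picks the `res://...dll` entries described in step 4, and in the earlier post about DLL calls ending in `?something.htm`, out of a saved HijackThis log and lists the DLL names to go and inspect. The sample log is constructed from the entries quoted above plus one made-up `Start Page` line, and the function names are hypothetical.

```python
import re

# Constructed sample: HijackThis R-entries wrapped as in the post above
# (key on one line, value on the next), plus one ordinary start-page line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

ENTRY = re.compile(r"^(R[0-3]) - ([^,]+),(.*?) =\s*(.*)$")
# A res:// URL that serves a page out of a DLL: res://<path>.dll/<page> or ...dll?<page>
RES_DLL = re.compile(r"^res://(.+?\.dll)[/?]\S*", re.IGNORECASE)

def unwrap(log):
    """Rejoin entries whose value was wrapped onto the following line."""
    entries = []
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if re.match(r"^[A-Z]\d+ - ", line) or not entries:
            entries.append(line)          # a new "R1 - ..." style entry starts here
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def find_res_hijacks(log):
    """Return (section, registry key, value name, dll path) for res:// DLL entries."""
    hits = []
    for entry in unwrap(log):
        m = ENTRY.match(entry)
        res = RES_DLL.match(m.group(4)) if m else None
        if res:
            hits.append((m.group(1), m.group(2), m.group(3), res.group(1)))
    return hits

def suspect_dlls(log):
    """Distinct DLL file names (lower-cased) referenced by the flagged entries."""
    return sorted({path.rsplit("\\", 1)[-1].lower() for *_, path in find_res_hijacks(log)})

if __name__ == "__main__":
    for hit in find_res_hijacks(SAMPLE_LOG):
        print(hit)
    print("DLLs to locate and inspect:", suspect_dlls(SAMPLE_LOG))
```

The `about:blank` and ordinary `http://` values are deliberately not flagged; only entries that load a page from inside a DLL are reported, since the DLL name differs from machine to machine.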
 
You know, I've been seriously thinking about doing that. This is the first time I've encountered a problem that couldn't be corrected, and I just don't want to let it beat me.
I have another computer here that I've almost emptied out, and what I might do is re-format it, then transfer all my files from this one, and start off new.
Even that's a lot of time.
 
I'm in the habit of reformatting my HDs every year or so on the PCs we use a lot.
This is where proper data management comes in handy. Keep all your data under My Documents and just back it up.

I recently went to a backup system that works well for me. Maxtor has an external HD that comes with a backup program that works well. Reload and get the computer as you like it with all your programs installed then Ghost it to the backup drive. Once that is done then make regular backup sets to the same external drive. Once that is done you can have a clean install with data up and running within an hour or two.

I know it's all hindsight at this point but believe me when I say it will happen again. Plan for it now.
 
I do the same thing with my Macs, esp the laptop.

I ran into a couple more machines with the about:blank homepage today. The standard procedures/utils we use are

1) pull the HD and hook it up as the secondary master on a clean machine.
2) manually delete the temp files (will have to unhide files/folder)
a) windows\temp
b) windows\temp internet files (9x)
c) doc and settings\user profile\local settings\temp (and) temp internet files (2K and XP)
3) manually delete FLEOK, Alchem, TVMedia (and a slew of other known poop)
4) delete the folders in the recycle bin (they will come back so it's safe to do this)
5) scan the drive (usually D:) with Ad-Aware and NAV, delete anything that is found (might have to manually delete the stuff that NAV finds but can't delete)
6) put the drive back in the original machine and boot to safe mode.
7) check the hosts file
8) add remove programs (anything suspicious, like tool bars and such)
9) run HJT and remove anything suspicious, but be careful of what you delete (some stuff is good)
10) run CWShredder
11) run any other antispyware utils you might use
12) run msconfig and see what is loading on boot.
13) run regedit, look under the hkcu\software key and delete stuff that you know is bad (FAT ASSED WARNING: if you don't know what you're doing in the registry, do not run regedit). If you want, run regedit, select the root and then click file: export, then save the reg file and email it to me.
14) Boot in normal mode and run all of that again. Once you get it so it's pretty clean in normal mode, shut it down, restart, reboot, bring up IE a couple times, run some apps, restart, etc. If nothing changes, you got it cleaned up.

If that fails to fix it, you'll have to reload. I've spent days on machines before and the process of cleaning them out can be frustrating.

Best thing you can do is do back ups, and have a good ghost image. A pain, but it can save headaches.
 
Most of my files are already backed up on CDs, but I haven't updated my back ups in a few months.
When I reformat it, I will be adding a secondary HD for backing up.
 