Presented below are several tools and methods used to remove the about:blank homepage hijacker.
Credit:
The thorough step-by-step procedure and example were taken from Time2Early's post on www.computercops.biz.
Vulnerable Systems:
* Microsoft Internet Explorer
Homepage hijackers are an effect caused by some toolbar programs, Trojans or malware. The hostile application changes the default homepage of Internet Explorer to something undesired and does not allow the user to set the homepage.
Below are several tools which can be used to find and remove malware that causes the effect. Presented here is also a manual step-by-step method of removing more persistent homepage hijackers. Please reboot the machine after each step before checking if the removal was successful.
Spyware / Trojan removal tools:
Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer. Spyware is a relatively new kind of threat that common anti-virus applications do not yet cover. If you see new toolbars in your Internet Explorer that you didn't intentionally install, if your browser crashes, or if your browser start page has changed without your knowing, you most probably have spyware.
CWShredder - A general homepage hijacker detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks.
AVG Anti-Virus - An antivirus tool which also deals with some hijackers.
Manual step-by-step:
If a persistent hijacker is not removed by the tools listed above, manual removal should be used.
To Remove "About:Blank" Hijacker AdWare in Windows XP Home edition Service Pack 1 with Internet Explorer 6.0 (probably works in NT and 2000 with some directory name changes only) follow this procedure:
Programs Needed:
* Reglite.exe
* Microsoft Recovery Console (an application available on your Windows installation disc). To access the recovery console run the following command: D:\i386\winnt32.exe /cmdcons
(where D should be replaced with the CD drive letter)
* HiJackThis.exe
Removal Procedure:
There are two application extension (.dll) files that need to be deleted. One is hidden (thanks Akadia!); the other is detected with "HiJackThis.exe".
1) With "Reglite.exe" find name of hidden file:
Double click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\. The "value" window reveals the hidden file name (mine was "hlpl.dll"; yours may be different!).
In this example we'll call it "hidden.dll".
Browse to the file, right click it and select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del, or right click and Delete). If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.
2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console". Browse to the system32 directory located at: C:\Windows\system32\. Replace this path with your system32 directory. To find your system32 directory, run cmd and type:
echo %WINDIR%\System32
After finding your system32 directory do the following:
a) Remove the read-only attribute from the file by typing: attrib -r hidden.dll
b) Rename the file (for some reason this only works after a rename) by typing: rename hidden.dll nasty.dll (remember that "hidden.dll" is for this explanation only; use the name you found earlier)
c) Type "exit" and reboot to Windows.
3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\. Delete the file name in the "value" window; the "size" window changes as well. "Apply" the changes and exit "reglite.exe".
4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
(As you can see, the second .dll in the example was called "jheckb.dll"; yours may be different.)
For this example let's call it "obvious.dll".
* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second DLL, in this example jheckb.dll.
Finally delete the two .dlls ("hidden.dll" and "obvious.dll").
That's it! You should be running again.
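The review in step 4, as an added example (not part of the original article and not HijackThis code): a Python parser that reads a saved HijackThis log, rejoins entries that were wrapped across lines, and groups the R0-R3 Internet Explorer entries by the DLL named in their res:// data, so a variant with a different DLL name is still found. The sample log is constructed, and the function names are assumptions made for this example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, modelled on the entries above.
# Some entries are wrapped across two lines, as they often are when pasted.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\JHECKB.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")                  # e.g. "R1 - ", "O4 - "
R_ENTRY = re.compile(r"^(R[0-3]) - ([^,]+),(.*?)\s*=\s*(.*)$")  # key,value name = data
RES_DLL = re.compile(r"res://(.+?\.dll)", re.IGNORECASE)        # DLL behind a res:// URL


def unwrap_entries(log_text):
    """Rejoin wrapped lines: a line without a section code continues the previous entry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def review_ie_entries(log_text):
    """Return ({dll name: [(section, key, value name)]}, [entries set to about:blank])."""
    by_dll = defaultdict(list)
    about_blank = []
    for entry in unwrap_entries(log_text):
        m = R_ENTRY.match(entry)
        if not m:
            continue  # only the R0-R3 Internet Explorer page entries are reviewed
        section, key, name, data = m.groups()
        data = data.replace("(obfuscated)", "").strip()
        dll = RES_DLL.search(data)
        if dll:
            by_dll[ntpath.basename(dll.group(1)).lower()].append((section, key, name))
        elif data.lower() == "about:blank":
            about_blank.append((section, key, name))
    return dict(by_dll), about_blank


if __name__ == "__main__":
    dlls, blank = review_ie_entries(SAMPLE_LOG)
    for dll_name, refs in dlls.items():
        print(f"{dll_name}: referenced by {len(refs)} entries")
        for section, key, name in refs:
            print(f"  {section}  {key},{name}")
    print(f"about:blank entries: {blank}")
```

Any DLL name the script reports is the one to look for in the remaining registry entries and in the system32 directory, as the note above describes.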
Another Manual Method:
If the top method failed to work (you could not locate the hidden .dll for example), try the following method suggested by NWG:
Step A:
1. Open HijackThis
2. Click Config
3. Check the 'Mark everything found for fixing after scan' option.
4. Click Back
5. Click Scan
6. Click Fix checked
Step B:
1. Click Config
2. Click Misc Tools
3. Open ADS Spy.
4. Click Scan (this will find all hidden files that you will not see in the explorer)
5. Select all items (this has to be done manually)
6. Click Remove selected
That's it.
Restart the machine; it should start like new.
Final Notes:
By the way, if you go offline with Internet Explorer and type OK to these nasty adware windows you will see the guys who benefit from this hijacker. Time2Early found:
www.likesurfing.com
www.vn.msie.cc (the real web page)
They seem to be selling AdWare/Spyware protection...

Subject: Nice work !
Date: 4 Jan. 2006
From: king_krankoryahoo.com
Wow I followed your tips and posted software on this page here http://www.securiteam.com/securityreviews/5RP0L0UD5U.html and it worked. I have my homepage back and that nasty registry stuff has been deleted.
THANK YOU !!

Subject: Well done!
Date: 13 Jan. 2006
From: FabioM
Thanks from Italy! I resolved my troubles with your tips. bye

Subject: Long search, no result.....
Date: 1 Feb. 2006
From: MeteorMark
No Adware / Spyware remover (HitmanPro) and the procedure(s) on this site and others could rid me of the about:blank nuisance.......
It turned out to be caused by the recently installed Ad-Watch from Lava-Soft (AdAware)
By enabling "Block possible Browser Hijacks" it sets the default homepage to about:blank and listed mine (Google...) as suspicious!
Turned that off and Hey Presto! It works again!
Conclusion:
Found a lot of other nice programs for keeping Spy/Mal/Ad-ware OUT.
Some programmes are too fussy about what you do!
But anyhow, Thanks for the support!

Subject: I finally got rid of about blank
Date: 4 Mar. 2006
From: bellrose75ntl.sympatico.ca
Open "HiJackThis"
Click Config
check that your default start page is really what you want, change it if it says "about blank"
click "back"
"Scan" and then "fix"
Your start page should be restored to what you want

Subject: Doesn't work
Date: 25 Mar. 2006
From: desert_rat_90hotmail.com
I'm having this problem and on reg lite when I double click AppInit.DLLs there's nothing in the value bar! Little help please?

Subject: Doesn't work
Date: 12 Apr. 2006
From: Chribba
Exactly my problem too! There is no value, it is empty. What does that mean? Is there still a .dll somewhere? (I haven't had the time to test yet, but if I write a value/name in the empty field will I then be able to search for a .dll with that name?)
One spyware program found a program file called "userinit" in the system32 folder, is this the "hidden.dll" you think? If I try to delete it, manually or with a spyware program, it immediately re-appears. (If I understand correctly, what is happening is the AppInit.DLLs autorun is creating a file, this file() correct? So have a look for a file like that desert_rat, as you and I seem to have a new variant.
A third thing is that Hijack this doesn't find all those suspicious entries.
One final thing, what exactly is Windows Recovery Console? I put in my original Windows CD and got a message that the files on the CD were older than those on the system and that I therefore couldn't use it :-(
Any and all help appreciated!

Subject: Same as above
Date: 22 Apr. 2006
From: AntiOne
I had this before and got rid of it but now it seems there is a variant out there that these steps don't adhere to. I will check back here after a while. I can get around this by opening a different search engine but all the same ya know!!!
Good luck and Happy Hunting!!!

Subject: how to remove home page hijacker IT WORKS!!!!!
Date: 27 Apr. 2006
From: mikey_227hotmail.com
I have found an easy way to remove the problem. Download a program called adware away with 5 day free trial. When you run it, press the X on the registration screen and the program will start. Click on specialized removers. Choose the second option and click next. Then click on details. It will give you the location in the registry and where the file is located. You will see a file that has the word process in front of it. Example (windows/system/32/dc.exe and then the file name) Bring up the task manager and go to processes. Then find dc.exe and click end process. dc.exe is an example. The file name can be anything. After you end it, delete the file listed in the registry. I only had to delete one registry file and end one process. You might have more. I haven't had a problem since. As soon as you do this set your homepage. I think that this is the easiest way!!!

Subject: Confirmation of message from mikey222
Date: 28 Apr. 2006
From: AndyT
I am definitely no expert but I tried the aforementioned suggestion by mikey_222 to eradicate about:blank after first trying everything else. Yes, it works using the free trial version of Ad Aware. But I'd recommend also following above suggestions on this page eg spybot was very good and found & removed a bunch of other malware too
Thanks for posting these suggestions!

Subject: RE above
Date: 28 Apr. 2006
From: andy
I have done that and found 2 different processes so I went to task manager and processes and deleted them but as soon as I deleted one of them the other popped back on and vice versa so if anyone can help please tell me

Subject: AdWatch Block Possible Browser Hijacks
Date: 30 Apr. 2006
From: WebGuy
This posted by meteormark fixed my problem with "about:blank"
By enabling "Block possible Browser Hijacks" it sets the default homepage to about:blank and listed mine (Google...) as suspicious!
thanx man

Subject: problem!!
Date: 17 May 2006
From: pckilla
what if when you look at reglite at the place where the hijacker is supposed to be and the value is blank? what should i do then?

Subject: about:blank
Date: 19 May 2006
From: Bob
I used HijackThis.exe and it actually worked! After struggling with that nasty bugger for some time using spybot and Adware to no avail, HijackThis FIXED IT! I now have my home page back, and it sticks! THANK YOU THANK YOU THANK YOU! Bob

Subject: about:blank
Date: 26 May 2006
From: Carlos
The Adware Away trick from micky_227 works perfectly.. AndyT also made a good suggestion to complete the process with spy ware check and so on.. Two other things to add:
1. If you have multiple user accounts on your pc, you might find that you would need to repeat the process for every account.. I am not sure if that happened because I did not delete the 'hidden' file properly the first time. But in all cases, ensure that after you've ended the process and deleted the 'hidden' file in system32 directory, to run hijackthis to seal the deal and then change your home page in your IE Internet options. (HiJackThis config would do that anyway, but just to be sure).
2. You will find that Aware Away would also tell you where the exact Reg Value's location is, I used RegEdit and deleted that value.. that worked and I have a feeling that if you do this the first attempt you will not need to repeat the process in multiple accounts.
Cheers.

Subject: good business
Date: 2 Jun. 2006
From: Jim
Man, it's brilliant. The jackers make the virus then try to sell you the remedy. Very lucrative I have to say. Some people are real good at making money.

Subject: about:blank
Date: 5 Jun. 2006
From: HWO4Lifegmail.com
I am pretty sure I have a problem with the About:Blank hijacker. It keeps resetting my homepage to one that sells spyware protection and all that crap. I'm really not very good with computers, so I don't understand a lot of the technical talk on this page. Can anyone guide me through what to do, and break it down Barney style for me? This is really driving me insane. Please, email me the solution to HWO4Life@gmail.com I would be most grateful.

Subject: GREAt
Date: 9 Jun. 2006
From: lily
Thank you very much this thing removed that dumb about:blank page I hate so much.

Subject: you rock!!!!
Date: 10 Jun. 2006
From: marine27adelphia.net
you rock!!!!!!!

Subject: Nothing works...
Date: 26 Jun. 2006
From: gwinn23yahoo.com
I've tried EVERYTHING on this page, as well as ad aware, Spybot, Kaspersky, CWShredder, Ewido, Hijack This and several others. The ads are all gone but my homepage still can't be changed from about:blank and hijack this is still showing the BHO:Nothing and about:blank start page no matter what I do. Manually editing the registry only works until I reboot, then it comes right back... is there any other solution ?

Subject: PLEASE HELP ME-Cannot login to www.matchdoctor.com
Date: 26 Jun. 2006
From: pelrizadohotmail.com
Dear Staff of Securiteam.com,
I am a regular user of internet. I have recently installed MOZILLA 1.5 , except IE 6.0. and I am very satisfied with it, but since some times I have a problem I cannot see the page http://www.matchdoctor.com which I have used since a long time.
I am having very serious difficulties in logging in site of Matchdoctor. I am a member of this site since December 2004, but since November of the last year (2005) I cannot open the matchdoctor site. I go to the search engine of yahoo or google writing down "matchdoctor.com" and then I can see only a blank page and nothing else (it is written "Done" in the bottom of the left side of the computer).
I click
I go to cache and there it is "written the following:"
Below is a cache of http://www.matchdoctor.com
It's a snapshot of the page taken as our search engine crawled the Web.
I can see the normal page of matchdoctor but I cannot login even if I write my username and password.
I have had many messages from this site letting me know that I have been missing in matchdoctor site for a long time. I would very much appreciate your help to relogin to www.matchdoctor.com.
Please help me as soon as you can to open the site of matchdoctor. I really need to check my mailbox. I have written (an e-mail and a mail) to the staff of matchdoctor, but I do not have any answer from them. I was tried to open the page from some internet coffees but I had the same problem, I can only see a blank page and cannot login. How can I see the current page of matchdoctor to log in to it?
What might have happened? is there any solution? Please help me.
Looking forward to your support.
Many thanks in advance.
Kindest regards
Maribel
e-mail:pelrizado@hotmail.com

Subject: Doesn't work!
Date: 1 Jul. 2006
From: gee_88_2hotmail.com
When I double click on the "AppInit_DLLs" there is nothing in the "Value" field.
Can anyone please help me out?! I really want to get rid of About:Blank.
Thanks.

Subject: About:blank
Date: 5 Aug. 2006
From: joey0048hotmail.com
I seemed to pick up the problem when I put add ons to my browsers, IE and MFox. I am not being redirected (xp 2) but there is something running through the bottom icon tray with a blank white oblong on the right on a blue background, rushing in from the clock side, stopping at the proper icons, and darting back. I occasionally am getting about blank pages on the IE window when first pulled up, and was fished when I was trying to go to ewido to take care of this, which it hasn't.
I did reglightexe. deleted, I am not sure what, but it said it was not windows, so it went. still a problem.
I did hijack this, but when doing step A, all things were checked. I knew this was not the way to go. When doing step B, I got no malware results to delete.
What next? That creepy icon is still loose in the machine, and I must use MFox, not a bad thing, but you need IE.
Please help!
Thank you

Subject: About:Blank
Date: 12 Aug. 2006
From: majicwandiatcoxdotnet
Hey, I found a couple of copies of About:Home waiting in the queue for my Internet Options Home Page in the registry at: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0, and there were two more at HKEY_USERS\S-1-5-21-527237240-1604221776-839522115-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0 . Search "about:" (with the colon). I think the hijacker changed some of the surrounding values having to do with your home page. Oh, and, yep. They have a sense of humor too. When you hit "blank page" as your choice, About:Blank comes up.
Anyway, it did the same thing to both Spybot and HijackThis. On HijackThis it was obvious. The four search pages were all About:Blank. On Spybot you have to click on "browser pages" and then hit the arrow up top. That gives you a little box of home pages to choose from. Guess what? About:Blank is in the bucket.
As far as I'm concerned, SB and HT have been publicly ass ridden.
BTW, I also used the rec up top on the valueless .dll files. We'll see how long that holds up.

Subject: help!
Date: 8 Sep. 2006
From: robbielittlebritchesboutique.com
no .dll in my value field either - i need serious help here. Hijack this won't work, system restore won't work, I get porn popups so I can't even be on here when my kids are in the room... and even when I search for about:blank in google it hijacks my click throughs so I have to copy and paste the urls.

Subject: Fire Fox Extension
Date: 11 Oct. 2006
From: DNR
I have been using the "NoScript" extension for Mozilla Firefox and it has stopped about:blank from running while browsing the web. (noscript.net)
It only allows scripts from trusted sites to run.
In addition I use the "Adblock" extension to stop all ads I do not want to run. (http://adblock.mozdev.org/)

Subject: help
Date: 18 Nov. 2006
From: icioufa
use a different browser to go online with www.opera.com

Subject: help for removal of about:blank
Date: 9 Jan. 2007
From: storchmanaol.com
I need some help. I'm not technical sharp in computer language. Anyone out there help me with how to easily remove this problem in a step by step manner? Thanks.

Subject: need help to remove about:blank
Date: 18 Aug. 2008
From: yeye2aol.com
I do not understand the technical computer language used here. Can anyone take me step by step in layman's language to help me remove this problem? It is driving me crazy. I have tried the XoftspySE, Spyhunter, Regcure, McAfee and none of these programs have gotten rid of About:blank. Can someone please help me? I would greatly appreciate the assistance. Please send to yeye2@aol.com.