Fighting Spyware, Malware and Adware one File at a Time.
Navigation Links

Database of Spyware Home

About the Project

View the Database

Forums

Database of Spyware Site Map

Terms of Use

CWS.Aboutblank

Overview

Summary

 Hijacker that runs a Java applet. Requires older or unpatched version of Microsoft Internet Explorer.This variant does everything in its powers to redirect you to a domain owned by 1-se.com or to 213.159.118.226 (in Moscow, Russia). IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages. Restoring the IE pages by searching the Registry for about-blank.ws, removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size) fixed this.

Alias

 Backdoor.Agent.ac [Kaspersky], Bck/Agent.E [Panda], Trj/StartPage.FH [Panda], Trojan.Win32.StartPage.ix [Kaspersky], Win32.Mersting.B [Computer Associates], Win32.Startpage.FZ [Computer Associates], Win32/Agent.AC trojan [Eset], Win32/DlMersting.BA.30720!Trojan [Computer Associates], Win32/Mersting.B!DLL!Trojan [Computer Associates], Win32/StartPage.IX trojan [Eset],

See Also

  CWS ·

Category

 Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Backdoor:  A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

Homepage Hijacker:  Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Trojan:  Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Reasons For Retention

 Changes browser settings other than homepage, without user permission.
 

Origins

 

Group

 CoolWebSearch.com

Others By This Group

 CoolWebSearch· CWS· CWS.AddClass· CWS.AFF.IEDLL· CWS.AFF.MadFinder· CWS.AFF.ToonComics· CWS.AFF.WinShow· CWS.AlFaSearch· CWS.AlFaSearch.2· CWS.Bootconf· CWS.CameUp· CWS.Control· CWS.Cpan· CWS.Ctfmon32· CWS.Ctrlpan· CWS.DataNotary· CWS.DNSE· CWS.DNSErr· CWS.DNSRelay· CWS.DomPeek· CWS.DReplace· CWS.Dwinf· CWS.EHTTP· CWS.Excel10· CWS.Explorer32· CWS.Feads· CWS.GonnaSearch· CWS.GoogleMS· CWS.GoogleMS.2· CWS.GoogleMS.3· CWS.HomeSearch· CWS.IEFeats· CWS.IEFeats3· CWS.IEFeatsIUpdate· CWS.Image· CWS.Keymgrldr· CWS.Ld· CWS.LoadAdv.400· CWS.LoadAdv.401· CWS.LoadAdv.402· CWS.LoadAdv.403· CWS.LoadAdv.404· CWS.LoadAdv.405· CWS.LoadAdv.406· CWS.LoadAdv.407· CWS.LoadAdv.408· CWS.LoadAdv.409· CWS.LoadAdv.410· CWS.LoadAdv.411· CWS.LoadAdv.412· CWS.LoadAdv.413· CWS.LoadAdv.414· CWS.LoadAdv.415· CWS.LoadAdv.416· CWS.LoadAdv.417· CWS.LoadAdv.418· CWS.LoadAdv.419· CWS.LoadAdv.420· CWS.LoadAdv.421· CWS.LoadAdv.422· CWS.LoadAdv.423· CWS.LoadAdv.424· CWS.LoadAdv.425· CWS.LoadAdv.426· CWS.LoadAdv.427· CWS.LoadAdv.428· CWS.LoadAdv.429· CWS.LoadAdv.430· CWS.LoadAdv.431· CWS.LoadAdv.432· CWS.LoadAdv.433· CWS.LoadAdv.434· CWS.LoadAdv.435· CWS.LoadAdv.436· CWS.LoadAdv.437· CWS.LoadAdv.438· CWS.LoadAdv.439· CWS.LoadAdv.440· CWS.LoadAdv.441· CWS.LoadAdv.442· CWS.LoadAdv.443· CWS.LoadAdv.444· CWS.LoadAdv.445· CWS.LoadAdv.446· CWS.LoadAdv.447· CWS.LoadAdv.448· CWS.LoadAdv.449· CWS.LoadAdv.450· CWS.LoadAdv.451· CWS.LoadAdv.452· CWS.LoadAdv.453· CWS.LoadAdv.454· CWS.LoadAdv.455· CWS.LoadAdv.456· CWS.LoadAdv.457· CWS.LoadAdv.458· CWS.LoadAdv.459· CWS.LoadAdv.460· CWS.LoadAdv.461· CWS.LoadAdv.462· CWS.LoadAdv.463· CWS.LoadAdv.464· CWS.LoadAdv.465· CWS.LoadAdv.466· CWS.LoadAdv.467· CWS.LoadAdv.468· CWS.LoadAdv.469· CWS.LoadAdv.470· CWS.LoadAdv.471· CWS.LoadAdv.472· CWS.LoadAdv.473· CWS.LoadAdv.474· CWS.LoadAdv.475· CWS.LoadAdv.476· CWS.LoadAdv.477· CWS.LoadAdv.478· CWS.LoadAdv.479· CWS.LoadAdv.480· CWS.LoadAdv.481· CWS.LoadAdv.482· CWS.LoadAdv.483· CWS.LoadAdv.484· CWS.LoadAdv.485· CWS.LoadAdv.486· CWS.LoadAdv.487· CWS.LoadAdv.488· CWS.LoadAdv.489· CWS.LoadAdv.490· CWS.LoadAdv.491· CWS.LoadAdv.492· CWS.LoadAdv.493· CWS.LoadAdv.494· CWS.LoadAdv.495· CWS.LoadAdv.496· CWS.LoadAdv.497· CWS.LoadAdv.498· CWS.LoadAdv.499· CWS.LoadAdv.500· CWS.LoadAdv.501· CWS.LoadAdv.502· CWS.LoadAdv.503· CWS.LoadAdv.504· CWS.LoadAdv.505· CWS.LoadAdv.506· CWS.LoadAdv.507· CWS.LoadAdv.508· CWS.LoadAdv.509· CWS.LoadAdv.510· CWS.LoadAdv.511· CWS.LoadAdv.512· CWS.LoadAdv.513· CWS.LoadAdv.514· CWS.LoadAdv.515· CWS.LoadAdv.516· CWS.LoadAdv.517· CWS.LoadAdv.518· CWS.LoadAdv.519· CWS.LoadAdv.520· CWS.LoadAdv.521· CWS.LoadAdv.522· CWS.LoadAdv.523· CWS.LoadAdv.524· CWS.LoadAdv.525· CWS.LoadAdv.526· CWS.LoadAdv.527· CWS.LoadAdv.528· CWS.LoadAdv.529· CWS.LoadAdv.530· CWS.LoadAdv.531· CWS.LoadAdv.532· CWS.LoadAdv.533· CWS.LoadAdv.534· CWS.LoadAdv.535· CWS.LoadAdv.536· CWS.LoadAdv.537· CWS.LoadAdv.538· CWS.LoadAdv.539· CWS.LoadAdv.540· CWS.LoadAdv.541· CWS.LoadAdv.542· CWS.LoadAdv.543· CWS.LoadAdv.544· CWS.LoadAdv.545· CWS.LoadAdv.546· CWS.LoadAdv.547· CWS.LoadAdv.548· CWS.LoadAdv.549· CWS.LoadAdv.550· CWS.LoadAdv.551· CWS.LoadAdv.552· CWS.LoadAdv.553· CWS.LoadAdv.554· CWS.LoadAdv.555· CWS.LoadAdv.556· CWS.LoadAdv.557· CWS.LoadAdv.558· CWS.LoadAdv.559· CWS.LoadAdv.560· CWS.LoadAdv.561· CWS.LoadAdv.562· CWS.LoadAdv.563· CWS.LoadAdv.564· CWS.LoadAdv.565· CWS.LoadAdv.566· CWS.LoadAdv.567· CWS.LoadAdv.568· CWS.LoadAdv.569· CWS.LoadAdv.570· CWS.LoadAdv.571· CWS.LoadAdv.572· CWS.LoadAdv.573· CWS.LoadAdv.574· CWS.LoadAdv.575· CWS.LoadAdv.576· CWS.LoadAdv.577· CWS.LoadAdv.578· CWS.LoadAdv.579· CWS.LoadAdv.580· CWS.LoadAdv.581· CWS.LoadAdv.582· CWS.LoadAdv.583· CWS.LoadAdv.584· CWS.LoadAdv.585· CWS.LoadAdv.586· CWS.LoadAdv.587· CWS.LoadAdv.588· CWS.LoadAdv.589· CWS.LoadAdv.590· CWS.LoadAdv.591· CWS.LoadAdv.592· CWS.LoadAdv.593· CWS.LoadAdv.594· CWS.LoadAdv.595· CWS.LoadAdv.596· CWS.LoadAdv.597· CWS.LoadAdv.598· CWS.LoadAdv.599· CWS.LoadAdv.600· CWS.LoadAdv.601· CWS.LoadAdv.602· CWS.LoadAdv.603· CWS.LoadAdv.604· CWS.LoadAdv.605· CWS.LoadAdv.606· CWS.LoadAdv.607· CWS.LoadAdv.608· CWS.LoadAdv.609· CWS.LoadAdv.610· CWS.LoadAdv.611· CWS.LoadAdv.612· CWS.LoadAdv.613· CWS.LoadAdv.614· CWS.LoadAdv.615· CWS.LoadAdv.616· CWS.LoadAdv.617· CWS.LoadAdv.618· CWS.LoadAdv.619· CWS.LoadAdv.620· CWS.LoadAdv.621· CWS.LoadAdv.622· CWS.LoadAdv.623· CWS.LoadAdv.624· CWS.LoadAdv.625· CWS.LoadAdv.626· CWS.LoadAdv.627· CWS.LoadAdv.628· CWS.LoadAdv.629· CWS.LoadAdv.630· CWS.LoadAdv.631· CWS.LoadAdv.632· CWS.LoadAdv.633· CWS.LoadAdv.634· CWS.LoadAdv.635· CWS.LoadAdv.636· CWS.LoadAdv.637· CWS.LoadAdv.638· CWS.LoadAdv.639· CWS.LoadAdv.640· CWS.LoadAdv.641· CWS.LoadAdv.642· CWS.LoadAdv.643· CWS.LoadAdv.644· CWS.LoadAdv.645· CWS.LoadAdv.646· CWS.LoadAdv.647· CWS.LoadAdv.648· CWS.LoadAdv.649· CWS.LoadAdv.650· CWS.LoadAdv.651· CWS.LoadAdv.652· CWS.LoadAdv.653· CWS.LoadAdv.654· CWS.LoadAdv.655· CWS.LoadAdv.656· CWS.LoadAdv.657· CWS.LoadAdv.658· CWS.LoadAdv.659· CWS.LoadAdv.660· CWS.LoadAdv.661· CWS.LoadAdv.662· CWS.LoadAdv.663· CWS.LoadAdv.664· CWS.LoadAdv.665· CWS.LoadAdv.666· CWS.LoadAdv.667· CWS.LoadAdv.668· CWS.LoadAdv.669· CWS.LoadAdv.670· CWS.LoadAdv.671· CWS.LoadAdv.672· CWS.LoadAdv.673· CWS.LoadAdv.674· CWS.LoadAdv.675· CWS.LoadAdv.676· CWS.LoadAdv.677· CWS.LoadAdv.678· CWS.LoadAdv.679· CWS.LoadAdv.680· CWS.LoadAdv.681· CWS.LoadAdv.682· CWS.LoadAdv.683· CWS.LoadAdv.684· CWS.LoadAdv.685· CWS.LoadAdv.686· CWS.LoadAdv.687· CWS.LoadAdv.688· CWS.LoadAdv.689· CWS.LoadAdv.690· CWS.LoadAdv.691· CWS.LoadAdv.692· CWS.LoadAdv.693· CWS.LoadAdv.694· CWS.LoadAdv.695· CWS.LoadAdv.696· CWS.LoadAdv.697· CWS.LoadAdv.698· CWS.LoadAdv.699· CWS.LoadAdv.700· CWS.LoadAdv.701· CWS.LoadAdv.702· CWS.LoadAdv.703· CWS.LoadAdv.704· CWS.LoadAdv.705· CWS.LoadAdv.706· CWS.LoadAdv.707· CWS.LoadAdv.708· CWS.LoadAdv.709· CWS.LoadAdv.710· CWS.LoadAdv.711· CWS.LoadAdv.712· CWS.LoadAdv.713· CWS.LoadAdv.714· CWS.LoadAdv.715· CWS.LoadAdv.716· CWS.LoadAdv.717· CWS.LoadAdv.718· CWS.LoadAdv.719· CWS.LoadAdv.720· CWS.LoadAdv.721· CWS.LoadAdv.722· CWS.LoadAdv.723· CWS.LoadAdv.724· CWS.LoadAdv.725· CWS.LoadAdv.726· CWS.LoadAdv.727· CWS.LoadAdv.728· CWS.LoadAdv.729· CWS.LoadAdv.730· CWS.LoadAdv.731· CWS.LoadAdv.732· CWS.LoadAdv.733· CWS.LoadAdv.734· CWS.LoadAdv.735· CWS.LoadAdv.736· CWS.LoadAdv.737· CWS.LoadAdv.738· CWS.LoadAdv.739· CWS.LoadAdv.740· CWS.LoadAdv.741· CWS.LoadAdv.742· CWS.LoadAdv.743· CWS.LoadAdv.744· CWS.LoadAdv.745· CWS.LoadAdv.746· CWS.LoadAdv.747· CWS.LoadAdv.748· CWS.LoadAdv.749· CWS.LoadAdv.750· CWS.LoadAdv.751· CWS.LoadAdv.752· CWS.LoadAdv.753· CWS.LoadAdv.754· CWS.LoadAdv.755· CWS.LoadAdv.756· CWS.LoadAdv.757· CWS.LoadAdv.758· CWS.LoadAdv.759· CWS.LoadAdv.760· CWS.LoadAdv.761· CWS.LoadAdv.762· CWS.LoadAdv.763· CWS.LoadAdv.764· CWS.LoadAdv.765· CWS.LoadAdv.766· CWS.LoadAdv.767· CWS.LoadAdv.768· CWS.LoadAdv.769· CWS.LoadAdv.770· CWS.LoadAdv.771· CWS.LoadAdv.772· CWS.LoadAdv.773· CWS.LoadAdv.774· CWS.LoadAdv.775· CWS.LoadAdv.776· CWS.LoadAdv.777· CWS.LoadAdv.778· CWS.LoadAdv.779· CWS.LoadAdv.780· CWS.LoadAdv.781· CWS.LoadAdv.782· CWS.LoadAdv.783· CWS.LoadAdv.784· CWS.LoadAdv.785· CWS.LoadAdv.786· CWS.LoadAdv.787· CWS.LoadAdv.788· CWS.LoadAdv.789· CWS.LoadAdv.790· CWS.LoadAdv.791· CWS.LoadAdv.792· CWS.LoadAdv.793· CWS.LoadAdv.794· CWS.LoadAdv.795· CWS.LoadAdv.796· CWS.LoadAdv.797· CWS.LoadAdv.798· CWS.LoadAdv.799· CWS.LoadBAT· CWS.MadFinder· CWS.MSConfd· CWS.MSConfd.2· CWS.MSConfig· CWS.MSInfo· CWS.MSOffice· CWS.MSSearch· CWS.Msspi· CWS.MSTaskm· CWS.MSUpdate· CWS.MSUpdater· CWS.MSwsc10· CWS.MTwirl32· CWS.MUpdate· CWS.Notepad32· CWS.OEMSysPNP· CWS.OleHelp· CWS.OSLogo· CWS.QTTasks· CWS.Quicken· CWS.Rank· CWS.Searchmeup· CWS.Searchx· CWS.SmartFinder· CWS.SmartSearch· CWS.SoundMX· CWS.Svchost32· CWS.Svcinit· CWS.Sys· CWS.TapiCFG· CWS.TheRealSearch· CWS.Time· CWS.Vrape· CWS.Winproc32· CWS.Winres· CWS.XMLMimeFilter· CWS.XPlugin· CWS.XPSystem· CWS.XXXVideo· CWS.Yexe· DataNotary· RightFinder·

Mailing Address

 dirtyfiles.com, 113 South Main Street Apt. 1, Natick, MA 01760 USA

Date of Origin

 August, 2003

Place of Origin

 Russia
 

Detection and Removal

Manual Removal

 The 'about.blank' homepage hijacker is a difficult pest to remove. This pest consists of two dll files that defend each other from being deleted-if one is deleted, the other one regenerates it. The first file can be found by looking in the Windows System32 folder. The other is located in System32 as well, but is hidden and cannot be seen by just opening the folder and requires a Registry editing program. Both files have randomly generated names, so the files will have different names in different computers.

What to do about the 'about.blank' pest.

  1. The first option is to use a browser other than Microsoft Internet Explorer. The Mozilla, Mozilla Firefox, Opera, and Opera (Java) browsers are unaffected by this problem.
  2. The second option is to remove this pest by hand. We describe how to do this below.

Tools necessary:

  • Registry editing tool. Reglite is a free program that is up to the task. You can download it at http://www.resplendence.com/registry/reglite.htm Download this program and install it.
  • Windows Recovery Console
  • Operating system CD

Steps to take:

The goal is to remove both dll files in the System32 folder. It is possible to work out a set of steps to delete the "unseen" dll first or the "seen" dll first, as long done properly. Lets delete the visible dll first.

  • First
    • Look in the C:\Windows\System32 folder and sort on date by clicking on the 'Modified' tab at the top of the dates column. Find the visible dll, it should be at the top of column when sorted. Jheckb.dll is an example name of a file found by a user, yours will probably have a different name. Rename this file. Open CMD-shell by clicking Start>Run>cmd (or command). Type 'CD\windows\system32' then hit return. Next type 'rename,' hit the spacebar, type the name of the dll file found in system32, type DeleteMeAfterReboot, then hit enter.
    • Reboot your computer and delete this file.
  • Second
    • Open RegLite. Search the Registry for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\
      Windows\\AppInit_DLLs
    • Click on AppInit_DLLs to show the 'value data.' You should see something like: C:Windows\System32\"unseen.dll" A user reported wdm.dll as a dll name, yours will probably be different.
  • Third
    • Install and configure the Windows Recovery Console Option:
      1. Insert your operating system CD.
      2. Run your CD:\i386\winnt32.exe /cmdcons
      3. A dialog box comes up, telling you it takes some memory to install. Click yes to install. The boot menu should appear automatically, if it doesn't do the following: Right Click My Computer. Click Properties. Click Advanced Tab. Click Startup and Recovery Settings. Check Time to Display List of Operating Systems. Readjust the timeout to 30 seconds.
      4. Apply the settings, reboot, and in the recovery console you will see the new option.
    • Then in the Windows Recovery Console go to C:\Windows\System32, you will need full administrator rights, modify the file by using the Attrib command to erase it. Alternatively, you could rename the file.
      • C:\Winnt\System32: rename 'unseen.dll' (whatever the name is) to DeleteMeAfterReboot
      C:\Winnt\System32: attrib -R DeleteMeAfterReboot
  • Fourth
    • Reboot computer.
    • Open RegLite. Search again for: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\
      Windows\\AppInit_DLLs
    • Open AppInit_DLLs. Delete the 'Value:'
    • Open Internet Explorer. Click 'Tools' In the 'Address:' bar enter the homepage of your choosing.

 Stop Running Processes:

Kill these running processes with Task Manager:



Remove Autorun Reference:

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\network service, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\network service, delete it and reboot the machine immediately.



Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:



Clean Registry:

Remove these registry items (if present) with RegEdit:



Remove Files:

Remove these files (if present) with Windows Explorer:



Restore Settings:

After following the instructions above, you will still need to restore your original settings and prevent this from happening again.
 
CWS  CWS.AFF.IEDLL  CWS.AFF.MadFinder  CWS.AFF.ToonComics  CWS.AFF.WinShow  CWS.Aboutblank  CWS.AddClass  CWS.AlFaSearch  CWS.AlFaSearch.2  CWS.Bootconf  
 
Site Map 2006 © Copyright DatabaseofSpyware.com. All rights reserved. Terms of Use
Another Proud Thor Schrock Development