Jump to content


about.blank cure

  • Please log in to reply
1 reply to this topic

#1 roneron



  • Full Member
  • Pip
  • 3 posts

Posted 14 July 2004 - 09:20 AM

I found the cure below on a number of web sites. I have not seen it on this one. Is there some validity to this? I just wanted an expert opinion.

I'm working on a machine that has got the about.blank, and have read every post I could and tried Ad-aware (following instructions), Spybot, FindNfix, about:buster, Hijack this, safemode, deleted files it just keeps coming back.

my post

The supposed cure ...
I just wanted to thank ComputerCops and Akadia in Thun,Switzerland for getting me on the right track!

Here is what I found to cure my situation of having home page hijacked to a pseudo "about:blank" page. By the way, the real web page is revealed below.

To Remove “About:Blank” Hijacker Adware In Windows XP Home edition Service Pack 1 with Internet Explorer 6.0 (probably works in NT and 2000 with some directory name changes only)

My Norton Antivirus did not detect this trouble and I’ve read Several confusing approaches that did not work for me.

Programs Needed:

Reglite.exe (available at “ http://www.resplende...oad/reglite.exe ”)

Microsoft Recovery Console
(an option available on your Windows CD or root drive) run “X:i386winnt32.exe /cmdcons” where “X” is either CD drive letter or is “C” for your root.

(available at “ http://download.com....4-10227352.html ”)

There are two application extensions (.dll) files that Need to be deleted. One is hidden (thanks Akadia!), one is detected with “HiJackThis.exe”

1) With “Reglite.exe” find name of hidden file:

Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows” The “value” window reveals the hidden file name. (mine was “hlpl.dll”, yours may be different!) In this example let’s call it “hidden.dll”

2) Rename the hidden file:

Close Windows and reboot using “Windows Recovery Console” Go to “c:Windowssystem32” and do two things. Change file from read only by typing “attrib –r hidden.dll” Then rename it (I don’t know why, but this procedure did not work until I renamed it) type “rename hidden.dll nasty.dll” (and remember that “hidden.dll” is for this explanation only use the name you found earlier) Type “exit” and reboot to Windows.

3) Edit registry to remove hidden file

Run “reglite.exe” again. Double Click on “AppInit_DLLs” located in “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows” Delete the file in “value” window, the “size” window changes also. “Apply” changes and exit “reglite.exe”

4) Edit registry to remove the second file

Run “HiJackThis.exe” and scan the registry. Check the boxes to remove the following entries:
“R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = res://C:WINDOWSSystem32jheckb.dll/sp.html (obfuscated)
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank” (as you can see my second .dll was called “jheckb.dll” yours may be different) For this example let’s call it “obvious.dll”.

Finally delete the two .dlls (“hidden.dll” and “obvious.dll”) You should be running again.

By the way, if you go offline with Internet Explorer and type OK To these nasty adware windows you will see the guys who benefit. From this hijacker. I found:
www.vn.msie.cc (the real web page)

They seem to be selling “adware/spyware protection” Pass the word, Boycott them, Who needs to be extorted for “protection money”?

#2 cnm


    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 14 July 2004 - 10:29 AM

This is valid fix. But see http://forums.spywar...showtopic=12609 - note updates mentioned near end of thread - and also http://forums.spywar...indpost&p=53663
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!