About:blank infection

December 2016




This solution has been compiled by a working group and was made from numerous proposals posted in open forums. It has been tested successfully on several infected computers. There may be simpler solutions.

You can distribute it, correct it or suggest alternatives.

All the software mentioned is copyrighted and can be downloaded from the Internet.



Software used: AboutBuster, HijackThis, Avast!, Ad-Aware SE Personal, SpywareBlaster.

Symptoms of infection


About:Blank is a Trojan horse that takes over the start page of Internet Explorer and redirects you to a commercial website. In one variant, it also redirects the search page and all searches to a particular page. After some time of use (usually about 20 minutes), it seems to become impossible to load any page other than the commercial site.

Modus operandi


About:Blank creates DLLs in the Windows and System32 folders and uses them as executables. These DLLs have names that lead the "naive user" to take them for system files and therefore not delete them, while "expert users" cannot determine which file to delete. In addition, the root of About:Blank is "partitioned" across multiple programs (especially on "over-layers" of images). Apparently, it has the peculiarity of being able to reconstruct its code from any part, so if everything is not deleted, it will quickly re-install itself.

Disinfection


Close all open programs, especially Internet Explorer: if it is launched, About:Blank will be re-installed.
  • 1 - First, start AboutBuster, which will remove a very large part of the DLLs installed by About:Blank.
  • 2 - Then, run HijackThis and:
    • Delete all lines that point to commercial sites.
    • If you have any doubt about these lines, you can always post them on the appropriate forum.
  • 3 - Then run Avast and clean all the "visible" files related to About:Blank. Some files are inaccessible, for now.
  • 4 - Restart in Safe Mode (press F8 or F5 repeatedly at startup and choose the option). Run Avast again. If files are still inaccessible, schedule the antivirus software to run automatically at the next startup, with the option to correct the files. If that does not work, use the Delete Files option.
  • 5 - Restart in normal mode. Run Ad-Aware SE, which will first clean the harmful files that remain.
  • 6 - Run SpywareBlaster and use its Tools to correct the home pages and the search feature. Do not close it for now.
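
To check the result after step 6, the following read-only PowerShell script lists the Internet Explorer start and search page settings and the DLLs recently created in the Windows and System32 folders. It is an added example, not part of the original guide or of any of the tools named above; the 30-day window is an assumption to adjust.

```powershell
# Added example: read-only check, nothing on the system is modified.
# Assumption: "recent" means created within the last 30 days.
$days = 30

# 1. Internet Explorer start/search page values, per-user and machine-wide.
$ieKeys  = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
           'HKLM:\Software\Microsoft\Internet Explorer\Main'
$ieNames = 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL'

$settings = foreach ($key in $ieKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $ieNames) {
        $p = $props.PSObject.Properties[$name]
        if ($p) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $p.Value }
        }
    }
}
# Any value still pointing to a commercial site means the hijack is not fully removed.
$settings | Format-Table -AutoSize -Wrap

# 2. DLLs created recently in the two folders the Trojan writes to.
$cutoff  = (Get-Date).AddDays(-$days)
$folders = $env:windir, (Join-Path $env:windir 'System32')

$recent = Get-ChildItem -Path $folders -Filter *.dll -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Created   = $_.CreationTime
            Signature = $sig.Status
            Path      = $_.FullName
        }
    }

# NotSigned is a hint only: some legitimate system files are signed through a
# catalog and, depending on the PowerShell version, may be reported as NotSigned.
$recent | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt with Internet Explorer closed, and compare the DLL list with the files reported by the tools above before deleting anything.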

Protection: to protect the computer from a subsequent infection

  • 1 - With SpywareBlaster, enable the resident protections in the list.
  • 2 - For users of Mozilla, re-run Ad-Aware SE and use the options available.
  • 3 - Start the Avast resident protection (which is normally enabled by default).
    • Note: you can use Stinger to complete the cleaning process.




This document entitled « About:blank infection » from CCM (ccm.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.