AHHHH, spyware help please.

Simply In The Red

is broke.
Lost in Texas
I've got a nasty problem that I am getting very pissed with. I have something on my computer that changes my homepage to "about:blank" every time I open Internet Explorer and then gives me a popup advertising spyware removal. :mad: How can someone expect to get customers for spyware removal by giving them spyware? :nono: I've already run Norton virus removal, Panda online virus detection, Ad-aware with updates, and Spybot S&D. I still have the same damn problem. :mad: Norton says I'm clean. Panda says I'm clean. Ad-aware removed a couple of trackers after I updated and now says I'm clean. Anyone have some help before I really get mad? :mad:
 

loungelizard

Lebanon Missouri
Try going to the website you use for your start page, click Tools, Internet Options, and under Home Page use Current. Hope this works for ya.

good luck,
ll
 

SixFive

bonswa
BG, KY, USA
Had a similar problem in the past, and it seems that Ad-aware and S&D should have taken care of it. You are for sure updating Ad-aware before you start that program, right?
 

Simply In The Red

is broke.
Lost in Texas
loungelizard said:
Try going to the website you use for your start page, click Tools, Internet Options, and under Home Page use Current. Hope this works for ya.

good luck,
ll

If I do that, when I re-open Explorer, I'm back to the page with a popup.
 

Statman02

Registered User
Had this problem last week and was just about ready to junk my computer. Finally got it all off with McAfee virus scan; it removed over 50 trojans, dialer programs, and home page redirectors. I tried all that other stuff you mentioned first, but the McAfee program was the only one that worked. Good luck.
 

Simply In The Red

is broke.
Lost in Texas
RexBudler said:
I had the same problem and did a system restore back to about a month ago and now it is fine ;)

I might be trying that one next.

I found an update reference list for Ad-aware that was dated today. The new scan gave me this:

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Main, Start Page = about:blank
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Main, Search Page = temp\sp.html
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Main, Search Bar = temp\sp.html
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Search, SearchAssistant = temp\sp.html
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Main, Search Page = temp\sp.html
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Main, Search Bar = temp\sp.html
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Search, SearchAssistant = temp\sp.html

I removed them but had to open a new Explorer window and they came right back. I just got a notice of a Microsoft security update that prevents a malicious user from coming in through Media Player. :mad: Figures that my Media Player quit today right after this crap started.
 

Simply In The Red

is broke.
Lost in Texas
I just went to the Lavasoft support forums and apparently this thing is all over the place. :mad: I'd like to meet the developer of this crap and :nutkick

This problem appears to be gone for the moment after a few things I did from the lavasoft forums and computercops.com.

The sites responsible for putting this crap out sell spyware removal tools. :mad:
www.palsol.com
www.likesurfing.com
www.vn.msie.cc (the real web page)

ChrryBlstr

Registered User
Hoosier country
hey simply in the red (or anyone else out there who has had the same problem)!!!

well....halfway into my reading week/spring break and i've run into the same thing....a real pain in the ass....and i'm finding that i can't even access some e-journals that i may possibly need....and forget about checking my e-mail....this virus is a damn bitch!!!

has anyone else encountered this problem....and if so....how the hell do you rectify it???

like simply....have already run housecall, avg, adaware, spybot and spykiller....and the damn bug still exists!!!

any help would be greatly appreciated!!!

peace!!!

:)
 

SixFive

bonswa
BG, KY, USA
last time I had similar, I had to manually delete out of my registry. Spybot S&D will show you where the bugs are.
 

7up

Registered User
smyrna,tn
The System Restore feature usually works for me; just restore back to a couple of days before the spyware took over your computer.

good luck to all
 

KMA

Registered User
Yah got about:blank. THAT'S what yah got to get rid of. I posted how to get rid of it step by step once. I don't have the time to search for it but I'll come back and try to leave the info for yah. Don't go downloading a lot of quick fixes!!!
 

KMA

Registered User
How did my homepage get set to About:Blank???

The About:Blank homepage hijacker is a variation of the more advanced Cool Web Search hijacker. There are several variants of the About:Blank hijacker and all of them are difficult to remove manually. This hijacker is also referred to as the HomeOldSP hijacker because of the changes to the registry that can be seen when using HijackThis, like:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


It's VERY close in characteristics to the random dll Hijacker also known as HomeSearch Hijacker that came out around the same time. The key to the hijack is a hidden dll file that is connected to a BHO (Browser Hijack Object). This hidden dll file shows up in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs


Getting rid of the About:Blank hijacker can be a bitch. It's a very tenacious problem that can return quickly if it is not removed carefully.

MANUAL METHOD:

The manual method of removing the About:Blank hijacker is probably the hardest, since if it is not followed ABSOLUTELY correctly it can return quickly. There are two programs that are needed to help with this removal. The first is HijackThis and the second is a registry program called Reglite.exe (Registrar Lite), which for some reason seems to be able to find the hidden dll file without the hijacker trying to undo the work and attack the system again!!!

Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look for the key named AppInit_DLLs; the value in this key is the hidden dll file that is causing your problems. Write down the name of this file and think of it as the hidden.dll file.

Secondly, use the Windows Recovery Console in Windows XP to rename the file.

Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option shown below.

Type cd \windows\system32 and press Enter

Type the following line to remove the read-only attribute, replacing hidden.dll with the name of the dll file found with RegLite:

ATTRIB -R hidden.dll

Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename):

RENAME hidden.dll badfile.dll

Type Exit and press Enter to reboot Windows.



ALTERNATE ACCESS TO RECOVERY CONSOLE:

If yah have Internet access still, place your Windows XP or Windows 2000 CD in the Drive and cancel out of any autostart menus:

Log onto the Internet.
Click on the Start button.
Click on Run.
Type the following in the RUN line and Press Enter.


D:\I386\WINNT32.EXE /CMDCONS

Make sure yah use your CD Drive letter in place of the letter D above.


The computer will start to install the Recovery Console and add it as a boot option:

Once installed, you'll be able to restart your computer and press F8 to start the Boot Menu. Press the ESC key and yah should have the following option available to choose:

MICROSOFT WINDOWS RECOVERY CONSOLE


Choose your Windows Installation, usually by pressing 1 and pressing Enter.

You'll have to enter the Administrator password to gain access to the Windows Recovery Console. If yah do not know your Administrator password, yah may try the procedure to help with a bad or unknown Administrator password.



FIX FOR BAD OR UNKNOWN ADMINISTRATOR PASSWORD:

In Windows, click on Start, Run, and Type REGEDIT
Click on the plus signs (+) next to the following keys:

HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS NT
CURRENTVERSION
SETUP
RECOVERY CONSOLE

Double-click on the option SECURITYLEVEL in the right-hand column and change the Value Data number to 1, then press OK.

Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD


Now, remove the hidden.dll file from the registry:

Open RegLite.exe and navigate to the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Double-click on the AppInit_DLLs key, delete the name of the dll file in the Value Data field, apply the changes and click OK, then

Exit Registrar Lite.

Edit registry to remove the second file:

Run HijackThis and scan the registry. Check the boxes to remove the entries similar to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126

The dll file shown in these lines (in this case it's called xaiyh.dll) is the second problematic file in the about:blank hijack!!!

Open My Computer and choose:
Tools, then click on
Folder Options,
click on the View tab and under Advanced Setting, choose
Show Hidden Files and Folders,
then click on OK and close My Computer.

In Windows XP/2000, yah might also want to uncheck the options for "Hide extensions for known file types" and "Hide protected operating system files". This will allow yah to easily find the dll files to delete them.

Lastly, search for and delete the hidden.dll file found through Reglite.exe and the second dll file found using HijackThis.

Click Start, point to
Find or Search, and then
click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for" box, type, or copy and paste, the name of the hidden.dll filename yah found using Reglite.exe. This file was renamed badfile.dll in this procedure. Search for it and delete it, then repeat this step for the dll filename yah found using HijackThis.

This should completely clean your system of the About:Blank homepage hijacker!!!


Good Luck!!!!
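The procedure above, and the Ad-aware and HijackThis output posted earlier in the thread, boil down to a triage step: collect the hijacked R0/R1 values and the AppInit_DLLs entry, pull out every DLL they point at, and turn that into the list of registry values to reset and the files to rename in the Recovery Console. The script below is an added example, not code from KMA's post or from HijackThis, Ad-aware or Registrar Lite. It does not touch a live registry: it parses a HijackThis-style log and the text of the AppInit_DLLs value as copied out of Registrar Lite, so it can run on any machine. The log lines, the example.com start page and the DLL names (xaiyh.dll from the post, hidden.dll as the post's placeholder) are constructed sample input, and the C:\WINDOWS\system32 location is assumed from the post's `cd \windows\system32` step.

```python
"""Triage helper for the about:blank / HomeOldSP hijack described in the thread.

Added example; not part of the original post and not code from any tool it names.
Input: a HijackThis-style log (text) and the AppInit_DLLs value (text).
Output: the registry values to reset, the DLL files to rename offline, and the
Recovery Console commands for them.
"""
import re
from typing import Dict, List

# Constructed sample: the R0/R1 lines quoted in the post, plus one benign
# Start Page line to show that only hijack-shaped values are reported.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""
# Constructed: AppInit_DLLs as it would read on an infected box (it is empty on a
# clean Windows 2000/XP install). "hidden.dll" is the thread's placeholder name.
SAMPLE_APPINIT = "hidden.dll"
# Assumed system directory; the post's Recovery Console step does cd \windows\system32.
SYSTEM32 = r"C:\WINDOWS\system32"

# "R1 - HKCU\...\Main,Search Bar = res://..." -> (type, key, value name, data)
HJT_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),\s*([^=]+?)\s*=\s*(.*)$")
# res:// loads an HTML resource out of a module, so the module path is the DLL.
RES_DLL = re.compile(r"res://([^/#]+\.dll)", re.IGNORECASE)


def is_hijack_value(value: str) -> bool:
    """A res:// URL into a DLL, or anything pointing at sp.html, is the hijacker's
    signature. about:blank on its own is only the symptom (a user can set it on
    purpose), so it is reported but never names a DLL by itself."""
    v = value.strip().lower()
    return v == "about:blank" or v.startswith("res://") or "sp.html" in v


def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Return the R0/R1 entries whose data looks hijacked."""
    findings = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m and is_hijack_value(m.group(4)):
            findings.append({"key": m.group(2), "name": m.group(3), "value": m.group(4)})
    return findings


def parse_appinit(value: str) -> List[str]:
    """AppInit_DLLs is a space- or comma-separated list of DLLs that every process
    loading user32.dll also loads. That is why the file is always in use inside
    a running Windows and has to be renamed from the Recovery Console."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def cleanup_plan(hjt_log: str, appinit_value: str) -> Dict[str, object]:
    """Combine both sources into one list of values to reset and files to rename."""
    findings = parse_hjt(hjt_log)
    dlls = set()
    for f in findings:
        for m in RES_DLL.finditer(f["value"]):
            dlls.add(m.group(1))
    appinit = parse_appinit(appinit_value)
    for name in appinit:
        # A bare name in AppInit_DLLs is resolved from the system directory.
        dlls.add(name if "\\" in name else SYSTEM32 + "\\" + name)
    return {
        "registry_values": findings,
        "appinit_dlls": appinit,
        "dll_files": sorted(dlls, key=str.lower),
    }


def recovery_console_commands(dll_files: List[str]) -> List[str]:
    """Commands to type after 'cd \\windows\\system32' in the Recovery Console.
    The post renames to badfile.dll; with two files each needs a distinct name,
    so the original name plus .bad is used. Renaming keeps a copy for a scanner."""
    cmds = []
    for path in dll_files:
        name = path.rsplit("\\", 1)[-1]
        cmds.append(f"ATTRIB -R {name}")
        cmds.append(f"RENAME {name} {name}.bad")
    return cmds


if __name__ == "__main__":
    plan = cleanup_plan(SAMPLE_HJT_LOG, SAMPLE_APPINIT)
    print("Registry values to reset:")
    for f in plan["registry_values"]:
        print(f"  {f['key']},{f['name']} = {f['value']}")
    print("DLL files to rename offline:", *plan["dll_files"], sep="\n  ")
    print("Recovery Console commands:", *recovery_console_commands(plan["dll_files"]), sep="\n  ")
```

On the sample input the script reports six hijacked values (the about:blank Default_Page_URL and the five res:// entries), leaves the ordinary http:// Start Page alone, and names two files to rename: hidden.dll from AppInit_DLLs and xaiyh.dll from the res:// URLs. Run it against your own HijackThis log and the AppInit_DLLs string you copied out of Registrar Lite; if AppInit_DLLs is empty and no value points into a DLL, the about:blank you see is just a leftover setting, not the hijacker.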

ChrryBlstr

Registered User
Hoosier country
thanks a bunch for the responses....especially you, kma!!!

i followed your instructions but was having problems deleting one of the two dlls because it was apparently being accessed by windows as soon as the windows prog loaded up....i guess that was one of the check the hacks encrypted....anywayssssss....not sure if it was a fluke or not....BUT....i was able to delete the dll file after a few attempts by doing so in SAFE MODE....so....that's what worked for me!!!

my advice to anyone else that runs into this problem....follow KMA's instructions completely....and if you come across a persistent file that you can't get rid of....then try deleting it in safe mode....like i said....fluke or not....it did work for me....and i sure ain't no comp whiz!!!

thanks again, KMA!!!

:)