How to remove Blank Homepage Hijacker.

KMA

How you get it:
About:Blank homepage hijacker is a variation of a more advanced Cool Web Search hijacker. There are several variants of the About:Blank hijacker and all of them are difficult to remove manually. This hijacker is also referred to as the HomeOldSP hijacker because of the changes to the registry that can be seen using HijackThis such as:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

This is very similar in characteristics to the random dll hijacker also known as HomeSearch Hijacker that came out around the same time. The key to the hijack is a hidden dll file that is connected to a BHO (Browser Hijack Object). This hidden dll file shows up in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Removing this About:Blank hijacker can be difficult. It's a very persistent problem that can return quickly if it is not removed carefully.

How you can remove it:
There are three basic proven ways that help remove this hijacker, a manual one, one using vbscripts and an automatic one used by a spyware removal program.

Manual Method:
The manual method of removing the About:Blank hijacker is probably the hardest, since if it is not followed absolutely correctly it can return quickly. There are two programs that are needed to help with this removal. The first is HijackThis and the next is a registry program called Reglite.exe. This program, for whatever reason, seems to be able to find the hidden dll file without the hijacker trying to undo the work and attack the system again.

Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look for the Key named AppInit_DLLs. The value in this key is the hidden dll file that is causing your problems. Write down the name of this file and think of it as the hidden.dll file.

Secondly, use the Windows Recovery Console in Windows XP to rename the file:

Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option shown below.
Type cd \windows\system32 and press Enter.
Type the following line to remove the read-only characteristic, replacing hidden.dll with the name of the dll file found with RegLite:

ATTRIB -R hidden.dll

Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename):

RENAME hidden.dll badfile.dll

Type Exit and press Enter to Reboot Windows.


ALTERNATE ACCESS TO RECOVERY CONSOLE:

If you still have Internet access, place your Windows XP or Windows 2000 CD in the Drive and cancel out of any autostart menus:

Log onto the Internet.
Click on the Start button.
Click on Run.
Type the following in the RUN line and Press Enter:

D:\I386\WINNT32.EXE /CMDCONS

Make sure you use your CD Drive letter in place of the letter D above

The computer will start to install the Recovery Console and add it as a boot option.
Once installed, you'll be able to restart your computer and press F8 to start the Boot Menu. Press the ESC key and you should have the following option available to choose:

MICROSOFT WINDOWS RECOVERY CONSOLE

Choose your Windows Installation, usually by pressing 1 and pressing Enter.

Yah have to enter the Administrator password to gain access to the Windows Recovery Console. If yah do not know your Administrator password, you may try this to help with a bad or unknown Administrator password:

FIX FOR BAD OR UNKNOWN ADMINISTRATOR PASSWORD:

In Windows
Click on Start.
Then Run and Type REGEDIT
Click on the plus signs (+) next to the following keys:

HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS NT
CURRENTVERSION
SETUP
RECOVERY CONSOLE

Double-click on the option SECURITYLEVEL in the right-hand column and change the Value Data number to 1 then press OK

Restart your computer in Recovery Console mode using the Windows XP or Windows 2000 CD.

Next yah have to remove the hidden.dll file from the registry.

Open RegLite.exe and navigate to the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Double-click on the AppInit_DLLs key, delete the name of the dll file in the Value Data field.
Apply the Changes and click OK.
Exit Registrar Lite.

Edit registry to remove the second file

Run HiJackThis and scan the registry. Check the boxes to remove the entries similar to the following:

R1 - HKCU\Software\Microsoft\InternetExplorer\Main,SearchBar=res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126

The dll file shown in these lines (in this case it's called xaiyh.dll) is the second problem file in the about:blank hijack.

Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Setting, choose Show Hidden Files and Folders, then click on OK and close My Computer. In Windows XP/2000, you might also want to uncheck the options for "Hide extensions for known file types" and "hide protected operating system files". This lets you easily find the dll files to delete them.

Last step, search for and delete the hidden.dll file found through reglite.exe and this second dll file found using HijackThis:

Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the name of the hidden.dll filename you found using Reglite.exe. This file was renamed badfile.dll in our procedure. Search for it and delete it, then repeat this step for the dll filename you found using Hijackthis.

This should completely clean your system of the About:Blank homepage hijacker!!!
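
Added example, not part of the original post: a Python sketch that triages the R0/R1 lines of a HijackThis log in the format quoted above, flagging HomeOldSP, about:blank defaults and res:// values, and listing the DLL each res:// value points at. The sample log is constructed from the lines in the post plus one made-up benign entry, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: R0/R1 lines in the format quoted in the post, plus one benign entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

# "R0 - <key>,<value name> = <data>"; spaces around "=" are optional in pasted logs.
LINE_RE = re.compile(r"^(R[0-3]) - ([^,]+),([^=]+?)\s*=\s*(.*)$")
# res:// URLs load a page embedded in a local file; capture that file's path.
RES_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

def parse_line(line):
    """Split one HijackThis R-section line into its parts, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, key, name, data = m.groups()
    return {"code": code, "key": key, "name": name.strip(), "data": data.strip()}

def triage(log_text):
    """Return (findings, dlls): flagged entries and DLL path -> number of references."""
    findings, dlls = [], defaultdict(int)
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        res = RES_RE.match(entry["data"])
        if res:
            dlls[res.group(1).lower()] += 1
            findings.append((entry, "points at a page inside a local DLL"))
        elif entry["name"].lower() == "homeoldsp":
            findings.append((entry, "HomeOldSP value named in the post"))
        elif entry["data"].lower() == "about:blank":
            findings.append((entry, "about:blank set as a default page"))
    return findings, dict(dlls)

if __name__ == "__main__":
    findings, dlls = triage(SAMPLE_LOG)
    for entry, reason in findings:
        print(f'{entry["code"]} {entry["key"]},{entry["name"]}: {reason}')
    for path, count in dlls.items():
        print(f"DLL to look for on disk: {path} ({count} references)")
```

The DLL paths it lists correspond to the "second dll file" in the procedure above; the AppInit_DLLs value still has to be read from the registry separately.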
 

THE KOD

KMA

CC posted a Spysweeper program that I downloaded and got rid of it. Adware program I purchased wouldn't get rid of it.

Questions

1. Why does it return? How does it come back? Emails? Sites visited regularly?

2. Don't they realize that hijacking our home pages is going to piss us off and whatever they are trying to sell we will never use their search engine or whatever? Why cause so much trouble to people?

3. How can we trust programs like SpySweeper ? We allow them to go through our complete registry. How do we know they are not installing things for pop up ads and worse?

It's to their advantage to have you continue to have problems after the free 30 day trial is up. Otherwise you won't buy it.

Would they be able to send you about/blank etc to kind of force the purchase?

thanks in advance.

This about blank really has made me mad over the last month.
 

KMA

Don't worry about SpySweeper; it has been tested by multiple PC experts, and continues to undergo stringent testing on a regular basis, and it does not install any ad- or spyware. But you now need more than one spyware scanner since there are so many variants coming out. I recommend using either AD-aware or Spyware search and Destroy. If you are still using IE, get used to having your homepage hijacked every once in a while. 80 percent or more of everyone on the net uses it so everyone targets it; use Mozilla (or you can also use FireFox), that way not everyone is gunning for you.
The people who hijack your homepage think the same way that the spammers do, they sent it to you and you now see what they want you to see, so you must want it and you need to give them money for nothing. Great business model isn't it???
 

THE KOD

Thanks KMA

I have been thinking of starting my own computer company. Hiring the best computer people I can find, and going into the about blank business. Someone is making money doing this.
Might as well be me.

Just like in the business world, money is behind 90% of anything you can think of.
 

saint

Well, it took me about 5 hours but I finally got mine removed. I found an awesome site that let me post the log of my HijackThis result on their messageboard and they gave me specific directions on which files to delete pertinent to my specific spyware.
 

ScreaminPain

saint said:
Well, it took me about 5 hours but I finally got mine removed. I found an awesome site that let me post the log of my HijackThis result on their messageboard and they gave me specific directions on which files to delete pertinent to my specific spyware.

Can you direct me to that site? I have a similar problem with a different variant of this beast. I ran HijackThis in safe mode, checked the appropriate boxes and the thing still came back on reboot.

Thanks
 

saint

Yeah, the site is actually a huge help. I post HijackThis logs and this guy directs me on what to do; it has been a huge help, he has answered like 3 of my posts. Here is the link to my post (heelyes). Join the site and post there and you will be helped like I am.

http://forums.techguy.org/t314607.html

If this link gets removed, get my email from jack.
 