Computers Q and A - Part #4

Computers 1 - Computers 2 - Computers 3 - Computers 4 - Internet

Q. OK, I have tried everything from Spybot, to Ad-Aware, and this is getting out of hand. I am working on my cousin's computer to clean it up from Spyware and hijackers and I cannot get this "about: BLANK" removed. I have looked deep into the hard-drive and I still cannot find it. The computer is an Hp Pavilon with a 1.6ghz Pentium 4 and it is running Windows XP. It has 256mb DDR SD-RAM.

A. This parasite is particularly difficult to remove. There is a program whose trial version should remove it. The program is Ad-aware Away: www.adwareaway.com.

If you prefer a manual method, www.pchell.com offers this approach:

How did my homepage get set to about:Blank?
The about:Blank homepage hijacker is a variation of a more advanced Cool Web Search hijacker. There are several variants of the about:Blank hijacker and all of them are difficult to remove manually. This hijacker is also referred to as the HomeOldSP hijacker because of the changes to the registry that can be seen using HijackThis, such as
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank

This is very similar in characteristics to the random .dll hijacker also known as HomeSearch Hijacker that came out around the same time. The key to the hijack is a hidden .dll file that is connected to a BHO (Browser Hijack Object). This hidden .dll file shows up in the following registry key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs

Unfortunately removing this about:Blank hijacker can be difficult. It's a very persistent problem that can return quickly if it is not removed carefully.

How do I Remove the about:Blank homepage hijacker?
There are three basic proven methods that help remove this pesky hijacker: A manual one, one using vbscripts, and an automatic one used by a Spyware removal program.

MANUAL METHOD
The manual method of removing the about: Blank hijacker is probably the most difficult, since if it is not followed correctly it can return quickly. Two programs are needed to help with this removal. The first is HijackThis and the next is a registry program called Reglite.exe. This particular program, for whatever reason, seems to be able to find the hidden .dll file without the hijacker trying to undo the work and attack the system again.
Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows

Look for the Key named AppInit_DLLs. The value in this key is the hidden .dll file that is causing your problems. Write down the name of this file and think of it as the hidden .dll file.

Secondly, use the Windows Recovery Console in Windows XP to rename the file.

1. Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option shown below.
2. Type cd windowssystem32 and press Enter.
3. Type the following line to remove the read-only characteristic, replacing "hidden.dll" with the name of the .dll file found with RegLite: ATTRIB -R hidden.dll
4. Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename):
   RENAME hidden.dll badfile.dll
   
5. Type Exit and press Enter to Reboot Windows.

ALTERNATE ACCESS TO RECOVERY CONSOLE
If you have Internet access still, place your Windows XP or Windows 2000 CD in the Drive and cancel out of any auto start menus.

1. Log onto the Internet.
2. Click on the Start button.
3. Click on Run.
4. Type the following in the RUN line and Press Enter:
   D:I386WINNT32.EXE /CMDCONS
   Make sure you use your CD Drive letter in place of the letter D above.
5. The computer will start to install the Recovery Console and add it as a boot option.
6. Once installed, you'll be able to restart your computer and press F8 to start the Boot Menu. Press the ESC key and you should have the following option available to choose: Microsoft Windows Recovery Console
7. Choose your Windows Installation, usually by pressing 1 and pressing Enter.

You'll have to enter the Administrator password to gain access to the Windows Recovery Console. If you do not know your Administrator password, you may try the procedure to help with a bad or unknown Administrator password.

FIX FOR BAD OR UNKNOWN ADMINSTRATOR PASSWORD

1. In Windows, click on Start, Run, and Type REGEDIT.
2. Click on the plus signs (+) next to the following keys:
   • HKEY_LOCAL_MACHINE
   • SOFTWARE
   • MICROSOFT
   • WINDOWS NT
   • CURRENTVERSION
   • SETUP
   • RECOVERY CONSOLE
3. Double-click on the option SECURITYLEVEL in the right-hand column and change the Value Data number to 1 then press OK.
4. Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD.

Next, Remove the hidden.dll file from the registry.

• Open RegLite.exe and navigate to the following registry key:
  HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs
• Double-click on the AppInit_DLLs key, delete the name of the .dll file in the Value Data field, Apply the Changes and click OK, then Exit Registrar Lite.

Edit registry to remove the second file.
Run Hijack This and scan the registry. Check the boxes to remove the entries similar to the following:
R1 - HKCUSoftwareMicrosoftInternetExplorerMain, SearchBar=res://C:WINDOWSsystem32xaiyh.dll/sp.html#29126
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain, Search Page = res://C:WINDOWSsystem32xaiyh.dll/sp.html#29126
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain, Default_Page_URL = about: blank
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain, Default_Search_URL = res://C:WINDOWSsystem32xaiyh.dll/sp.html#29126
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain, Search Bar = res://C:WINDOWSsystem32xaiyh.dll/sp.html#29126
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain, Search Page = res://C:WINDOWSsystem32xaiyh.dll/sp.html#29126
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = res://C:WINDOWSsystem32xaiyh.dll/sp.html#29126

The .dll file shown in these lines (in this case its called xaiyh.dll) is the second problematic file in the about: blank hijack. Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Setting, choose Show Hidden Files and Folders, then click on OK and close My Computer. In Windows XP/2000, you may also want to uncheck the options for "Hide extensions for known file types" and "hide protected operating system files." This will although you to easily find the dll files to delete them.

Lastly, search for and delete the hidden.dll file found through reglite.exe and this second .dll file found using Hijack This.

• Click Start, point to Find or Search, and then click Files or Folders.
• Make sure that "Look in" is set to (C:WINDOWS).
• In the "Named" or "Search for..." box, type or copy and paste the name of the hidden.dll filename you found using Reglite.exe. This file was renamed badfile.dll in our procedure. Search for it and delete it, then repeat this step for the .dll filename you found using Hijack this.

This should completely clean your system of the about: Blank homepage hijacker.

Visit our Community Forums for more answers to your home improvement questions.

Computers 1 - Computers 2 - Computers 3 - Computers 4 - Internet