Spyware

Candace

I have been having a horrible problem with the following
trojan, malware and adware:
Unclassified.Spyware.65
Unclassified.Trojan.Z
Adware.Search.Page

Has anyone had these and if so how can I get rid of them
entirely? I have used Microsoft Beta 1.0 NUMEROUS times -
they just keep coming up and Microsoft AntiSpyware keeps
running to remove them but to no avail. Apparently they
are components of about:blank. Thanks for any help.
 
jwhj

Have the same problem. Even the Browser Restore in MS
AntiSpyWare won't seem to stop the rewriting back
to "about:blank" and the installation of the search
page "bestwebslinks.com". I put it and
the "helpyoursearch.com" links in the restricted sites.
Will be checking later.
jw
 
Chuck

Do you use only one spyware? I find that having more than one will do the
job. I use Microsoft Antispyware, NoAdware and CCleaner. Try more than one.
 
Engel

Steps to take if you have spyware that is not removed by
Microsoft Windows
AntiSpyware (beta)
1) Open up AntiSpyware
2) Click Tools at the top
3) Click "Submit a Suspected Spyware Report"
4) Fill out the form with as much detail so they can
analyze quickly

By doing these steps before trying something new, you make
the product better.

Thanks again for testing the beta!!!!



The About:Blank homepage hijacker is a variation of a more
advanced Cool Web Search hijacker. There are several
variants of the About:Blank hijacker and all of them are
difficult to remove manually. This hijacker is also
referred to as the HomeOldSP hijacker because of the
changes to the registry that can be seen using HijackThis
such as

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

This is very similar in characteristics to the random dll
hijacker also known as HomeSearch Hijacker that came out
around the same time. The key to the hijack is a hidden
dll file that is connected to a BHO (Browser Hijack
Object). This hidden dll file shows up in the following
registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Unfortunately removing this About:Blank hijacker can be
difficult. It's a very persistent problem that can return
quickly if it is not removed carefully.




There are three basic proven methods that help remove this
pesky hijacker, a manual one, one using vbscripts and an
automatic one used by a spyware removal program.

MANUAL METHOD

The manual method of removing the About:Blank hijacker is
probably the most difficult, since if it is not followed
absolutely correctly it can return quickly. There are two
programs that are needed to help with this removal. The
first is HijackThis and the next is a registry program
called Reglite.exe, this particular program for whatever
reason seems to be able to find the hidden dll file
without the hijacker trying to undo the work and attack
the system again.

Once you've downloaded HijackThis and Reglite, open
Registrar Lite and navigate to the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look for the Key named AppInit_DLLs, the value in this key
is the hidden dll file that is causing your problems.
Write down the name of this file and think of it as the
hidden.dll file.

Secondly, use the Windows Recovery Console in Windows XP
to rename the file.

Restart the computer in Recovery Console mode using the
Windows XP or Windows 2000 CD or by the option shown below

Type cd \windows\system32 and press Enter

Type the following line to remove the read-only
characteristic, replacing hidden.dll with the name of the
dll file found with RegLite
ATTRIB -R hidden.dll

Rename the hidden.dll file by typing the following command
(replacing the word hidden.dll with the actual filename)
RENAME hidden.dll badfile.dll

Type Exit and press Enter to Reboot Windows

----------------------------------------------------------

ALTERNATE ACCESS TO RECOVERY CONSOLE

If you have Internet access still, place your Windows XP
or Windows 2000 CD in the Drive and cancel out of any
autostart menus.
1) Log onto the Internet
2) Click on the Start button
3) Click on Run
4) Type the following in the RUN line and Press Enter

D:\I386\WINNT32.EXE /CMDCONS

Make sure you use your CD Drive letter in place of the
letter D above

5) The computer will start to install the Recovery Console
and add it as a boot option.
6) Once installed, you'll be able to restart your computer
and press F8 to start the Boot Menu. Press the ESC key and
you should have the following option available to choose

MICROSOFT WINDOWS RECOVERY CONSOLE

7) Choose your Windows Installation, usually by pressing
1 and pressing Enter.

You'll have to enter the Administrator password to gain
access to the Windows Recovery Console. If you do not know
your Administrator password, you may try the procedure to
help with a bad or unknown Administrator password.

FIX FOR BAD OR UNKNOWN ADMINISTRATOR PASSWORD

1) In Windows, click on Start, Run, and Type REGEDIT
2) Click on the plus signs (+) next to the following keys

HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS NT
CURRENTVERSION
SETUP
RECOVERY CONSOLE
3) Double-click on the option SECURITYLEVEL in the right-
hand column and change the Value Data number to 1 then
press OK

4) Restart the computer in Recovery Console mode using the
Windows XP or Windows 2000 CD


----------------------------------------------------

Next, Remove the hidden.dll file from the registry

Open RegLite.exe and navigate to the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Double-click on the AppInit_DLLs key, delete the name of
the dll file in the Value Data field, Apply the Changes
and click OK then Exit Registrar Lite.

Edit registry to remove the second file

Run HiJackThis and scan the registry. Check the boxes to
remove the entries similar to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126

The dll file shown in these lines (in this case it's called
xaiyh.dll) is the second problematic file in the
about:blank hijack.

Open My Computer and choose Tools, then click on Folder
Options, click on the View tab and under Advanced Setting,
choose Show Hidden Files and Folders, then click on OK and
close My Computer. In Windows XP/2000, you may also want
to uncheck the options for "Hide extensions for known file
types" and "hide protected operating system files". This
will allow you to easily find the dll files to delete
them.

Lastly, search for and delete the hidden.dll file found
through reglite.exe and this second dll file found using
HijackThis.

Click Start, point to Find or Search, and then click Files
or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and
paste, the name of the hidden.dll filename you found using
Reglite.exe. This file was renamed badfile.dll in our
procedure. Search for it and delete it, then repeat this
step for the dll filename you found using Hijackthis.
This should completely clean your system of the
About:Blank homepage hijacker.


VBSCRIPTS REMOVAL METHOD

A company called Silent Runners has come up with several
Visual Basic Scripts used in conjunction with Registrar
Lite 2.0 to remove the About:Blank version of the CWS Cool
Web Search hijacker. You can visit their website and read
through the instructions by clicking on the following link:

http://www.silentrunners.org/sr_cwsremoval.html

AUTOMATIC REMOVAL METHOD

A new adware removal program called Adware Away has proven
very successful in removing the About:Blank homepage
hijacker along with many other hijacker type programs.
They have a trial version that is fully functional which
allows most people to remove the About:Blank hijacker
without having to purchase it. The trial version of Adware
Away seems to last between 5 to 7 days before timing out
and requiring payment. You can visit their webpage and
download a trial of Adware Away by clicking on the
following link. You may also purchase the program for
$29.95.

I recommend this program for instances where the manual
removal methods don't work. Currently there are about 5
variants of the About:Blank homepage hijacker and Adware
Away handles all these variants.

http://www.adwareaway.com/aboutblank.htm
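
Added example, not part of the post above or of any tool it names: a Python triage script that reads HijackThis R0/R1 lines like the ones quoted in the post, lists the entries that point at about:blank, HomeOldSP or a res:// page inside a DLL, and collects the DLL paths to look for. The sample log is built from entries quoted in the post plus one constructed benign line; the function names are illustrative, and split_appinit assumes the AppInit_DLLs value is a list of names separated by spaces or commas.

```python
import re

# Sample input: entries quoted in the post, plus one constructed benign line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

# "R1 - <registry key>,<value name> = <data>"
ENTRY = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?)\s*=\s*(.*)$")
# res://<path to dll>/<resource> : a page served from inside a DLL
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

def parse_entries(log_text):
    """Yield (section, key, value_name, data) for each R0/R1 line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip(), m.group(4).strip()

def triage(log_text):
    """Return (flagged entries, sorted DLL paths referenced via res:// URLs)."""
    flagged, dlls = [], set()
    for _section, key, name, data in parse_entries(log_text):
        res = RES_DLL.match(data)
        if res:
            dlls.add(res.group(1).lower())
            flagged.append((key, name, "res:// page served from a DLL"))
        elif name == "HomeOldSP":
            flagged.append((key, name, "HomeOldSP value present"))
        elif data.lower() == "about:blank":
            flagged.append((key, name, "page set to about:blank"))
    return flagged, sorted(dlls)

def split_appinit(value):
    """Split an AppInit_DLLs value (space- or comma-separated) into names."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]

if __name__ == "__main__":
    flagged, dlls = triage(SAMPLE_LOG)
    for key, name, reason in flagged:
        print(f"{key},{name}: {reason}")
    print("DLLs to locate:", dlls)
```

An empty AppInit_DLLs value yields an empty list; any name it does return is the file the post calls hidden.dll.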
 
Guest

I am glad it is working for you. I would prefer if
Microsoft would fix the problems with the Beta version of
spyware without me having to invest in a number of
products
 
Chuck

Everything I use is free, just a download away. Oops, Adware I had to pay for,
I think. At my age it is hard to remember.
 
