Solved

Manual About Blank Page Removal

Posted on 2005-03-09
Last Modified: 2012-06-21
Can anyone give the steps for manually removing the About:Blank page? The removal process should only make use of FREE antispyware programs that can be downloaded over the internet, and the only registry editor is regedit.exe, which is built into the Windows operating system. The system is Windows XP (Home or Professional w/ or w/o SP1 or SP2). Please provide the complete steps in correct chronological order. I heard that about:blank has 8 variants. I only require one removal process, but if you can provide all for the 8 variants, it would be better. Also, if it requires a browser, only IE should be used. I only need the step-by-step process.
Question by:bandidosboy
16 Comments
 
LVL 5

Expert Comment

by:e_sandrs
ID: 13501261
Here's an ok writeup for the about:blank issue from http://www.pchell.com/support/aboutblank.shtml

The About:Blank homepage hijacker is a variation of a more advanced Cool Web Search hijacker. There are several variants of the About:Blank hijacker and all of them are difficult to remove manually. This hijacker is also referred to as the HomeOldSP hijacker because of the changes to the registry that can be seen using HijackThis, such as

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

This is very similar in characteristics to the random dll hijacker also known as HomeSearch Hijacker that came out around the same time. The key to the hijack is a hidden dll file that is connected to a BHO (Browser Hijack Object). This hidden dll file shows up in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Unfortunately, removing this About:Blank hijacker can be difficult. It's a very persistent problem that can return quickly if it is not removed carefully.

How do I Remove the About:Blank homepage hijacker?

There are three basic proven methods that help remove this pesky hijacker, a manual one, one using vbscripts and an automatic one used by a spyware removal program.

MANUAL METHOD

The manual method of removing the About:Blank hijacker is probably the most difficult, since if it is not followed absolutely correctly it can return quickly. There are two programs that are needed to help with this removal. The first is HijackThis and the next is a registry program called Reglite.exe; this particular program, for whatever reason, seems to be able to find the hidden dll file without the hijacker trying to undo the work and attack the system again.

Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Look for the Key named AppInit_DLLs; the value in this key is the hidden dll file that is causing your problems. Write down the name of this file and think of it as the hidden.dll file.

Secondly, use the Windows Recovery Console in Windows XP to rename the file.

    * Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option shown below
    * Type cd \windows\system32 and press Enter
    * Type the following line to remove the read-only characteristic, replacing hidden.dll with the name of the dll file found with RegLite

          ATTRIB -R hidden.dll

    * Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename)

         RENAME hidden.dll badfile.dll

    * Type Exit and press Enter to Reboot Windows

ALTERNATE ACCESS TO RECOVERY CONSOLE

If you have Internet access still, place your Windows XP or Windows 2000 CD in the Drive and cancel out of any autostart menus.
1) Log onto the Internet
2) Click on the Start button
3) Click on Run
4) Type the following in the RUN line and Press Enter

D:\I386\WINNT32.EXE  /CMDCONS

Make sure you use your CD Drive letter in place of the letter D above

5) The computer will start to install the Recovery Console and add it as a boot option.
6) Once installed, you'll be able to restart your computer and press F8 to start the Boot Menu. Press the ESC key and you should have the following option available to choose

MICROSOFT WINDOWS RECOVERY CONSOLE

7)  Choose your Windows Installation, usually by pressing 1 and pressing Enter.

You'll have to enter the Administrator password to gain access to the Windows Recovery Console. If you do not know your Administrator password, you may try the procedure to help with a bad or unknown Administrator password.

FIX FOR BAD OR UNKNOWN ADMINISTRATOR PASSWORD

1) In Windows, click on Start, Run, and Type REGEDIT
2) Click on the plus signs (+) next to the following keys

    * HKEY_LOCAL_MACHINE
    * SOFTWARE
    * MICROSOFT
    * WINDOWS NT
    * CURRENTVERSION
    * SETUP
    * RECOVERY CONSOLE

3) Double-click on the option SECURITYLEVEL in the right-hand column and change the Value Data number to 1 then press OK

4) Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD

Next, Remove the hidden.dll file from the registry

    * Open RegLite.exe and navigate to the following registry key

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    * Double-click on the AppInit_DLLs key, delete the name of the dll file in the Value Data field, Apply the Changes and click OK then Exit Registrar Lite.

Edit registry to remove the second file

Run HiJackThis and scan the registry. Check the boxes to remove the entries similar to the following:

R1 - HKCU\Software\Microsoft\InternetExplorer\Main,SearchBar=res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126

The dll file shown in these lines (in this case it's called xaiyh.dll) is the second problematic file in the about:blank hijack.

Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Settings, choose Show Hidden Files and Folders, then click on OK and close My Computer. In Windows XP/2000, you may also want to uncheck the options for "Hide extensions for known file types" and "Hide protected operating system files". This will allow you to easily find the dll files to delete them.

Lastly, search for and delete the hidden.dll file found through reglite.exe and this second dll file found using HijackThis.

    * Click Start, point to Find or Search, and then click Files or Folders.
    * Make sure that "Look in" is set to (C:\WINDOWS).
    * In the "Named" or "Search for..." box, type, or copy and paste, the name of the hidden.dll filename you found using Reglite.exe. This file was renamed badfile.dll in our procedure. Search for it and delete it, then repeat this step for the dll filename you found using Hijackthis.

This should completely clean your system of the About:Blank homepage hijacker.
0
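As an added example (not part of the original post or the pchell.com writeup), the Python sketch below parses HijackThis-style R0/R1 lines like those quoted above and groups the registry values that point at a res:// DLL or at about:blank, giving a list of keys to inspect by hand in regedit. The function names are assumptions made for illustration, and the O4 sample line is constructed.

```python
import re

# HijackThis-style lines; the first four are copied from the writeup above,
# the O4 line is constructed to show that non-IE entries are skipped.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\InternetExplorer\Main,SearchBar=res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaiyh.dll/sp.html#29126
O4 - HKLM\..\Run: [Example] C:\example.exe
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
ENTRY = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\([^,]+),([^=]+?)\s*=\s*(.*)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)


def parse_entries(log):
    """Return one dict per R0-R3 line: full regedit key path, value name, data."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not an IE start/search page entry
        _, hive, key, name, data = m.groups()
        entries.append({"key": HIVES[hive] + "\\" + key,
                        "name": name.strip(), "data": data.strip()})
    return entries


def review_list(log):
    """Group the values to inspect in regedit by what their data points at."""
    dlls, blank = {}, []
    for e in parse_entries(log):
        m = RES_DLL.match(e["data"])
        if m:  # value loads a page out of a DLL resource
            dlls.setdefault(m.group(1).lower(), []).append((e["key"], e["name"]))
        elif e["data"].lower() == "about:blank":
            blank.append((e["key"], e["name"]))
    return {"dlls": dlls, "about_blank": blank}


if __name__ == "__main__":
    report = review_list(SAMPLE_LOG)
    for dll, refs in report["dlls"].items():
        print("DLL referenced by res:// URLs:", dll)
        for key, name in refs:
            print("   ", key, "->", name)
    for key, name in report["about_blank"]:
        print("about:blank value:", key, "->", name)
```
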
 
LVL 15

Expert Comment

by:getzjd
ID: 13501474
What I had to do was use the microsoft spyware removal tool to get the start pages reset.  That fixed the probs
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13501603
I have found this tutorial:

http://www.besttechie.net/forums/index.php?showtopic=1488

Using Mozilla/Firefox, I don't have to deal with this kind of spyware...

Tolomir
0

 

Author Comment

by:bandidosboy
ID: 13501679
Actually, I've already read that write-up. But if you'll read my requirements, the only registry editor that should be used is regedit.exe, and I forgot to mention that HijackThis is not an option as well. Actually, this question is for a write-up in our group to pattern on. So if you have any ideas on how to fix... kindly help.

About the microsoft antispyware, it was able to reset the start page but after a reboot, the about blank is back.
0
 
LVL 14

Expert Comment

by:spiderfix
ID: 13501966
>>Actually, this question is for a write up in our group to pattern on<<
Are you asking a question for school?
0
 
LVL 2

Expert Comment

by:kasper2003
ID: 13503383
unplug your pc from the network.
scan your pc with adware, "Spybot Search and Destroy" and microsoft antispyware

reset all browser hijacks
remove all the spywares

restart your computer

you could try Spyware Doctor too, a free to try program..
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13503544
@ bandidosboy:

my tutorial @ http://www.besttechie.net/forums/index.php?showtopic=1488 satisfies your requirements...
0
 
LVL 12

Expert Comment

by:kneH
ID: 13504420
>>I forgot to place that HijackThis is not an option as well

Stop rendering my answers as useless before I even give em plz ;)


Anyways the only way to remove em manually is to go through the registry and knowing what should be in there and what should not be.....
0
 
LVL 5

Expert Comment

by:e_sandrs
ID: 13506084
Well, if you can't use HijackThis, just use the info in the writeup on the web page - which shows you the keys you would find with the tool - and manually delete them using Regedit.

I agree with spiderfix that adding these artificial limitations (only IE, no HijackThis, must be manual removal...) is making it sound like a school question, so maybe that's enough "help"
0
 

Author Comment

by:bandidosboy
ID: 13508736
This is not a school question. It's just that my team is currently handling calls about spyware and virus issues. Our supervisors don't allow us to make use of HijackThis and the only registry editor we are allowed to make use of is regedit. This is because we are under a Microsoft partner. This goes hand in hand with the browser that is to be used... obviously... only IE (Microsoft reason again). Anyway, about Tolomir's post, I'll try to ask my supervisor if this tool is allowed. If yes, I'll give the points to him. Anyway, I think we are allowed to make use of Silent Runner VBS. If someone knows the process of making use of that instead of the HijackThis log and make use of regedit for registry editing, that would be really great. About the posts that recommend Antispyware, Adaware, Spybot, we already tried that, but the about:blank wasn't removed.
0
 
LVL 14

Accepted Solution

by:
spiderfix earned 2000 total points
ID: 13509372
>>This is not a school question<<
Fair enough. Had to ask, it's against the agreement here at Experts-Exchange.

This is how I have been killing the newer versions of spyware manipulating Windows 2000/XP/2003
system restore features and the system volume information folder.

-----------------------------------------------------------
You have to manually kill the dropper of that spyware.

The dropper(s) hide in the _restore folder and even though shutting off xp system restore is supposed to delete
the restore points...the spyware alters Windows so the restore points remain. The _restore folder in Windows
XP is behind a double protected hidden area of Windows XP (permissions controlled).

Open a Windows Explorer and in the menu
Tools
Folder Options
View(tab)
uncheck "Hide protected operating system files (Recommended)"
put a check on "Show hidden files and folders"
click OK

Now to access the C:\System Volume Information folder you two-click it if your Windows XP was installed
selecting FAT32 as the file system format. If your Windows XP was installed selecting NTFS file system
format then there are more steps to be able to two-click, and access, the C:\System Volume Information
folder...these steps for NTFS are...

Start
Run...
type cmd hit enter
type cd\ hit enter
type
cacls "c:\system volume information" /E /G username:F
hit enter

...you can now two-click and access that folder via Windows Explorer and inside there is a folder named _restore*****.
***** = a bunch of numbers and letters, two-click that folder and you'll see a bunch of folders named RP*, delete
them all...and all files in there as well. When you're done deleting all the files and folders in there (the actual restore points)
you MUST re-enable the permissions you shut off. You type the command...
cacls "c:\system volume information" /E /R username
...to turn it back on. username= your actual username you log on to XP with.
-----------------------------------------------------------
0
 
LVL 14

Expert Comment

by:spiderfix
ID: 13509431
Forgot to add to that...

...there is a file in the _restore***** folder "tracking.log" it won't delete. Just like some other windows system
files you can't delete it unless you're not running Windows (booted to a CD or floppies).

Don't worry though it's not part of the spyware it's a Windows thing. Leaving it is fine.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13515551
To delete any file you can use this German program:

ftp://ftp.heise.de/pub/ct/listings/0506-252.zip

The trick is you start the file later.exe : You add with "hinzufügen" (add) the unwanted files. Press ok that is all you need, reboot, files gone.

All these files will be deleted during windows bootup.

This way you can even delete the registry... so be careful

Tolomir
0
 

Author Comment

by:bandidosboy
ID: 13562511
After I deleted the System Volume Information? Shouldn't I need to delete a specific DLL file? or EXE file? OR a registry entry? or a BHO folder? what would I do?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13562755
I've never had problems with this kind of spyware...

With Firefox and while using an account without admin rights. It's almost impossible to get infected....

Tolomir
0
 

Expert Comment

by:smoothly
ID: 20934064
Try this little program called Unlocker.

http://ccollomb.free.fr/unlocker/

Right-click and "unlock" the file you want to delete/rename from running programs or services.
0
