About:Blank

About:Blank is another name for the CoolWebSearch morphing spyware. As mentioned in the CoolWebSearch article, this is one of the most insidious and prevalent spyware programs currently on the net, largely because it is nearly impossible to remove. This particular spyware has been one of the most active malware threats since October, 2004.

About:Blank displays the following characteristics:

1. Replaces your home page with a new one titled "about:blank". This page contains a pseudo-search engine with various subjects like "art", "cars", and "shopping".
2. Installs a Browser Helper Object into Internet Explorer. This BHO consumes system resources and slows down your internet connection.
3. Restores itself after its file directory is deleted.
4. Restores its registry settings once they have been deleted.
5. Is difficult to remove from memory.
6. Starts with the operating system. If you remove it from the auto-start settings, it will restore itself there.
7. Later versions change their executable to avoid detection by the simple hash recognition algorithms that most anti-spyware products use.
8. May also store executable code in your temporary internet explorer files.

Effective Removal Tools

CWShredder will remove older variants, but because it is no longer being updated, it generally doesn't work anymore.

PCTools Spyware Doctor, Webroot Spy Sweeper, and MaxSecure Spyware Detector detect About:Blank and we have seen these products remove different variants of this threat.

Finally, here is another page with extended About:Blank / CWS removal procedures. Use at your own risk!

Manual Removal Instructions

Manual removal of this threat is very difficult and usually will not be successful. You also run the risk of permanently disrupting your internet connection, however in most cases the worst that will happen is that the program will immediately return. You should only attempt these steps if you are a computer expert. Use at your own risk!

To remove this program, follow these steps:

1. Click on "Start" menu, then "Run...".
2. Type "regsvr32.exe"
3. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

4. If this key contains an entry called AppInit_DLLs, you may be in luck. This is the name of a hidden dll file that is allowing About:Blank to run. Record the name of this file.

5. You must now remove this .dll. The easist way to do it is to reboot the computer in safe mode, however this may not work depending on the version you are infected with. If it doesn't work, proceed to step 6.

A. Reboot the computer in safe mode (press Shift-F8 when booting).
B. Select "Safe Mode with Command Prompt"
C. Navigate to the folder containing the file.
D. Rename it by typing "Rename [badfilename].dll AboutBlank.dll
E. Reboot

6. If step 5 didn't work, you will need to boot into Windows Recovery Console to rename the file.

A. Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD
B. Type cd \windows\system32 and press Enter
C. Type the following line to remove the read-only setting:
ATTRIB -R [badfilename].dll
D: Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename)
E. Rename it by typing "Rename [badfilename].dll AboutBlank.dll
F. Type "Exit" to reboot

Also Known As: About:Blank, CoolWebSearch, HomeOldSP.