About:blank Will NOT Go Away!

Discussion in 'adware, spyware & hijack cleaning' started by pdmike, May 12, 2004.

Thread Status:
Not open for further replies.
  1. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    My various anti-spyware programs tell me I have a spyware file on my computer. The file is listed as: C:\Windows\System\chgj.dll.

    The problem is that when I go to C:\Windows\System, I cannot find the file
    (chgj.dll) to delete it. It is not there. My Windows Explorer tells me it is there when I use Tools\Find File - but when I go there to find it and delete it, it is not visible anywhere in the Windows\System folder.

    How can you delete something you can't see?

    In the meantime, I keep getting recurring attempts to change my browser home page. I have a program called WinPatrol that faithfully tells me every time an attempt to change my home page is being made. When I am up and running, this happens every five minutes or so.

    I run CWShredder each time and, each time, CWShredder tells me it has fixed one infected Registry entry. If I rerun CWShredder immediately, it tells me that my computer is clean. Then WinPatrol tells me another attempt has been made to change my home page, and the cycle starts all over again.

    What else? Oh yes . . . here is my most recent Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:50:57 AM, on 5/12/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    F:\BROWSER HIJACK BLASTER\BHBLASTER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CHGJ.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.windowenhancer.com/nph-search.cgi?affid=sesm1&look=stmpl1&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.windowenhancer.com/nph-search.cgi?affid=sesm1&look=stmpl1&sstring=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx

    Since the home page that always wants to replace my existing home page is a home page that calls itself, about:blank, and since I see there is a reference to about:blank in my log (R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank), I suspect I am in trouble.

    It seems to me that there is something on my computer that constantly wants to make a change (or changes) in my registry - changes that always result in the about:blank home page moving in on my browser.

    PLEASE help, if you can! I have been fighting this thing for two weeks now and am getting more than a little frustrated, to say the least.

    Thank you.

    pdmike
    (if you like, you can reach me directly at pdmike@aol.com)
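The log above contains the tell-tale entry for this family: the IE Search Page is not a URL at all but `res://C:\WINDOWS\SYSTEM\CHGJ.DLL/sp.html`, an HTML page embedded as a resource inside a DLL that Explorer does not show in a default listing. The following is an added example (not part of this thread, and not HijackThis or CWShredder code) that parses the R0/R1/R3/O16 lines of a HijackThis 1.x log and flags that pattern plus the related indicators visible in the posted log. The sample lines are copied verbatim from the log above; the severity labels and rule wording are this example's own assumptions, not a HijackThis classification.

```python
"""Triage a HijackThis 1.x log for about:blank / res://-DLL hijack indicators.

Added example for this thread: not part of the original post and not
HijackThis or CWShredder code. The sample lines are copied from the log
posted above; severities and rule wording are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the poster's log, verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CHGJ.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.windowenhancer.com/nph-search.cgi?affid=sesm1&look=stmpl1&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# res://<dll path>/<page>: IE loads the page from an HTML resource stored
# inside a DLL instead of from a URL. The poster's log shows exactly this.
RES_DLL_RE = re.compile(r"^res://(?P<path>.+?\.dll)/", re.IGNORECASE)


@dataclass
class Entry:
    code: str   # HJT section code, e.g. "R1", "O16"
    key: str    # registry value, hook or control name (left of " = " / last " - ")
    value: str  # URL, file path, GUID target or "(no file)"
    raw: str


@dataclass
class Finding:
    severity: str
    entry: Entry
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Split HJT entry lines into (code, key, value); other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if body.endswith(" ="):          # registry value present but empty
            key, value = body[:-2], ""
        elif " = " in body:              # R0/R1 style: key = value
            key, value = body.split(" = ", 1)
        elif " - " in body:              # O2/O3/O16/R3 style: name - GUID - file
            key, value = body.rsplit(" - ", 1)
        else:
            key, value = body, ""
        entries.append(Entry(code, key.strip(), value.strip(), raw))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the rules this example assumes for an about:blank-style hijack."""
    findings = []
    for e in entries:
        v = e.value.lower()
        if e.code in ("R0", "R1"):
            m = RES_DLL_RE.match(e.value)
            if m:
                findings.append(Finding("HIGH", e,
                    f"IE page is served from a DLL resource: {m.group('path')}"))
            elif v.startswith("about:blank"):
                findings.append(Finding("MEDIUM", e,
                    "about:blank stored as an IE page; harmless alone, "
                    "suspicious next to a res:// DLL search page"))
            elif "affid=" in v:
                findings.append(Finding("MEDIUM", e,
                    "search redirected to a third-party engine carrying an affiliate id"))
        elif e.code == "R3" and v == "(no file)":
            findings.append(Finding("LOW", e,
                "orphaned URLSearchHook CLSID (target file already gone)"))
        elif e.code == "O16":
            findings.append(Finding("REVIEW", e,
                f"ActiveX control downloaded from {e.value}; confirm it was wanted"))
    return findings


def res_dll_paths(entries: list[Entry]) -> list[str]:
    """DLLs that IE pages are loaded from: the files to locate and remove."""
    paths = []
    for e in entries:
        m = RES_DLL_RE.match(e.value)
        if m and m.group("path") not in paths:
            paths.append(m.group("path"))
    return paths


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for f in triage(entries):
        print(f"[{f.severity}] {f.entry.code}: {f.reason}\n    {f.entry.raw}")
    print("DLLs to locate:", res_dll_paths(entries))
```

The path returned by `res_dll_paths` is the file the poster cannot see. Explorer hides files carrying the hidden or system attribute unless "Show all files" is enabled, so on Windows 9x the check is a DOS prompt in that directory: `dir /a:h` lists hidden entries and `attrib chgj.dll` shows the flags; `attrib -h -s -r chgj.dll` clears them before deletion. Because IE keeps the DLL mapped while it runs, the file usually has to be removed from Safe Mode or with no IE window open, and the R0/R1 entries that point at it should be fixed in the same session, otherwise the reload re-creates the cycle WinPatrol keeps reporting.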
     
  2. Axeman

    Axeman Registered Member

    Joined:
    May 10, 2004
    Posts:
    4
    Location:
    Massachusetts, USA
    Running CWShredder in "Safe Mode" worked for me (I have Windows ME). Press and hold the F8 key during start-up; that should get you to the prompt for Safe Mode (if it isn't F8, it could be Esc or Ctrl). If you have System Restore, disable it before you boot into Safe Mode and re-enable it after you rid yourself of this pest. To disable System Restore: right-click My Computer and select Properties. Click the Troubleshooting tab, then click the File System button; if you have System Restore, it will be there. Just uncheck it and hit Apply.
    Good Luck,
    Axeman
    PS-Don't forget to turn on System Restore again after you kill the bug.
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi pdmike,

    Can you download this tool please? :

    StartDreck

    Unzip it, then double-click 'StartDreck.exe'.
    Hit: Config
    Hit: Unmark all
    Check these boxes only:
    Registry -> Run keys
    System/drivers -> Running processes
    Hit: OK

    Post log here please

    Thnx!

    Cheers,
     
  4. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Trying to download StartDreck but having difficulty doing it. Another problem I have been having (I think it is related to the spyware problem) is that I cannot download very many things. I click on the download link, the hourglass comes on for several seconds and then goes off. Nothing appears in the task bar to indicate that any download is taking place, and nothing ever happens after that.

    Thanks for your concern. Any other thing I can do if I can't get StartDreck?

    pdmike
     
  5. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Re: unknown trojan keeps resetting explorer homepage

    If it's any consolation, you have just described my problem exactly. I get the same message from CWShredder about the 6 infected registry items. CWShredder also tells me that it has removed CWS.searchx - probably tells you the same thing.

    And, like you, the infuriating about:blank keeps coming back, and back, and back.

    I spent over an hour on the phone with one of the Indian guys from Microsoft. He basically said he couldn't help me unless I was willing to take a chance on wiping out my computer. Excuse me? Know what his advice ultimately was? Live with the problem until you can back up your entire hard disk. Then check all the boxes in Hijack This and begin firing. If it works, great. If not, oh well . . .

    I have a really old computer with Windows 98 on it and a whole bunch of programs I love. Guess I'll back 'em all up and then call Dell.

    This reply is no substantive help at all, I know; but perhaps it might make you feel better to know you are not alone.

    pdmike
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK