Spyware Blaster, Spyware Guard, about:blank fixes

Discussion in 'SpywareBlaster & Other Forum' started by porty, Mar 9, 2005.

Thread Status:
Not open for further replies.
  1. porty (Registered Member; joined Sep 17, 2004; 48 posts)
    I’ve just spent nearly three days working on an infected W98SE machine that had a pile of problems. A lot of the bugs were minor but there were several that were VERY hard to clean out.

    They involved “about:blank” with the associated trojan Startpage.16.M\se.dll annoyance, plus an extremely annoying issue with Spyware Blaster not installing. In my case, not only would Spyware Blaster not install, SpyWare Guard would install but not update, and a Stinger-like app called MWav from MicroWorld.com, which reportedly removed some related baddies, refused to run.

    I’m posting the fixes here in case they can help someone else.

    Note that, as with most techs I guess, I try so many fixes, so quickly, that it’s sometimes difficult to retrace my steps when I come to record what I did and in what sequence. So bear with me if the timing doesn’t make sense.

    The original problem seemed to be “about:blank”, which was associated with a Trojan called Startpage.16.M and a problem file, se.dll. When Internet Explorer was started, the homepage would default to a search engine which offered links to casinos, drugs, porn sites etc. – all the usual stuff. Unfortunately, there were no links to sites which offered to track down and castrate the brainless little fleas who were responsible for this sleazy garbage, otherwise I might have patronized the service ;)

    Needless to say, I tried the usual armory of fixes: HiJackThis 1.9.1, several AV progs, SpyBot, Pest Patrol, AdAware, four or five CWShredder fixes, and many others, all without success.

    As the problem seemed to be connected with dlls, I searched My Computer for *.dll, then when the search had finished, I clicked the ‘date modified’ column to see which dlls had been recently added.

    Two showed up as having been installed within the last few days: HOJHDFA.dll and AAAO.dll.

    Leaving those dlls undisturbed for the moment, I checked the source code of the loaded search engine (the site which came up first after connecting to the net) and the first entry was a series of “%43%54%34”-type numbers. I knew these figures could be rationalized into a source URL at www.simplelogic.com, so I went there, clicked on Resources\Developer Utilities\URLDecode and pasted the copied string into the search box, then hit ‘Clean Data’. The answer identified C:\Windows\HOJHDFA.dll as the URL originator.

    On the strength of this, I booted to DOS and renamed HOJHDFA.dll and AAAO.dll to .old. Treating AAAO.dll in this way was just a hunch, based on the contemporaneous timing of the install of the two dlls. However, it turned out I was correct, as you’ll see later.

    After a Windows restart, HiJackThis found no recurring infections and I was able to nominate a homepage that remained constant through several restarts of Internet Explorer.

    The next step was to find out why Spyware Blaster wouldn’t install. The problem was that, following the install, when trying to run SB for the first time, a pop-up said:

    “This program has been damaged possibly by a bad sector on the hard drive or a virus. Please reinstall it”.

    After hours on the net, I found a link to a post by ‘Pinkyhorse’ (thanks, whoever you are!) which noted that RegMon would reveal whatever might be interfering with Spyware Blaster’s installation and/or subsequent running. The post also recommended using StartDrek for further analysis.

    I downloaded and ran RegMon (for 9x/Me). When RegMon starts, ongoing computer processes keep rapidly adding to the list of recorded functions, making it very difficult to analyze the screen’s contents, so it’s necessary to click the ‘Stop scrolling’ button. The instructions were to look for the first appearance of Spyware Blaster entries, which would be logged as ‘Successful’, then to check and see whatever else followed immediately after, which would also be logged as ‘Successful’, and might be the culprit. Sure enough, there was a block of 20 or 30 Spyware Blaster entries, then immediately after, a listing which read: ‘rundll32 C:\Windows\Navwvt.mif ,DllGetClassObject’ (this is from memory and isn’t verbatim).

    Then I ran StartDrek, having first clicked ‘Config’ and selected Registry\Run Keys and, under System\Drivers, Running Processes. All other choices were deselected.

    And there it was, C:\Windows\Navwvt.mif was being called from a RunOnce entry in the registry. (One of the first things I’d done was to check all Run-type Registry entries but this beast had evidently hidden itself in some way at the time).

    I booted to DOS and deleted C:\Windows\Navwvt.mif, then rebooted and ran the Spyware Blaster install again. To my great pleasure, it installed without a hitch. Spyware Guard was able to update without problems and MicroWorld’s stinger-clone MWav installed, ran and updated without problems. Running MWav revealed C:\Windows\HOJHDFA.old as well as C:\Windows\autoload.exe, reporting that both were very nasty and needed to be deleted, which I did in DOS.

    However, I was a little disturbed by the way MWav reacted to its discovery of the two files. It was a message to the effect of, ‘You MUST now go and BUY MWav to eradicate these nasties’. Hmmm. I must say I found myself wondering, as I’ve done before with Kaspersky’s very convenient fixes for esoteric bugs, just how it is that one provider is able to come up with a rapid solution for a problem that nobody else has been able to beat.

    Having said that, I then installed Kaspersky 5 Personal trial, which found and eradicated C:\Windows\Windbg.exe, C:\Windows\AAAo_Old, C:\Windows\scvhost.exe (which I’d assumed was innocuous) and ID.exe. However, in my experience, Kaspersky doesn’t seem to run well on 9x/Me systems so I uninstalled it after the cleanup and fell back on the free version of AVG7.

    (Incidentally, a much-touted app, Adware Away, professed to fix the about:blank problem but couldn’t. It’s also fairly aggressive in its self-promotion.)

    So there you have it – one guy’s solutions for two annoying and widespread problems. Hope they work for you :--))
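Two of the manual checks in the post above can be scripted. The following is an added example (my code, not porty's and not part of any of the tools he names): it decodes the percent-encoded string from a hijacked start page's source, and it flags Run/RunOnce autostarts where rundll32 is told to load a file that is not a DLL, the pattern behind the Navwvt.mif entry. The page text and the registry entries are constructed samples built for this example.

```python
import ntpath
import re
from urllib.parse import unquote

# Constructed sample: the head of a hijacked start page whose first script
# statement is a percent-encoded string, as the post describes. The escapes
# spell C:\Windows\HOJHDFA.dll, encoded character by character for this
# example; they were not captured from a real page.
SAMPLE_PAGE = (
    '<html><head><script>document.write(unescape("'
    "%43%3A%5C%57%69%6E%64%6F%77%73%5C%48%4F%4A%48%44%46%41%2E%64%6C%6C"
    '"))</script></head><body>search</body></html>'
)

# Constructed (key, value name, command) autostart entries imitating a
# StartDrek Run/RunOnce listing; the .mif line mirrors the one in the post.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_ENTRIES = [
    (RUN, "ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    (RUN, "SystemTray", "SysTray.Exe"),
    (RUN + "Once", "wvt", r"rundll32 C:\Windows\Navwvt.mif ,DllGetClassObject"),
    (RUN, "ctl", r"rundll32.exe C:\WINDOWS\SYSTEM\shell32.dll,Control_RunDLL"),
]

PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")
RUNDLL_CMD = re.compile(r"^\s*rundll32(?:\.exe)?\s+(.+?)\s*,\s*(\w+)", re.I)
LOADABLE_EXTS = {".dll", ".cpl", ".ocx"}

def decode_percent_strings(html):
    """Decode every run of four or more %XX escapes found in the page text."""
    return [unquote(m.group(0)) for m in PERCENT_RUN.finditer(html)]

def flag_rundll32_entries(entries):
    """Return (name, module, export) for rundll32 autostarts whose module
    lacks an extension rundll32 is normally asked to load (.dll/.cpl/.ocx)."""
    flagged = []
    for _key, name, command in entries:
        m = RUNDLL_CMD.match(command)
        if m is None:
            continue
        module, export = m.group(1), m.group(2)
        if ntpath.splitext(module)[1].lower() not in LOADABLE_EXTS:
            flagged.append((name, module, export))
    return flagged

if __name__ == "__main__":
    for path in decode_percent_strings(SAMPLE_PAGE):
        print("decoded:", path)
    for name, module, export in flag_rundll32_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious autostart:", name, module, export)
```

The extension check is a heuristic: a renamed DLL with a .dll extension passes it, so treat it as a triage filter to be read alongside the RegMon trace, not as proof of a clean system.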