Jump to content


Okay...so WTF was that thing?

  • Please log in to reply
3 replies to this topic

#1 takemefishing.ca



  • New Member
  • Pip
  • 1 posts

Posted 11 July 2004 - 09:45 PM

At first I thought I had the CWS about:blank trojan. But it would not repond to the fixes set out here and at other forums. Here's what it would do and the basic chronography...
Day1 ...Receieved a download alert...clicked no..popped up again and agaian till I CTRL-ALT-DEL the thing.
Day2- Pop-ups...subtle at first. Ran Ad Aware and SPybot...cleaned junk out...nothing of real note.
Day 3...New BHO (about:blank) and all hell starts to break loose. Getting pop-up saying I was infected (animation of worms copulating) and to 'Click here for removal software. Then porn, porn and more porn.
Day 4...AdAware and Spybot clean junk out...run HijackThis...find extra dll's and delete. Find and install SpywareBlaster...works once then goes kaput./ Reinstall no better (Error about bad disc sector or virus).
Try to open ever-changing dll files in Notepad...Notepad then goes AWOL.
Purchased Pest Patrol after a search indicates it can clunk this trojan.Cleans it out...safe for about 6 hours then new .dll's with new names. Raining porn again.
Check with Norton...Norton finds Revop c. Wasn't there before...quarantine and delete. Reboot. Damm...about:blank page again. System Restore now done in,too.
Copernic toasted.Easy GIF animator gone.

Day 5-Porn porn porn...Pest Patrol now shows all clear in spite of porn central staition. Pest Patrol now kaput.
HiJackThis now only thing working. Norton can no longer update. Guys at Virtualdr.com can offer nothing more than what I have done. I can clean and stay good for about 6 hours at a time now. I made the call to have my disc reformatted and was going to partition out 15 Gb for surfing and leave my Photoshop and other expensive goodies on 'D' drive so if I needed to I could just pooch the 'c' drive whenever I got crapped on.

Read a post somewhere about a fix in regedit by deleting a reg key in HLM>SoftwareEnvironment>Windows and renaming Windows to Windows2 then deleting the App_InitDlls file then renaming Windows2 back to Windows.
I was desperate. Had no clue what that registry did, but I was about to reformat anyway.
Deleted the registry, rebooted and voila...SpywareBlaster and pestPatrol go to town and clear the junk out. Norton Updates right away (had to replace the notepad.exe file thoguh).
AdAware and Spybot now run and clear out remaining junk.
Now been a week clear. I have so much damm anti-spyware stuff now...lol.
Mozilla Firefox now my browser. IE is cranked down and dormant (which I could delte the damm thing)

I read more on Trojans that week than anyone alive. I still cannot figure out which one it was or if it was a combo job. I know the trojan formed a new .dll that was hooked in the rundll which is how it kept recreating itself. I know that I am fine now and without IE I run perfeclty clear AdAware et al scans daily (always found some junk before when using IE).


#2 terryb



  • Full Member
  • Pip
  • 51 posts

Posted 12 July 2004 - 12:07 PM

You had it rough! (I thought my easy-search prob. was bad.)
It sounds like you got a combination of pests.
For one, a start page downloader trojan--one of the
most annoying. CWS problems morph so often, it's hard to
pinpoint them; that's why they cause so many problems.
There are new variants every day.

Something that helped me that you may want to look into is
the tool in Spybot Search and Destroy under advanced mode/
tools/Host file. It enables you to block specific servers
You can also set your homepage and
the searchURL files with the homepage shield.

#3 dudewheresmyhomepage



  • Full Member
  • Pip
  • 4 posts

Posted 19 July 2004 - 01:30 PM

Hi fishing,

I had the same problem, but I don't think it got as far as yours. The most notable similarity was the rather distinctive pop-up with the green bugs in sexual positions. I do still have some issues (my c: drive is stuck in DOS compatibility mode), but I think I got
to the heart of the matter by following the advice in the following thread. Now, I don't know if you are running win98 or not, but if you are it might help. If you aren't, it might still help you to figure out what to do. Basically what the post tells is how to find a .dll in your system info program that is invisible by browsing that malware scanners most likely won't find. In this specific case (as well as mine) it was one that turns out to be exactly 57,344 bytes in size. It has you rename the file extension in DOS and somehow this makes the malware scanners (namely Ad-Aware in this post) able to find the file, recognize it as malware and then fix it. In this case that is the file that is responsible for regenerating the problem(s?) even after you have cleaned with HijackThis, Ad-Aware, etc.

I hope it helps you:


#4 dudewheresmyhomepage



  • Full Member
  • Pip
  • 4 posts

Posted 19 July 2004 - 01:48 PM

Oh, I forgot

I started to make progress in figuring this out when I looked up "about:blank" in the "virus info" page at www.pandasoftware.com. For me the "StartPage.FH" trojan description was closest to what I was experiencing. At least then I knew what to search for and what to call it. They had pictures of the home page and several of the popups I was getting. I figure they didn't show the green bugs because it's offensive. It didn't directly lead to my solving the problem but it did help (by searching for this specific type of trojan in the forums I found bobO's post), and as they used to say on GI-JOE, "knowing is half the battle"--the article has good info.


Member of UNITE
Support SpywareInfo Forum - click the button