Posted 15 July 2004 - 09:55 PM

hello - I've spent weeks trying to clear my system of a nasty bug/trojan horse
that is still here. I have used and continue to use "CWShredder" and
"Hijack This" solutions but problem always returns. I'd really appreciate you
reading the following and sending me your best idea to put the
bug/s out of its/their misery. I have read SWI's FAQ and I ran Adaware and Spybot with no change to problem :huh:

Currently running Windows XP and using I'net Explorer browser with Netscape
start page. (I know using I'net Explorer is part of the problem...Netscape's better.)

Problem description: Whenever I log onto the internet and begin surfing - just
about any sites - my start page ( shown via Inet Explorer - Properties) has
changed to "about-blank" and this gives me a CWS search start page I don't

I run CWShredder 1.57.0 and always get result of "CWS.Searchx" marked

I did the recommended download of Windows XP Support Pkg (SP-1), but
no change to always getting a hit on "CWS.Searchx." What's up with that?

More.. Next, I run a Hijack This scan. The bug always creates 7 or 8 unwanted
R0 and R1 (HKLM and HKCU) lines. Also creates phony O2 - BHO entries -
the longer I wait to delete them with Hijack, the more lines are added. These
BHO entries always end in a newly generated ".dll" for every new Internet
surf session. And each time there's an "O17 - HKLM\System\CCS\Services\
Tcpip\....Name Server = " entry that I delete
and it returns anyway.

I do check my System Configuration Utility every time for unwanted Startup
entries and deactivate anything I don't recognize. One of those turned up as

This thing is very persistent. Can you step me thru a way to get rid of it?
Thanks, Yanush
(I also have Norton/Symantec AntiVi installed and run it regularly with
latest updates. Latest scan says my WINDOWS/httpfilter.dll is
infected. Quarantine didn't work.)

endo endo

HijackThis log follows:
Logfile of HijackThis v1.97.7
Scan saved at 7:25:54 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\DOCUME~1\FREDER~1\MYDOCU~1\My Music\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FREDER~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FREDER~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FREDER~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FREDER~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FREDER~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FREDER~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Frederick\Application Data\Mozilla\Profiles\default\4s3gs9na.slt\prefs.js)
O2 - BHO: (no name) - {AF747EEC-7EE1-4EA2-85B6-DA3DDAEEA94B} - C:\WINDOWS\System32\pgbn.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\DOCUME~1\FREDER~1\MYDOCU~1\My Music\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56BA564-CE16-4466-BEC0-73785AC1BEA1}: NameServer =
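
As an added example (not code from this thread, from SWI, or from HijackThis), here is a small Python triage script that encodes the three patterns the post describes: R0/R1 Internet Explorer values reset to about:blank or pointed at a file:// page under Temp, an O2 BHO listed as (no name), and the O17 NameServer entry. The sample lines are copied from the log above and labelled as a constructed sample; the function names `triage_line`, `triage` and `summarize` are my own. It also carries the caveat a reply in this thread makes: an empty NameServer just means DNS comes from DHCP/the ISP, so the script reports it as informational rather than as something to delete.

```python
import re
from collections import Counter

# Constructed sample in the shape of the HijackThis log posted above; the
# values are copied from the thread. Added example, not HijackThis or SWI code.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FREDER~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {AF747EEC-7EE1-4EA2-85B6-DA3DDAEEA94B} - C:\WINDOWS\System32\pgbn.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{A56BA564-CE16-4466-BEC0-73785AC1BEA1}: NameServer =
"""

# Every HijackThis line is: section code, " - ", entry body.
LINE_RE = re.compile(r"^(?P<kind>R[0-3]|N\d|O\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def triage_line(kind, body):
    """Classify one log entry. Returns (severity, reason), or None when the
    entry shows none of the patterns described in the thread."""
    if kind in ("R0", "R1"):
        _, sep, value = body.partition(" = ")
        if not sep:
            return None
        value = value.strip()
        low = value.lower()
        # about:blank is a legitimate start page on its own; the thread treats it
        # as the hijack marker because it appears beside file:// search pages.
        if low == "about:blank":
            return ("suspect", "IE start/search setting reset to about:blank")
        if low.startswith("file://") and "\\temp\\" in low:
            return ("suspect", "IE search setting points at a local file under Temp: " + value)
        return None
    if kind == "O2":
        m = BHO_RE.match(body)
        if m and m.group("name").strip().lower() == "(no name)":
            return ("suspect", f"unnamed BHO {m.group('clsid')} loading {m.group('path')}")
        return None
    if kind == "O17":
        _, sep, value = body.partition("NameServer =")
        if not sep:
            return None
        servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
        if not servers:
            # Empty NameServer: DNS comes from DHCP / the ISP. Not an indicator.
            return ("info", "NameServer is empty (ISP/DHCP DNS); nothing to delete here")
        return ("verify", "static NameServer set; confirm these belong to your ISP: " + ", ".join(servers))
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        result = triage_line(m.group("kind"), m.group("body"))
        if result:
            severity, reason = result
            findings.append({"kind": m.group("kind"), "severity": severity,
                             "reason": reason, "line": line})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'suspect': 3, 'info': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:7}] {f['kind']}: {f['reason']}")
    print(summarize(results))
```

Run it as-is and it prints one line per finding for the sample; feed it a full log by reading the file into `triage`. The R0/R1 checks are plain string matches on the value, so a deliberately chosen about:blank home page will also be reported and has to be judged in context, which is why the O4 entries and the empty O17 value are left alone rather than flagged.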

Posted 15 July 2004 - 11:45 PM

To answer some of your questions:

Don't expect much from Norton, aka Symantec.
Restart in safe mode,

WINDOWS/httpfilter.dll < Find and delete

"wuamgrd.exe" < Find and delete the file!

O17 - HKLM\System\CCS\Services\
Tcpip\....Name Server =
Why would you delete your ISP name servers? :scratchhead:
IP Address:
Host Name: rns3.earthlink.net

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....
