Bobc

CW Searchx About:blank

16 posts in this topic

I am having the same problems as many others being hijacked by about blank. It keeps coming back after the fixes: Shredder, Spy-bot, fixes on HJT. When I ran CWS Shredder earlier it found "Searchx". When I type an incorrect/invalid address it reverts to the hijacker site with the address: http://s1di.d8t.biz/index.php?aid=20038

I have Windows 98. I have read Archon Wing's solution to Magoo...but is there a solution for Windows 98? Thank you.

 

HJT Log:

Logfile of HijackThis v1.97.7

Scan saved at 1:12:35 AM, on 06/25/2004

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\STARTER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\HPZTSB04.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\RunDLL.exe

C:\MONEY\SYSTEM\REMINDER.EXE

C:\GREETING\GWREMIND.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\MSOFFICE\OFFICE\OSA.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\DOWNLOADS\HIJACKTH.EXE

C:\MSOFFICE\OFFICE\WINWORD.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/comcast.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Downloads\VIRUS SCANS\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [ATTBroadbandClient] C:\Program Files\AT&T\BBClient\Programs\RegCon.exe /admincheck

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [Reminder] C:\Money\System\reminder.exe

O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE

O4 - Startup: Upgrade Metro eGuide.lnk = C:\Crye-Leike_Relocation_Services_Chattanooga\WiseUpdt.exe

O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O13 - WWW. Prefix: http://

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7868.4060300926

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab


I do not know how to locate "System Hooks". However I ran C:\windows\System dir ct*.* in DOS but did not find "ctlj.dll". I continue to run ad-aware, shredder etc. Ad-aware found "c:\windows\temp\sp.html" if that means anything. In reading this site there are so many variations of this thing and so many different solutions...I do not know what to try. Any help would be greatly appreciated.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:08:09 PM, on 06/25/2004

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\STARTER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\HPZTSB04.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\RunDLL.exe

C:\MONEY\SYSTEM\REMINDER.EXE

C:\GREETING\GWREMIND.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\MSOFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\HPZSTATX.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\DOWNLOADS\HIJACKTH.EXE

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Downloads\VIRUS SCANS\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [ATTBroadbandClient] C:\Program Files\AT&T\BBClient\Programs\RegCon.exe /admincheck

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [Reminder] C:\Money\System\reminder.exe

O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE

O4 - Startup: Upgrade Metro eGuide.lnk = C:\Crye-Leike_Relocation_Services_Chattanooga\WiseUpdt.exe

O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O13 - WWW. Prefix: http://

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7868.4060300926

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

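An added example, not part of the original posts: a small Python parser that compares two HijackThis logs, such as the two Bobc posted above, and reports which running processes and registry/startup entries changed between scans. The sample logs are abridged excerpts of those two logs, and the function names are hypothetical.

```python
import re

# A HijackThis entry line: section code (R0, O2, O4, ...), " - ", then the detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (running processes, registry/startup entries) from one log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif in_procs:
            processes.add(line.upper())  # Windows paths are case-insensitive
    return processes, entries

def diff_hjt(before, after):
    """Report what appeared or disappeared between two scans."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {"processes_added": sorted(p1 - p0),
            "processes_removed": sorted(p0 - p1),
            "entries_added": sorted(e1 - e0),
            "entries_removed": sorted(e0 - e1)}

# Abridged excerpts of the two logs posted above (most lines omitted).
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\DOWNLOADS\HIJACKTH.EXE
C:\MSOFFICE\OFFICE\WINWORD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/comcast.html
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""
AFTER = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\DOWNLOADS\HIJACKTH.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

if __name__ == "__main__":
    for key, items in diff_hjt(BEFORE, AFTER).items():
        print(key, items)
```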

You locate System Hooks by running the program Microsoft System Information. There's a shortcut to it on your Start Menu under System Tools, or simply click Start>Run and in the command line type msinfo32 and hit enter.

 

Once Sysinfo is running, you'll see a category called Software Environment, and under that is the System Hooks section. Even if it shows that a CWS dll is running, it's probably not named ctlj.dll -- those dll names are generated randomly. But if you *do* see some kind of strange-looking .dll there, with no explanation of what it does, follow the rest of my steps until you get to the part where you scan it with Adaware. If it fails the test there, you can get rid of it, and hopefully your problems will go with it.

 

Best of luck.


Hi, I am also having the problem with the about: blank. I am running XP home on my system. I also get two popups, one saying your IP address is (then a number), someone has planted a spybot in your PC and the other one says Your computer has been exposed to a parasite known as spyware. I have run adaware and spybot, still cannot get rid of it. I need help. Thanks a lot.

Bobc If you find any .dll that you want analyzed, feel free to send a zipped copy to TBoY14 at msn.com at = @.

 

Currently working on a fix, that's why I'm asking.

BobO. You are a genius. Did exactly as you said. Mine was named "wineoh.dll", the same size as yours (57,344). Ran Ad-aware and it picked up both the copy and the renamed. Deleted them both. Everything is working fine. Thank You :D

~

Thank you also rubber ducky for working on a fix. As noted I deleted the bad .dll.

Edited by Bobc


Rubber Ducky, I still have the bad dll. Will email it as requested, renamed and zipped - originally named ctlj.dll.

 

BobO


I have been having the same problem with Windows XP Pro. I cannot seem to shake this thing. There is no System Hook area in the Software environment. I tried parts of the fix for Windows 98 but it does not see the virus once I change the name of the ctlj file. Please help.


Please post a new topic. To do so go to the main page. Hit New Topic. Enter a title. Then your problem with a Hijack This log. Then hit post. Someone will help you soon.


RubbeR DuckY

 

I have an about:blank .dll that infected my Windows ME machine (originally named com.dll). Do you want me to forward it to you also?

 

The Fist


For your interest:

I use XP Pro. Found comh.dll (57.344 bytes) in c:\windows\system32

(Nb. it didn't show up in msinfo32, under software environment -> loaded modules ??. but nevertheless)

Used the instructions provided by BobO. (rename, scan with adware and findnfix etc) Worked fine!! :D
