
CW Searchx About:blank


15 replies to this topic

#1 Bobc

Bobc

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 25 June 2004 - 02:16 AM

I am having the same problems as many others being hijacked
by about blank. It keeps coming back after the fixes: Shredder, Spy-bot,
fixes on HJT. When I ran CWS Shredder earlier it found "Searchx".
When I type an incorrect/invalid address it reverts to the hijacker
site with the address: http://s1di.d8t.biz/...x.php?aid=20038

I have Windows 98. I have read Archon Wing's solution to Magoo
...but is there a solution for Windows 98? Thank you.

HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 1:12:35 AM, on 06/25/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RunDLL.exe
C:\MONEY\SYSTEM\REMINDER.EXE
C:\GREETING\GWREMIND.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\MSOFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTH.EXE
C:\MSOFFICE\OFFICE\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/comcast.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Downloads\VIRUS SCANS\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATTBroadbandClient] C:\Program Files\AT&T\BBClient\Programs\RegCon.exe /admincheck
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Money\System\reminder.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O4 - Startup: Upgrade Metro eGuide.lnk = C:\Crye-Leike_Relocation_Services_Chattanooga\WiseUpdt.exe
O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7868.4060300926
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab

#2 BobO

BobO

    Member

  • Full Member
  • Pip
  • 54 posts

Posted 25 June 2004 - 02:36 AM

I had the same problem on Win 98. Please take a look at my solution here.

It might work for you. Hope so.

BobO

#3 Bobc


Posted 25 June 2004 - 07:38 PM

Thank you very much. I will give it a try.

#4 Bobc


Posted 25 June 2004 - 10:12 PM

I do not know how to locate "System Hooks". However, I ran C:\windows\System
dir ct*.* in DOS but did not find "ctlj.dll". I continue to run Ad-aware, Shredder, etc.
Ad-aware found "c:\windows\temp\sp.html", if that means anything. In reading
this site, there are so many variations of this thing and so many different
solutions...I do not know what to try. Any help would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 11:08:09 PM, on 06/25/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RunDLL.exe
C:\MONEY\SYSTEM\REMINDER.EXE
C:\GREETING\GWREMIND.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOWNLOADS\HIJACKTH.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Downloads\VIRUS SCANS\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATTBroadbandClient] C:\Program Files\AT&T\BBClient\Programs\RegCon.exe /admincheck
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Money\System\reminder.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O4 - Startup: Upgrade Metro eGuide.lnk = C:\Crye-Leike_Relocation_Services_Chattanooga\WiseUpdt.exe
O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7868.4060300926
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab

#5 BobO


Posted 25 June 2004 - 10:45 PM

You locate System Hooks by running the program Microsoft System Information. There's a shortcut to it on your Start Menu under System Tools, or simply click Start>Run and in the command line type msinfo32 and hit enter.

Once Sysinfo is running, you'll see a category called Software Environment, and under that is the System Hooks section. Even if it shows that a CWS dll is running, it's probably not named ctlj.dll -- those dll names are generated randomly. But if you *do* see some kind of strange-looking .dll there, with no explanation of what it does, follow the rest of my steps until you get to the part where you scan it with Adaware. If it fails the test there, you can get rid of it, and hopefully your problems will go with it.

Best of luck.

#6 Bobc


Posted 25 June 2004 - 11:12 PM

Thanks again...I will give it a shot.

#7 Tanya265709

Tanya265709

    Member

  • New Member
  • Pip
  • 1 posts

Posted 25 June 2004 - 11:19 PM

Hi, I am also having the problem with the about:blank. I am running XP Home on my system. I also get two popups, one saying your IP address is (then a number), someone has planted a spybot in your PC, and the other one says Your computer has been exposed to a parasite known as spyware. I have run Adaware and Spybot, still cannot get rid of it. I need help. Thanks a lot.

#8 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 25 June 2004 - 11:25 PM

Bobc, if you find any .dll that you want analyzed, feel free to send a zipped copy to TBoY14 at msn.com (at = @).

Currently working on a fix, that's why I'm asking.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#9 Bobc


Posted 26 June 2004 - 12:22 AM

BobO. You are a genius. Did exactly as you said. Mine was named "wineoh.dll", the
same size as yours (57,344). Ran Ad-aware and it picked up both
the copy and the renamed. Deleted them both. Everything is working
fine. Thank You :D
~
Thank you also rubber ducky for working on a fix. As noted I deleted
the bad .dll.

Edited by Bobc, 26 June 2004 - 12:23 AM.


#10 BobO


Posted 26 June 2004 - 06:21 AM

Rubber Ducky, I still have the bad dll. Will email it as requested, renamed and zipped - originally named ctlj.dll.

BobO

#11 BobO


Posted 26 June 2004 - 06:29 AM

Bobc, you're very very welcome! 2 down, a million to go... :D

#12 tybaby33

tybaby33

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 June 2004 - 08:03 PM

I have been having the same problem with Windows XP Pro. I cannot seem to shake this thing. There is no System Hook area in the Software environment. I tried parts of the fix for Windows 98 but it does not see the virus once I change the name of the ctlj file. Please help.

#13 RubbeR DuckY


Posted 30 June 2004 - 08:07 PM

Please post a new topic. To do so go to the main page. Hit New Topic. Enter a title. Then your problem with a Hijack This log. Then hit post. Someone will help you soon.

#14 The Fist

The Fist

    Member

  • Full Member
  • Pip
  • 50 posts

Posted 30 June 2004 - 08:50 PM

RubbeR DuckY

I have an about:blank .dll that infected my Windows ME machine (originally named com.dll). Do you want me to forward it to you also?

The Fist

#15 TheGoose

TheGoose

    Member

  • New Member
  • Pip
  • 1 posts

Posted 05 July 2004 - 03:57 PM

For your interest:
I use XP Pro. Found comh.dll (57.344 bytes) in c:\windows\system32
(N.B. it didn't show up in msinfo32, under Software Environment -> Loaded Modules ??, but nevertheless.)
Used the instructions provided by BobO (rename, scan with Adaware and FindnFix, etc). Worked fine!! :D
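
Added example (not part of any post in this thread): the posters report randomly named DLLs (ctlj.dll, wineoh.dll, com.dll, comh.dll) in the Windows system directory, with 57,344 bytes reported for wineoh.dll and comh.dll, so a name search fails while a size search still narrows the field. The Python sketch below lists such candidates with a SHA-256 for each; the function names are this example's own, and a size match is only a reason to scan the file as described above, not proof.

```python
import hashlib
import os

# File size reported in this thread for the hijacker DLL (names vary, size did not).
REPORTED_SIZE = 57_344


def sha256_of(path):
    """Hash the file in chunks so the digest can accompany a submitted sample."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file starts with the DOS 'MZ' magic that every real DLL carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_candidates(system_dir, size=REPORTED_SIZE):
    """Return [(name, sha256)] for top-level .dll files of exactly `size` bytes."""
    hits = []
    for entry in sorted(os.scandir(system_dir), key=lambda e: e.name.lower()):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not entry.name.lower().endswith(".dll"):
            continue  # the thread's samples all kept a .dll extension
        if entry.stat(follow_symlinks=False).st_size != size:
            continue
        if not looks_like_pe(entry.path):
            continue  # right size and extension, but not an executable image
        hits.append((entry.name, sha256_of(entry.path)))
    return hits


if __name__ == "__main__":
    import sys
    # Point this at a copy of C:\WINDOWS\SYSTEM or C:\WINDOWS\SYSTEM32.
    for name, digest in find_candidates(sys.argv[1]):
        print(f"{digest}  {name}")
```

Legitimate DLLs can share this size, so each hit still needs the scanner check the posters describe before anything is deleted.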

#16 RubbeR DuckY


Posted 05 July 2004 - 04:09 PM

Yes please zip up and send the file to Here

This would be greatly appreciated. :)



