circutyrgirl

Bug in "HijackThis"!

4 posts in this topic

Before I waste your time on my long, pathetic about.blank story please address this issue.

I tried installing HijackThis from a floppy. The download was done on a clean machine. But my infected machine blocked the install.

 

So I ran all my other spyware, Spybot, CWShredder etc. on my infected machine, went online and downloaded HThis and then shut down the machine. I rebooted in Safe mode and opened and ran the Hijack scan....it identified a couple of suspect entries and files. But then when I went to the configure page it told me if I fixed anything it would automatically reset my homepage to "about.blank"!?!?!?

 

Here are my scan results:

 

Logfile of HijackThis v1.97.7

Scan saved at 15:45:17, on 6/30/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\SPYWARE\HIJACKTHIS.EXE

 

R3 - Default URLSearchHook is missing

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe

O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe

O4 - HKLM\..\Run: [CDApplet] CoolTool.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [CIC Pen Extensions] C:\WINDOWS\SYSTEM\cicloadr.exe

O4 - HKLM\..\Run: [CIC Macro Editor] C:\WINDOWS\SYSTEM\macroed.exe -i

O4 - HKLM\..\Run: [Editing Palette] C:\WINDOWS\SYSTEM\tbtray.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKCU\..\Run: [start WingMan Profiler] "C:\Program Files\Logitech\WingMan Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\lwemon.exe /noui"

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe

O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe

O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe

O4 - Startup: Runner.LNK = C:\Program Files\Kine\Runner.EXE

O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe

O4 - Startup: pagoo.lnk = C:\Pagoo\Pagoo.exe

O4 - Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe

O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE

O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE

O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE

O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE

O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe

O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm

O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm

O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm

O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm

O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm

O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm

O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

 

END OF LOG

 

I also have some suspect log files that were created at the time of infection showing HTA and mshtml.dll and mshta.dll changes. I will include these only if you ask for them.

 

Thanks

 

circutrygirl

 

EDITING POST/NEW LOG FILE

 

OK....obviously I changed the about.blank to the homepage I wanted before going on with your program. But I did think it was something you should be aware of. Yes..I read the FAQ....yes I ran Ad-Aware, CWShredder and Spybot....with all the most current updates. I rebooted in normal mode, ran all the software again...including Windowwasher and emptying all temp files. Then I ran HJT again...had it fix a couple of things...and now I have a new .dll I have never seen before! And I can't kill it!!! HJT will not remove it and none of the other software even sees it. Here is that log:

 

Logfile of HijackThis v1.98.0

Scan saved at 21:46:53, on 6/30/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\SYSTEM\CICLOADR.EXE

C:\PROGRAM FILES\CYBERPOWER\POWERPANEL\POWPANEL.EXE

C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\HJT\HIJACKTHIS.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

 

R3 - Default URLSearchHook is missing

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe

O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe

O4 - HKLM\..\Run: [CDApplet] CoolTool.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [CIC Pen Extensions] C:\WINDOWS\SYSTEM\cicloadr.exe

O4 - HKLM\..\Run: [CIC Macro Editor] C:\WINDOWS\SYSTEM\macroed.exe -i

O4 - HKLM\..\Run: [Editing Palette] C:\WINDOWS\SYSTEM\tbtray.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe

O4 - HKLM\..\RunServicesOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe

O4 - HKCU\..\Run: [start WingMan Profiler] "C:\Program Files\Logitech\WingMan Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\lwemon.exe /noui"

O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe

O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe

O4 - Startup: Runner.LNK = C:\Program Files\Kine\Runner.EXE

O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe

O4 - Startup: pagoo.lnk = C:\Pagoo\Pagoo.exe

O4 - Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe

O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE

O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE

O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE

O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE

O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEMNNNNNNNN.DLL

 

I will wait to get an answer from you before I do anything else. However.....so far my home page is staying where I set it but I am getting weird cookies even though I am not going anywhere but here and Google.

 

Thanks

 

cgirl

Edited by circutyrgirl


Yes....I read the FAQ. I realize that if I keep whining about not getting answered or keep posting before you answer me I might offend you and then I'll have to take my business elsewhere. :) I am really just surprised that no one seems interested in the fact that the HJT program seems vulnerable to the new strain of CWS/about.blank. I was infected on June 26th so I have a very new and nasty strain. It was the bundled type that installed several dialers and dozens of hijacks. I was able to manually remove everything but the about.blank/smart search. I have a feeling that if I hadn't already removed almost all of it manually it would have done more damage to the HJT program than it did. I know that the Spybot and the Ad-Aware program are both missing things they should be seeing and displaying false positives even now....

 

Also.....if it helps....the C\WINDOWS\SYSTEMNNNNNNN.dll is a rename of Microsoft's Mimefilter .dll. There are actually two of them....HJT is not detecting the other but its name is C\WINDOWS\SYSTEMlllllll.dll. Here is the Knowledge Base Article number for it: Q260840

http://support.microsoft.com/default.aspx?...b;EN-US;q260840

 

HJT keeps detecting it but cannot remove it which may or may not be a good thing. Hopefully someone will tell me :)


Well, since no one else seems interested in this topic I will answer my own question and hopefully it will help anyone else out there who is confused. (I realise it is my own ego to assume I'm not the only one) :)

 

If I'm wrong I trust that one of the helpers will jump in and correct me.

 

I think "about.blank" appears in the HJT config section because the actual "about.blank" page is a normal function of IE. It simply is supposed to take you to a blank HTML page. What all these viruses do is redirect your blank homepage to somewhere else...smart search, cool search, etc, etc. So the fact that "about.blank" appears in the config menu of HJT is normal. You're just supposed to change it to whatever you want your homepage to be.

 

Once again please note....I am NOT a qualified helper so I am NOT telling anyone to ignore fixing anything that HJT or any other program tells you to fix if it sees "about.blank" in your registry or elsewhere. I'm only talking about the config menu of the HJT program itself.

 

Of course if a helper does decide to respond to my problem I would sure still like to know what, if anything, I should do with that SYSTEMNNNNNNN.dll file. My log is the same as the last time I posted.

Edited by circutyrgirl
