Bug in "HijackThis"!



#1 circutyrgirl
Posted 30 June 2004 - 04:59 PM

Before I waste your time on my long, pathetic about.blank story, please address this issue.
I tried installing HijackThis from a floppy. The download was done on a clean machine, but my infected machine blocked the install.

So I ran all my other spyware tools (Spybot, CWShredder, etc.) on my infected machine, went online and downloaded HijackThis, and then shut down the machine. I rebooted in Safe Mode and opened and ran the HijackThis scan. It identified a couple of suspect entries and files. But then when I went to the configure page it told me that if I fixed anything it would automatically reset my homepage to "about.blank"!?!?!?

Here are my scan results:

Logfile of HijackThis v1.97.7
Scan saved at 15:45:17, on 6/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\SPYWARE\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CDApplet] CoolTool.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CIC Pen Extensions] C:\WINDOWS\SYSTEM\cicloadr.exe
O4 - HKLM\..\Run: [CIC Macro Editor] C:\WINDOWS\SYSTEM\macroed.exe -i
O4 - HKLM\..\Run: [Editing Palette] C:\WINDOWS\SYSTEM\tbtray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\lwemon.exe /noui"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Startup: Runner.LNK = C:\Program Files\Kine\Runner.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: pagoo.lnk = C:\Pagoo\Pagoo.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab

END OF LOG

I also have some suspect log files that were created at the time of infection showing HTA and mshtml.dll and mshta.dll changes. I will include these only if you ask for them.

Thanks

circutrygirl

EDITING POST/NEW LOG FILE

OK... obviously I changed the about.blank to the homepage I wanted before going on with your program. But I did think it was something you should be aware of. Yes, I read the FAQ. Yes, I ran Ad-Aware, CWShredder and Spybot, with all the most current updates. I rebooted in normal mode and ran all the software again, including Window Washer, and emptied all temp files. Then I ran HJT again and had it fix a couple of things, and now I have a new .dll I have never seen before! And I can't kill it!!! HJT will not remove it and none of the other software even sees it. Here is that log:

Logfile of HijackThis v1.98.0
Scan saved at 21:46:53, on 6/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\CICLOADR.EXE
C:\PROGRAM FILES\CYBERPOWER\POWERPANEL\POWPANEL.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CDApplet] CoolTool.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CIC Pen Extensions] C:\WINDOWS\SYSTEM\cicloadr.exe
O4 - HKLM\..\Run: [CIC Macro Editor] C:\WINDOWS\SYSTEM\macroed.exe -i
O4 - HKLM\..\Run: [Editing Palette] C:\WINDOWS\SYSTEM\tbtray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKLM\..\RunServicesOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\lwemon.exe /noui"
O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Startup: Runner.LNK = C:\Program Files\Kine\Runner.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: pagoo.lnk = C:\Pagoo\Pagoo.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEMNNNNNNNN.DLL

I will wait to get an answer from you before I do anything else. However, so far my home page is staying where I set it, but I am getting weird cookies even though I am not going anywhere but here and Google.

Thanks

cgirl

Edited by circutyrgirl, 30 June 2004 - 10:50 PM.

I am free because I know that I alone am morally responsible for everything I do.
Robert A. Heinlein
There is hopeful symbolism in the fact that flags do not wave in a vacuum.
Arthur C. Clarke
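As an added example (not code from the original thread or from HijackThis), here is a small Python script that does what a helper does by hand with the two logs above: it diffs two scans of the same machine to surface the entries that appeared between them, and flags any entry whose DLL basename follows the padded SYSTEM*.DLL naming pattern the later posts describe. The log excerpts are constructed from the thread's own lines, trimmed to the entries that differ.

```python
import re
from typing import List, Set, Tuple

# Constructed excerpts of the two HijackThis logs posted above (15:45 and 21:46 scans
# on 6/30/04): only the entries that differ plus a few shared ones are kept.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
END OF LOG
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.98.0
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKLM\..\RunServicesOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEMNNNNNNNN.DLL
"""

# An HJT entry is a section code (R3, F1, O4, O18, ...), " - ", then the item text;
# header lines such as "Logfile of ..." and "END OF LOG" are not entries.
ENTRY_RE = re.compile(r"^[RFNO]\d+ - .+$")
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.dll', re.IGNORECASE)
# Basename shaped like the system directory name padded with one repeated character,
# the pattern of the SYSTEMNNNNNNNN.DLL / SYSTEMlllllll.dll files described in the thread.
PADDED_NAME_RE = re.compile(r"^SYSTEM(.)\1{2,}\.DLL$", re.IGNORECASE)


def parse_hjt(log: str) -> Set[str]:
    """Return the set of entry lines in one HijackThis log, whitespace-trimmed."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_hjt(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(added, removed) entries between two scans of the same machine, sorted."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(a - b), sorted(b - a)


def padded_system_dlls(log: str) -> List[str]:
    """Entries, in any section, whose DLL path has a padded SYSTEM* basename."""
    hits = []
    for entry in sorted(parse_hjt(log)):
        names = (p.rsplit("\\", 1)[-1] for p in DLL_PATH_RE.findall(entry))
        if any(PADDED_NAME_RE.match(n) for n in names):
            hits.append(entry)
    return hits
```

Run against the two excerpts, the diff reports the new RunServicesOnce item and the O18 protocol handler, and only the O18 line trips the padded-name check.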

#2 circutyrgirl


Posted 01 July 2004 - 11:23 AM

Bump :)

#3 circutyrgirl


Posted 01 July 2004 - 11:55 AM

Yes, I read the FAQ. I realize that if I keep whining about not getting answered, or keep posting before you answer me, I might offend you and then I'll have to take my business elsewhere. :) I am really just surprised that no one seems interested in the fact that the HJT program seems vulnerable to the new strain of CWS/about.blank. I was infected on June 26th, so I have a very new and nasty strain. It was the bundled type that installed several dialers and dozens of hijacks. I was able to manually remove everything but the about.blank/smart search. I have a feeling that if I hadn't already removed almost all of it manually it would have done more damage to the HJT program than it did. I know that the Spybot and the Ad-Aware programs are both missing things they should be seeing and displaying false positives even now...

Also, if it helps, the C:\WINDOWS\SYSTEMNNNNNNN.dll is a rename of Microsoft's MIME filter .dll. There are actually two of them; HJT is not detecting the other, but its name is C:\WINDOWS\SYSTEMlllllll.dll. Here is the Knowledge Base article number for it: Q260840
http://support.micro...b;EN-US;q260840

HJT keeps detecting it but cannot remove it which may or may not be a good thing. Hopefully someone will tell me :)

#4 circutyrgirl


Posted 07 July 2004 - 08:45 AM

Well, since no one else seems interested in this topic, I will answer my own question, and hopefully it will help anyone else out there who is confused. (I realise it is my own ego to assume I'm not the only one.) :)

If I'm wrong I trust that one of the helpers will jump in and correct me.

I think "about.blank" appears in the HJT config section because the actual "about.blank" page is a normal function of IE. It is simply supposed to take you to a blank HTML page. What all these viruses do is redirect your blank homepage to somewhere else: smart search, cool search, etc., etc. So the fact that "about.blank" appears in the config menu of HJT is normal. You're just supposed to change it to whatever you want your homepage to be.

Once again, please note: I am NOT a qualified helper, so I am NOT telling anyone to ignore fixing anything that HJT or any other program tells you to fix if it sees "about.blank" in your registry or elsewhere. I'm only talking about the config menu of the HJT program itself.

Of course, if a helper does decide to respond to my problem, I would sure still like to know what, if anything, I should do with that SYSTEMNNNNNNN.dll file. My log is the same as the last time I posted.

Edited by circutyrgirl, 07 July 2004 - 08:54 AM.
