HJT resets homepage to about.blank



#1 circutyrgirl (Full Member, 8 posts)

Posted 01 July 2004 - 01:05 PM

ok.....I really did read the FAQ...then I read a thread that said to bump your topic if it hadn't been answered. Then I read another one that said don't do that! So I'm going to start over and just wait for 48 hrs and hope that works. At the top is my very latest log file. As you can see I'm doing pretty good after 4 days of manual registry hacking and then running all the suggested removal-ware. I still have the question about the mime filter .dll. You will also notice that I removed the PestPatrol scanner. In case you were not aware of these people I think it really bears pinning so I will post a separate topic about them. Then I am pasting in my other posts so you can see the progression of what I did and how it worked. So far I have not had any more problems but from what I read of other people it may take a couple days to show up again. I do have my PC inoculated with Ad-Aware. My concern is still that MS xml-mimefilter .dll. It's been in my PC for 3 years and does not show itself as being modified since then but it still seems weird that it is all of a sudden being picked up by HJT. Hopefully someone can explain it to me.
I also continue to have Spybot and Adaware showing false positives for registry keys that do not exist as well as dialer programs that I know are not on my PC. It would be nice to know if these are just glitches in their programs or the after effects of the malware itself.

Logfile of HijackThis v1.98.0
Scan saved at 11:54:25, on 7/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\CICLOADR.EXE
C:\PROGRAM FILES\CYBERPOWER\POWERPANEL\POWPANEL.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CDApplet] CoolTool.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CIC Pen Extensions] C:\WINDOWS\SYSTEM\cicloadr.exe
O4 - HKLM\..\Run: [CIC Macro Editor] C:\WINDOWS\SYSTEM\macroed.exe -i
O4 - HKLM\..\Run: [Editing Palette] C:\WINDOWS\SYSTEM\tbtray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKLM\..\RunServicesOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\lwemon.exe /noui"
O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Startup: Runner.LNK = C:\Program Files\Kine\Runner.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: pagoo.lnk = C:\Pagoo\Pagoo.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEMNNNNNNNN.DLL


Jun 30 2004, 04:59 PM
Before I waste your time on my long, pathetic about.blank story please address this issue.
I tried installing HijackThis from a floppy. The download was done on a clean machine. But my infected machine blocked the install.

So I ran all my other spyware tools, Spybot, CWShredder etc. on my infected machine, went online and downloaded HJT and then shut down the machine. I rebooted in Safe mode and opened and ran the HijackThis scan....it identified a couple suspect entries and files. But then when I went to the configure page it told me if I fixed anything it would automatically reset my homepage to "about.blank"!?!?!?

Here are my scan results:

Logfile of HijackThis v1.97.7
Scan saved at 15:45:17, on 6/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\SPYWARE\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CDApplet] CoolTool.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CIC Pen Extensions] C:\WINDOWS\SYSTEM\cicloadr.exe
O4 - HKLM\..\Run: [CIC Macro Editor] C:\WINDOWS\SYSTEM\macroed.exe -i
O4 - HKLM\..\Run: [Editing Palette] C:\WINDOWS\SYSTEM\tbtray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\lwemon.exe /noui"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Startup: Runner.LNK = C:\Program Files\Kine\Runner.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: pagoo.lnk = C:\Pagoo\Pagoo.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab

END OF LOG

I also have some suspect applog files that were created at the time of infection showing HTA and mshtml.dll and mshta.dll changes. I will include these only if you ask for them.

Thanks

circutrygirl

EDITING POST/NEW LOG FILE

ok....obviously I changed the about.blank to the homepage I wanted before going on with your program. But I did think it was something you should be aware of. Yes..I read the FAQ....yes I ran Ad-Aware, CWShredder and Spybot....with all the most current updates. I rebooted in normal mode, ran all the software again...including Window Washer and emptying all temp files. Then I ran HJT again...had it fix a couple things...and now I have a new .dll I have never seen before! And I can't kill it!!! HJT will not remove it and none of the other software even sees it. Here is that log:

Logfile of HijackThis v1.98.0
Scan saved at 21:46:53, on 6/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\CICLOADR.EXE
C:\PROGRAM FILES\CYBERPOWER\POWERPANEL\POWPANEL.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoodooBanshee] rundll32.exe 3dfxVBps.dll,BansheeLoadSettings
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CDApplet] CoolTool.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CIC Pen Extensions] C:\WINDOWS\SYSTEM\cicloadr.exe
O4 - HKLM\..\Run: [CIC Macro Editor] C:\WINDOWS\SYSTEM\macroed.exe -i
O4 - HKLM\..\Run: [Editing Palette] C:\WINDOWS\SYSTEM\tbtray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKLM\..\RunServicesOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\lwemon.exe /noui"
O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Startup: Runner.LNK = C:\Program Files\Kine\Runner.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: pagoo.lnk = C:\Pagoo\Pagoo.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\CyberPower\PowerPanel\PowPanel.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEMNNNNNNNN.DLL

I will wait to get an answer from you before I do anything else. However.....so far my home page is staying where I set it but I am getting weird cookies even though I am not going anywhere but here and Google.

Thanks

cgirl

This post has been edited by circutyrgirl on Jun 30 2004, 10:50 PM


Jul 1 2004, 11:55 AM
yes....I read the FAQ. I realize that if I keep whining about not getting answered or keep posting before you answer me I might offend you and then I'll have to take my business elsewhere. :) I am really just surprised that no one seems interested in the fact that the HJT program seems vulnerable to the new strain of CWS/about.blank. I was infected on June 26th so I have a very new and nasty strain. It was the bundled type that installed several dialers and dozens of hijacks. I was able to manually remove everything but the about.blank/smart search. I have a feeling that if I hadn't already removed almost all of it manually it would have done more damage to the HJT program than it did. I know that the Spybot and the Ad-Aware program are both missing things they should be seeing and displaying false positives even now....

Also.....if it helps....the C\WINDOWS\SYSTEMNNNNNNN.dll is a rename of Microsoft's Mimefilter .dll. There are actually two of them....HJT is not detecting the other but its name is C\WINDOWS\SYSTEMlllllll.dll. Here is the Knowledge Base Article number for it: Q260840
http://support.micro...b;EN-US;q260840

HJT keeps detecting it but cannot remove it, which may or may not be a good thing. Hopefully someone will tell me.
I am free because I know that I alone am morally responsible for everything I do.
Robert A. Heinlein
There is hopeful symbolism in the fact that flags do not wave in a vacuum.
Arthur C. Clarke
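The three logs above are the kind of thing a helper reads by eye. As an added example (not from this thread, from HijackThis, or from any of the tools named in it), here is a small Python script that parses HJT entry lines and flags the ones worth a second look. The heuristics are my own assumptions, not HJT's: a run of repeated characters in a protocol-handler DLL name (the SYSTEMNNNNNNNN.DLL / SYSTEMlllllll.dll names, reproduced as posted), one-shot RunOnce/RunServicesOnce autostarts, rundll32/regsvr32 loading a DLL by bare name, ActiveX controls (O16) pulled from a remote URL, and a BHO with no display name. The sample log is a constructed subset of the lines posted above.

```python
"""Triage a HijackThis (HJT) log: parse entry lines and flag the ones that
deserve a closer look.  Added example; the heuristics are the editor's own,
and SAMPLE_LOG is a constructed subset of the lines posted in the thread."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWARE\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\RunOnce: [washieindex] C:\Program Files\Washer-IE\washidx.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEMNNNNNNNN.DLL
"""

# Every HJT finding line looks like "<code> - <body>"; everything else
# (header, running-process list, blank lines) is skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Four or more identical consecutive characters in a file name is a cheap
# tell for a renamed or generated file (e.g. SYSTEMNNNNNNNN.DLL).
REPEAT_RE = re.compile(r"(.)\1{3,}")
# rundll32/regsvr32 followed (eventually) by a .dll/.cpl argument.
LOADER_RE = re.compile(
    r"\b(rundll32(?:\.exe)?|regsvr32(?:\.exe)?)\b.*?\b([\w~.-]+\.(?:dll|cpl))\b", re.I)


@dataclass
class Finding:
    code: str
    severity: str  # "info", "review" or "suspect"
    reason: str
    line: str


def last_path_component(path):
    return re.split(r"[\\/]", path.strip())[-1]


def check_entry(code, body, line):
    """Apply the heuristics to one parsed entry; returns zero or more findings."""
    out = []
    if code == "R3" and "missing" in body:
        out.append(Finding(code, "info",
                           "default URLSearchHook missing; often a side effect of earlier cleanup", line))
    elif code == "O2" and body.startswith("BHO: (no name)"):
        out.append(Finding(code, "review",
                           "BHO registered without a display name; confirm the DLL belongs to a known product", line))
    elif code == "O4":
        key, _, cmd = body.partition(": ")          # e.g. "HKCU\..\RunOnce"
        if "Once" in key:
            out.append(Finding(code, "review",
                               f"one-shot autostart under {key}; confirm what created it", line))
        m = LOADER_RE.search(cmd)
        if m and "\\" not in m.group(2):
            out.append(Finding(code, "review",
                               f"{m.group(1)} loads {m.group(2)} by bare name (resolved through the search path)", line))
    elif code == "O16":
        out.append(Finding(code, "review",
                           "ActiveX control installed from a remote URL; verify the host", line))
    elif code == "O18":
        name = last_path_component(body.rsplit(" - ", 1)[-1])
        if REPEAT_RE.search(name.rsplit(".", 1)[0]):
            out.append(Finding(code, "suspect",
                               f"protocol handler DLL {name} has a run of repeated characters in its name", line))
        else:
            out.append(Finding(code, "review", f"custom protocol handler backed by {name}", line))
    return out


def triage(log_text):
    """Parse a whole HJT log and return the list of findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            findings.extend(check_entry(m.group("code"), m.group("body"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.code}: {f.reason}\n          {f.line}")
```

The script only sorts entries into "look here first" buckets; it does not decide what to fix, because half the O4 lines in the logs above (Logitech, Iomega, CyberPower, the CIC pen tools) are ordinary software that a name-based rule cannot tell apart from an intruder without knowing the machine.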

#2 Mrfullsrvc (Full Member, 10 posts)

Posted 01 July 2004 - 02:45 PM

I don't know what to tell you about HJT, but maybe some of this info will help get rid of the about:blank situation.

I fought with this virus for a week and a half. It's a Win32.Mersting.B trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From ca's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the CWS shredder, Spybot, Adaware, pest patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eztrust from cai) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

To see information about it, go to:

http://vic.zonelabs....s.jsp?VId=39113
http://www3.ca.com/s...s.aspx?id=39113
http://uk.trendmicro...me=TROJ_AGENT.A

For information on the Reg Start page, go to:

http://www3.ca.com/s...s.aspx?ID=28683

Trend Micro's removal tool for this particular mofo is at:

https://beta.activeu...gentv1.0007.zip

I have a command file (.cmd) named delmer.cmd that will remove it for you too that was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below are the contents of that command file:


@echo off
rem %1 is the full path of the infected file, passed on the command line
rem Grant everyone full access to the file (echo y answers the cacls confirmation prompt)
echo y| cacls.exe %1 /g everyone:f
rem Access the file to trigger resident protection
type %1 > nul
rem Wait 10 seconds to allow system clean to run
rem (delay is not a built-in cmd command; the script expects an external delay utility on the path)
delay 10
rem In case system clean didn't run, delete the file manually
del /q /f %1

Make sure that once you run the command file, or the fixtool from Trend Micro that you turn off the system restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the system restore points. Your antivirus will detect the virus if you don't turn the system restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!




Member of ASAP and UNITE