FINDnFIX for Windows 98?


  • This topic is locked
3 replies to this topic

#1 smiley

    Member

  • Full Member
  • 16 posts

Posted 11 July 2004 - 02:38 PM

Hi,

I thought I fixed the problem yesterday with thenewsearch crap, but now my Windows 98 computer is hijacked by about:blank. I am not sure if it was there all along as I didn't connect to the internet in the meantime (I have dial-up).

I've read a few threads about the hijacker returning and using the safe mode and HijackThis/About:Buster soln, and I have confirmed this for myself.

I was ready to launch into using FINDnFIX but I noticed that it only works for XP and Windows 2000. Is there a solution for Windows 98 users?

Here is my HijackThis log in the meantime. Thank you so so much!

Logfile of HijackThis v1.98.0
Scan saved at 1:18:56 PM, on 11/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRAM FILES\ACD SYSTEMS\DEVDETECT\DEVDETECT.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E6698026-D339-11D8-A398-0050072FCE96} - C:\WINDOWS\SYSTEM\EKILC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O18 - Filter: text/html - {E6698025-D339-11D8-A398-0050F7FD50E1} - C:\WINDOWS\SYSTEM\EKILC.DLL
O18 - Filter: text/plain - {E6698025-D339-11D8-A398-0050F7FD50E1} - C:\WINDOWS\SYSTEM\EKILC.DLL

#2 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 11 July 2004 - 03:30 PM

There isn't one for Win 98 - try this instead. Download StartDreck from here. Unzip to its own folder and start the program:

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers -> Running processes

Press 'Ok'. Press 'Save' and select the location to save the log file (default is the same folder as the application). Post the log in this thread.

#3 smiley

    Member

  • Full Member
  • 16 posts

Posted 11 July 2004 - 04:09 PM

Hi,

I think I found the solution to my problem. After posting this msg I went through the About:Buster thread and got the updated AdAware.

Then I followed one of the suggested instructions:
1) boot into safe mode
2) run latest AdAware build181 with the latest ref list. It picked up 22 'bad' objects.
3) ran HijackThis - only 2 R0/R1 left
4) ran About:Buster twice - log file clean.

I've rebooted a couple of times and so far so good. I'll try that StartDreck if my problem comes back. Hopefully not!

Thanks for your help!

S.

#4 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 17 July 2004 - 04:54 AM

Glad we could help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.