How Can I Get Rid Of About:blank Hijack


11 replies to this topic

#1 poorboy23

poorboy23

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 12 July 2004 - 11:38 AM

Please help. Have long been at the frustration point.
My machine has been hijacked by the "about:blank" malicious code.
I have had it on my machine for many days now.
I have used several combinations of Spybot Search & Destroy, AdAware, HijackThis, CWS Shredder, registry edits, and even run these in safe mode but the thing keeps coming back. Clearly I am missing the key file or files.

My home page keeps getting changed to "about:blank" which is an unidentified page with a menu of various categories such as gambling, virus removal, shopping sites etc. and with occasional popups about spyware.

My machine runs on Win 98 and am using IE 5.0.
I am running NAV 2002 with up to date virus defs.

Here is my latest HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 9:40:44 AM, on 7/12/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=hpfsched
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {1EDCEFA3-D380-11D8-B926-CCBD1CDB5E68} - C:\WINDOWS\SYSTEM\OFC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [PC Magazine SeeThru] C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE
O4 - Global Startup: SeeThru .lnk = C:\Program Files\SeeThru\seethru.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.win...en/wucorpct.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Filter: text/html - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL
O18 - Filter: text/plain - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL

Help to fix this is greatly appreciated.

Thank you,

#2 poorboy23

Posted 13 July 2004 - 10:42 PM

Have not heard from anyone yet in 1.5 days.
Maybe my plea has been missed?

Hopefully by tomorrow am there will be some help available?

Please.

Edited by poorboy23, 14 July 2004 - 01:01 AM.


#3 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 14 July 2004 - 01:03 AM

Download and install:

"FINDnFIX.exe" from http://freeatlast100...om/FINDnFIX.exe

Run the "!LOG!.bat" file, wait for the final output (log.txt) then post the results here in this same thread along with a fresh HijackThis log.

Things you need (all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio (Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want (Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

PROUD member Since 2004

#4 poorboy23

Posted 14 July 2004 - 01:02 PM

Downloaded "FINDnFIX.exe"
Ran the exe file and got the message
"Free Extractor error
An error prevents this program from continuing. Could not read SFX info. It's likely corrupt."

I then went to http://freeatlast100.100free.com/
After findnfix.exe it says "(2KXP only!)"

I am running Win 98 so maybe that is why the program will not run?


Questions about your suggestions (please read them not as a challenge but from a more naive point of view)
(I really want to know more)
Things you need:
1. I am already running Norton anti virus w/ up to date virus defs. Why do I need another program? Are you saying that NAV is no good?

2. Since this code appeared I have already decided to get a firewall. Thanks for the recommendations.
3. Do you think I need all 3 of IE Spyads SpywareBlaster Spyware Guard or just 1?
4. Just got a free win security update from MS and can run after the hijack code is removed permanently


Things I want:
1 I have Mozilla installed on my machine but have been unhappy with it in general since it runs much slower on my machine than IE. I love the idea of not using MS stuff but...

Actually I just figured out that I have the Mozilla suite and not the Firefox browser so maybe I should check out just the Firefox browser.
2. Pop up killers have been recommended. Why the google toolbar as opposed to any other?

3. Already have AdAware and Spybot installed and up to date.

4. Will look into MS MVP Hosts file

Here's the fresh HijackThis log

Logfile of HijackThis v1.98.0
Scan saved at 11:04:21 AM, on 7/14/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=hpfsched
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {1EDCEFA3-D380-11D8-B926-CCBD1CDB5E68} - C:\WINDOWS\SYSTEM\OFC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [PC Magazine SeeThru] C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE
O4 - Global Startup: SeeThru .lnk = C:\Program Files\SeeThru\seethru.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.win...en/wucorpct.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Filter: text/html - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL
O18 - Filter: text/plain - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL

Petrocqr

Edited by poorboy23, 14 July 2004 - 03:58 PM.


#5 jwbirdsong

Posted 14 July 2004 - 06:45 PM

Responses are 'in-line' with your questions.

Downloaded "FINDnFIX.exe"
Ran the exe file and got the message
"Free Extractor error
An error prevents this program from continuing. Could not read SFX info. It's likely corrupt."

I then went to http://freeatlast100.100free.com/
After findnfix.exe it says "(2KXP only!)"

I am running Win 98 so maybe that is why the program will not run?
Of course that's why, my fault entirely. I never meant to give you the link for FnF. I thought I'd grabbed the link for 'Win98fix'; must have just been reflex to paste FnF. Sorry.

Questions about your suggestions (please read them not as a challenge but from a more naive point of view)
(I really want to know more)
Things you need:
1. I am already running Norton anti virus w/ up to date virus defs.
Good
Why do I need another program?
You don't
Are you saying that NAV is no good?
NAV is far from one of my favorites by any means; but by and large it does an acceptable job of virus protection.

2. Since this code appeared I have already decided to get a firewall. Thanks for the recommendations.
Kerio 2.1.5 is an excellent one, although it is a little more 'hands on' as opposed to Zone Alarm.
3. Do you think I need all 3 of IE Spyads SpywareBlaster Spyware Guard or just 1?
Without a doubt all 3 (ESPECIALLY with IE5)
4. Just got a free win security update from MS and can run after the hijack code is removed permanently.
Windows Updates is ALWAYS free; but are you by any chance talking about IE6?? If not I would encourage you to get it; even if you use Mozilla/Firefox as your main browser.

Things I want:
1. I have Mozilla installed on my machine but have been unhappy with it in general since it runs much slower on my machine than IE. I love the idea of not using MS stuff but...

Actually I just figured out that I have the Mozilla suite and not the Firefox browser so maybe I should check out just the Firefox browser.
Sure, why not; keep in mind Firefox is just the browser while Mozilla suite is just that, a 'suite' or the 'whole package': email client etc., etc.
2. Pop up killers have been recommended. Why the google toolbar as opposed to any other?
Uses up virtually no system resources and is one of the most configurable stoppers yet; plus a one click Google search.

3. Already have AdAware and Spybot installed and up to date.
Good
4. Will look into MS MVP Hosts file
It's just a 'set it and forget it' kind of thing
PHEWW

I suppose I could have saved us both time in the beginning by saying those comments weren't directed just at you. It's my standard signature; everyone sees it with each post...


If you have already read my replies above (I'm italics) to your questions, hang tight for a while; I'm trying to locate the tool I really wanted you to use... My link is no good just now. I'll post a reply to the HijackThis log very soon.

#6 poorboy23

Posted 14 July 2004 - 07:18 PM

Thanks for going thru all those comments/questions. I appreciate it!


the link for 'Win98fix


From what I can tell the version of FnF for win 98 has been pulled.

. Just got a free win security update from MS and can run after the hijack code is removed permanently.  Windows Updates is ALWAYS free; but are you by any chance talking about IE6??  If not I would encourage you to get it; even if you use Mozilla/Firefox as your main browser.


No, was not referring to IE 6. The CD is a compilation of all Win security updates so I don't have to spend all night downloading them on my snail-like Internet connection. I am leery of IE 6 since I did put IE 5.5 on my machine back after it came out and my machine went bonkers-slow, loss of memory leakage, tons of crashes and system errors- and did not run right until I removed it (which essentially meant reformatting my hard drive and that sucks!) Did I mention that this is an older machine? (PII 400 with a maxed out 384mb ram & 8.4 HD) It works well enough with what I am doing just slow but has been very stable since the last reformat 3 yrs ago until this malware).





Sure why not; keep in mind Firefox is just the browser while Mozilla suite is just that a 'suite' or the 'whole package' Email client etc,etc




Mozilla- From what I read on the mozilla.org website the plan is to phase out the suite in favor of individual stand alones once the stand alone programs are strong enough.


Good luck finding the right tool! I am ready to fix this ****** thing!!!

Edited by poorboy23, 14 July 2004 - 07:26 PM.


#7 poorboy23

Posted 14 July 2004 - 10:24 PM

I found and downloaded win98fix from:

http://tools.zerosrealm.com/w98fix.zip

However the who.bat (there is no !log!.bat with this) would not run.

It says "bad command or file name".

Perhaps this is why the tool is pulled from most links?

What else can we use to accomplish the same end?

Is the goal of this tool to find the hidden culprit file that causes the reinfection?

Edited by poorboy23, 15 July 2004 - 12:37 AM.


#8 jwbirdsong

Posted 15 July 2004 - 09:13 AM

Download: "startdreck", from here

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.

#9 poorboy23

Posted 15 July 2004 - 09:26 AM

Here's the StartDreck log:
StartDreck (build 2.1.5 public BETA) - 2004-07-15 @ 07:23:44
Platform: Windows 98 (Win 4.10.1998 )

»Registry
»Run Keys
»Current User
»Run
*PC Magazine SeeThru=C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
»RunOnce
»Default User
»Run
*PC Magazine SeeThru=C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*HPSCANMonitor=C:\WINDOWS\SYSTEM\hpsjvxd.exe
*NAV Agent=C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
»RunServicesOnce
**hial=rundll32 C:\WINDOWS\SYSTEM\CTLFKPJ.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FF8F760F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF21FF=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF376F=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFFCF27=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFB677=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
*FFFE5E5F=C:\WINDOWS\EXPLORER.EXE
*FFFED7D7=C:\WINDOWS\RUNDLL32.EXE
*FFFEAD37=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFD4053=C:\WINDOWS\SYSTEM\HPSJVXD.EXE
*FFFD420F=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
*FFFC060B=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFFC1083=C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
*FFFB54CF=C:\WINDOWS\RSRCMTR.EXE
*FFFC8D7B=C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
*FFFA5A6B=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFFA016F=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFF90A2B=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
*FFF91DE7=C:\MY DOCUMENTS\UPGRADES ADDINS UTILITIES,ETC\STARTDRECK\STARTDRECK.EXE
»Application specific


FYI: Seethru.exe is a freeware program that I have had on my machine for years. It makes the background behind desktop icons clear. It is not malware or adware or spyware.
SeeThru - version 1.0.0.0
Copyright 1998 by Ziff Davis, Inc
First appeared on PC Mag Extra web site
Aug 1, 1998
Written by Neil J. Rubenking

#10 poorboy23

Posted 15 July 2004 - 01:18 PM

Hi jwbirdsong.

Just to keep you up to date:

I located, downloaded and ran win98fix
Got 2 files
C:\WINDOWS\System\STREAMCI.DLL
C:\WINDOWS\System\CTLFKPJ.DLL
First had a create date of 1998 - deleted to recycle anyway.
2nd looks like it might be the one, created 6/23/04, the day I got this thing. I wiped that one clean.

ran CWS shredder:
"Removed from your system:
- CWS.Searchx
- 6 infected IE registry values"

ran cwsshredder again

"Your system was completely clean".

Ran hijack this.
none of the items in the list looked "bad".

Here's the log

Logfile of HijackThis v1.98.0
Scan saved at 8:24:04 AM, on 7/15/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [PC Magazine SeeThru] C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE
O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE
O4 - Global Startup: SeeThru .lnk = C:\Program Files\SeeThru\seethru.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.win...en/wucorpct.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab


That's where things stand as of now.

poorboy

Edited by poorboy23, 15 July 2004 - 03:56 PM.


#11 jwbirdsong

Posted 15 July 2004 - 07:55 PM

Well you were 1/2 right -----> C:\WINDOWS\System\STREAMCI.DLL is a valid Windows file and is used by Windows Media Player. If it is still in your recycle bin you should restore it. A reinstall of WMP may bring it back also; there is also one in Base_5.cab on your Win98SE disk.


CTLFKPJ.DLL is the baddie; it was identified in StartDreck also. Although it doesn't list the size, you found the date. Good job as far as CTLFKPJ.DLL goes; but you should consider yourself fortunate deleting a file that wasn't a baddie and still having an up and running system... OK, enough speeches.

I really, really recommend getting and using the 3 programs listed below... Together they take up an almost unnoticeable amount of system resources.

Congratulations, your log is clean.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers real-time protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at link in my signature

And also see TonyKlein's good advice in
So how did I get infected in the first place?

#12 poorboy23

Posted 15 July 2004 - 09:03 PM

jwbirdsong,

Thanks for all your input and help.

I am happy to be rid of the nasty thing.

Next steps are to make some of the proposed changes.

Was able to get the windows dll back.

I suspected that it might have something to do with win player or something like that. I hardly ever use that program but still it is good that I can if I want.

I think we can consider this topic closed.

Thanks again and take care

poorboy23
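
The 7/14 and 7/15 HijackThis logs in this thread differ only in a handful of entries, which is easy to miss by eye. The following added example (not part of the original thread and not HijackThis's own code) parses two logs, reports which entries disappeared or appeared, and lists the files the removed entries pointed at. The two log excerpts are abridged from the posts above; the function and variable names are illustrative.

```python
import re

# A HijackThis entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
# Section codes start with R, F, N or O followed by a number; the header and
# "Running processes" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO])(\d{1,2}) - (.+)$")
# Drive-letter paths ending in a file type worth checking on disk.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"=]+?\.(?:dll|exe|ocx|html?)\b', re.IGNORECASE)
SECTION_ORDER = "RFNO"  # order in which HijackThis prints its sections

# Abridged from the 7/14/04 log posted in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {1EDCEFA3-D380-11D8-B926-CCBD1CDB5E68} - C:\WINDOWS\SYSTEM\OFC.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O18 - Filter: text/html - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL
O18 - Filter: text/plain - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL
"""

# Abridged from the 7/15/04 log posted after CWShredder was run.
AFTER_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""


def parse_entries(log_text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    entries = set()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.add((m.group(1) + m.group(2), m.group(3).strip()))
    return entries


def _sort_key(entry):
    """Sort in HijackThis order (R, F, N, O), then numerically, so O2 precedes O18."""
    section, body = entry
    return (SECTION_ORDER.index(section[0]), int(section[1:]), body)


def diff_logs(before_text, after_text):
    """Compare two logs and return removed, added and unchanged entries."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(before - after, key=_sort_key),
        "added": sorted(after - before, key=_sort_key),
        "unchanged": sorted(before & after, key=_sort_key),
    }


def files_referenced(entries):
    """Return the upper-cased file paths named in the given entries, deduplicated."""
    paths = set()
    for _section, body in entries:
        paths.update(p.upper() for p in PATH_RE.findall(body))
    return sorted(paths)


if __name__ == "__main__":
    result = diff_logs(BEFORE_LOG, AFTER_LOG)
    for section, body in result["removed"]:
        print(f"removed  {section:>3}  {body}")
    for section, body in result["added"]:
        print(f"added    {section:>3}  {body}")
    print("files named by removed entries:")
    for path in files_referenced(result["removed"]):
        print("  " + path)
```

An entry vanishing from the log only shows that the registry reference is gone; the listed files still have to be checked on disk, and autorun keys that HijackThis did not show here (such as the RunServicesOnce entry in the StartDreck log) need a separate look.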



