poorboy23

How Can I Get Rid Of About:blank Hijack

12 posts in this topic

Please help. Have long been at the frustration point.

My machine has been hijacked by the "about:blank" malicious code.

I have had it on my machine for many days now.

I have used several combinations of Spybot Search & Destroy, AdAware, HijackThis, CWS Shredder, registry edits, and even run these in safe mode but the thing keeps coming back. Clearly I am missing the key file or files.

 

My home page keeps getting changed to "about:blank" which is an unidentified page with a menu of various categories such as gambling, virus removal, shopping sites etc. and with occasional popups about spyware.

 

My machine runs on Win 98 and am using IE 5.0

I am running NAV 2002 with up to date virus defs

 

Here is my latest hijack this log

 

Logfile of HijackThis v1.98.0

Scan saved at 9:40:44 AM, on 7/12/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v5.00 (5.00.2314.1000)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSJVXD.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

C:\WINDOWS\RSRCMTR.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F1 - win.ini: run=hpfsched

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: (no name) - {1EDCEFA3-D380-11D8-B926-CCBD1CDB5E68} - C:\WINDOWS\SYSTEM\OFC.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKCU\..\Run: [PC Magazine SeeThru] C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE

O4 - Global Startup: SeeThru .lnk = C:\Program Files\SeeThru\seethru.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp

O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O18 - Filter: text/html - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL

O18 - Filter: text/plain - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL

 

help to fix this is greatly appreciated

 

Thank you,


Have not heard from anyone yet in 1.5 days

Maybe my plea has been missed?

 

Hopefully by tomorrow am there will be some help available?

 

Please.

Edited by poorboy23


Downloaded "FINDnFIX.exe"

Ran the exe file and got the message

"Free Extractor error

An error prevents this program from continuing. Could not read SFX info. It's likely corrupt."

 

I then went to http://freeatlast100.100free.com/

After findnfix.exe it says "(2KXP only!)"

 

I am running Win 98 so maybe that is why the program will not run?

 

 

Questions about your suggestions (please read them not as a challenge but from a more naive point of view)

(I really want to know more)

Things you need:

1. I am already running Norton anti virus w/ up to date virus defs. Why do I need another program? Are you saying that NAV is no good?

 

2. Since this code appeared I have already decided to get a fire wall thanks for the recommendations

3. Do you think I need all 3 of IE Spyads SpywareBlaster Spyware Guard or just 1?

4. Just got a free win security update from MS and can run after the hijack code is removed permanently

 

 

Things I want:

1 I have Mozilla installed on my machine but have been unhappy with it in general since it runs much slower on my machine than IE. I love the idea of not using MS stuff but...

 

Actually I just figured out that I have the Mozilla suite and not firefox browser so maybe I should check out just the Firefox browser.

2. Pop up killers have been recommended. Why the google toolbar as opposed to any other?

 

3. Already have AdAware and Spybot installed and up to date.

 

4. Will look into MS MVP Hosts file

 

Here's the fresh HijackThis log

 

Logfile of HijackThis v1.98.0

Scan saved at 11:04:21 AM, on 7/14/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v5.00 (5.00.2314.1000)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSJVXD.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

C:\WINDOWS\RSRCMTR.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F1 - win.ini: run=hpfsched

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: (no name) - {1EDCEFA3-D380-11D8-B926-CCBD1CDB5E68} - C:\WINDOWS\SYSTEM\OFC.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKCU\..\Run: [PC Magazine SeeThru] C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE

O4 - Global Startup: SeeThru .lnk = C:\Program Files\SeeThru\seethru.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp

O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O18 - Filter: text/html - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL

O18 - Filter: text/plain - {1EDCEFA2-D380-11D8-B926-CCBD7397FBF3} - C:\WINDOWS\SYSTEM\OFC.DLL

 

Petrocqr

Edited by poorboy23

Responses are 'in-line' with your questions.

 

Downloaded "FINDnFIX.exe"

Ran the exe file and got the message

"Free Extractor error

An error prevents this program from continuing. Could not read SFX info. It's likely corrupt."

 

I then went to http://freeatlast100.100free.com/

After findnfix.exe it says "(2KXP only!)"

 

I am running Win 98 so maybe that is why the program will not run?

Of course that's why, my fault entirely. I never meant to give you the link for FnF. I thought I'd grabbed the link for 'Win98fix'; must have just been reflex to paste FnF. Sorry

 

Questions about your suggestions (please read them not as a challenge but from a more naive point of view

(I really want to know more)

Things you need:

1. I am already running Norton anti virus w/ up to date virus defs.

Good

Why do I need another program?

You don't

Are you saying that NAV is no good?

NAV is far from one of my Favorites by any means; but by and large it does an acceptable job of Virus Protection.

2. Since this code appeared I have already decided to get a fire wall thanks for the recommendations

Kerio 2.1.5 is an Excellent one, although it is a little more 'hands on' as opposed to Zone Alarm

3. Do you think I need all 3 of IE Spyads SpywareBlaster Spyware Guard or just 1?

Without a doubt all 3 (ESPECIALLY with IE5)

4. Just got a free win security update from MS and can run after the hijack code is removed permanently.

Windows Updates is ALWAYS free; but are you by any chance talking about IE6? If not I would encourage you to get it; even if you use Mozilla/Firefox as your main browser.

 

Things I want:

1 I have Mozilla installed on my machine but have been unhappy with it in general since it runs much slower on my machine than IE. I love the idea of not using MS stuff but...

 

Actually I just figured out that I have the Mozilla suite and not firefox browser so maybe I should check out just the Firefox browser.

Sure why not; keep in mind Firefox is just the browser while Mozilla suite is just that, a 'suite' or the 'whole package': Email client etc, etc

2. Pop up killers have been recommended. Why the google toolbar as opposed to any other?

Uses up virtually no system resources and is one of the most configurable Stoppers yet; plus a one click Google search.

 

3.  Already have AdAware and Spybot installed and up to date.

Good

4. Will look into MS MVP Hosts file

It's just a 'set it and forget it' kind of thing

PHEWW

 

I suppose I could have saved us both time in the beginning by saying those comments weren't directed just at you. It's my standard signature; everyone sees it with each post...

 

 

If you have already read my replies above (I'm italics) to your questions, hang tight for a while; I'm trying to locate the Tool I really wanted you to use... My link is no good just now. I'll post a reply to the HijackThis log very soon.


Thanks for going thru all those comments/questions. I appreciate it!

 

 

the link for 'Win98fix

 

From what I can tell the version of FnF for win 98 has been pulled.

 

. Just got a free win security update from MS and can run after the hijack code is removed permanently.  Windows Updates is ALWAYS free; but are you by any chance talking about IE6??  If not I would encourage you to get it; even if you use Mozilla/Firefox as your main browser.

 

No, was not referring to IE 6. The CD is a compilation of all Win security updates so I don't have to spend all night downloading them on my snail-like Internet connection. I am leery of IE 6 since I did put IE 5.5 on my machine back after it came out and my machine went bonkers (slow, loss of memory leakage, tons of crashes and system errors) and did not run right until I removed it (which essentially meant reformatting my hard drive and that sucks!) Did I mention that this is an older machine? (PII 400 with a maxed out 384mb ram & 8.4 HD) It works well enough with what I am doing, just slow, but has been very stable since the last reformat 3 yrs ago until this malware.

 

 

 

 

 

Sure why not; keep in mind Firefox is just the browser while Mozilla suite is just that a 'suite' or the 'whole package' Email client etc,etc

 

 

 

Mozilla- From what I read on the mozilla.org website the plan is to phase out the suite in favor of individual stand alones once the stand alone programs are strong enough.

 

 

Good luck finding the right tool! I am ready to fix this ****** thing!!!

Edited by poorboy23


I found and downloaded win98fix from:

 

http://tools.zerosrealm.com/w98fix.zip

 

However the who.bat (there is no !log!.bat with this) would not run

 

says "bad command or file name"

 

perhaps this is why the tool is pulled from most links?

 

what else can we use to accomplish the same end?

 

Is the goal of this tool to find the hidden culprit file that causes the reinfection?

Edited by poorboy23


Download: "startdreck", from here

 

Unzip to its own folder and start the program,

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/Drivers -> Running processes

Press 'Ok'

 

Press 'Save' and select the location to save the log file

(default is the same folder as the application)

 

Post the log in this thread.


Here's the StartDreck log:

StartDreck (build 2.1.5 public BETA) - 2004-07-15 @ 07:23:44

Platform: Windows 98 (Win 4.10.1998 )

 

»Registry

»Run Keys

»Current User

»Run

*PC Magazine SeeThru=C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

»RunOnce

»Default User

»Run

*PC Magazine SeeThru=C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

»RunOnce

»Local Machine

»Run

*SystemTray=SysTray.Exe

*HPSCANMonitor=C:\WINDOWS\SYSTEM\hpsjvxd.exe

*NAV Agent=C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE

*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE

*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE

*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

*Installed=1

*NoChange=1

*Installed=1

*Installed=1

»RunOnce

»RunServices

*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

»RunServicesOnce

**hial=rundll32 C:\WINDOWS\SYSTEM\CTLFKPJ.DLL,StreamingDeviceSetup

»RunOnceEx

»RunServicesOnceEx

»Files

»System/Drivers

»Running Processes

*FF8F760F=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFF21FF=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFF376F=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFFCF27=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFFB677=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

*FFFE5E5F=C:\WINDOWS\EXPLORER.EXE

*FFFED7D7=C:\WINDOWS\RUNDLL32.EXE

*FFFEAD37=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFD4053=C:\WINDOWS\SYSTEM\HPSJVXD.EXE

*FFFD420F=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE

*FFFC060B=C:\WINDOWS\SYSTEM\STIMON.EXE

*FFFC1083=C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

*FFFB54CF=C:\WINDOWS\RSRCMTR.EXE

*FFFC8D7B=C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE

*FFFA5A6B=C:\WINDOWS\SYSTEM\RNAAPP.EXE

*FFFA016F=C:\WINDOWS\SYSTEM\TAPISRV.EXE

*FFF90A2B=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

*FFF91DE7=C:\MY DOCUMENTS\UPGRADES ADDINS UTILITIES,ETC\STARTDRECK\STARTDRECK.EXE

»Application specific

 

 

FYI: Seethru.exe is freeware software that I have had on my machine for years. It makes the background behind desktop icons clear. It is not malware or adware or spyware.

SeeThru-version 1.0.0.0

Copyright 1998 by Ziff Davis, Inc

First appeared on PC Mag Extra web site

Aug 1,1998

Written by Neil J. Rubenking


Hi jwbirdsong.

 

Just to keep you up to date:

 

I located, downloaded and ran win98fix

Got 2 files

C:\WINDOWS\System\STREAMCI.DLL

C:\WINDOWS\System\CTLFKPJ.DLL

First had a create date of 1998 -deleted to recycle anyway

2nd looks like it might be the one, created 6/23/04, the day I got this thing –I wiped that one clean

 

ran CWS shredder:

"Removed from your system:

- CWS.Searchx

- 6 infected IE registry values"

 

ran cwsshredder again

 

"Your system was completely clean".

 

Ran hijack this.

none of the items in the list looked "bad".

 

Here's the log

 

Logfile of HijackThis v1.98.0

Scan saved at 8:24:04 AM, on 7/15/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v5.00 (5.00.2314.1000)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSJVXD.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

C:\WINDOWS\RSRCMTR.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

C:\HIJACKTHIS\HIJACKTHIS.EXE

 

F1 - win.ini: run=hpfsched

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O4 - HKCU\..\Run: [PC Magazine SeeThru] C:\PROGRAM FILES\SEETHRU\SEETHRU.EXE

O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE

O4 - Global Startup: SeeThru .lnk = C:\Program Files\SeeThru\seethru.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp

O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

 

 

That's where things stand as of now.

 

poorboy

Edited by poorboy23


Well you were 1/2 right -----> C:\WINDOWS\System\STREAMCI.DLL is a valid Windows File and is used by WindowsMediaPlayer. If it is still in your recycle bin you should restore it. A reinstall of WMP may bring it back also; there is also one in Base_5.cab on your Win98SE disk.

 

 

CTLFKPJ.DLL is the baddie; it was identified in Startdreck also. Although it doesn't list the size, you found the date. Good job as far as CTLFKPJ.DLL goes; but you should consider yourself fortunate deleting a file that wasn't a baddie and still have an up and running system... OK enough speeches.

 

I really, really recommend getting and using the 3 programs listed below... Together they take up an almost un-noticeable amount of system resources.

 

Congratulations, your log is clean.

 

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

 

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers real-time protection from spyware installation attempts.

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

 

More info and download is available at link in my signature

 

And also see TonyKlein's good advice in

So how did I get infected in the first place?

Share on other sites
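
Added example, not part of the original thread or any poster's code: a Python cross-check of the autostart entries in the StartDreck log against the O4 lines of the HijackThis log, which makes the hial entry under RunServicesOnce (the one loading CTLFKPJ.DLL) stand out because the posted HijackThis logs have no matching line. The sample text is excerpted from the logs posted above; the function names are hypothetical.

```python
import re

# Excerpts copied from the StartDreck and HijackThis logs posted in this thread.
# Function names below are hypothetical, chosen for this example.
STARTDRECK = r"""
»Local Machine
»Run
*SystemTray=SysTray.Exe
*NAV Agent=C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
»RunServicesOnce
**hial=rundll32 C:\WINDOWS\SYSTEM\CTLFKPJ.DLL,StreamingDeviceSetup
»RunOnceEx
"""

HIJACKTHIS = r"""
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE
"""

O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?,\s*(\w+)', re.I)
EXECUTABLE = re.compile(r"\.(exe|dll|com|bat|scr|pif|vbs)\b", re.I)


def parse_startdreck(text):
    """Return (key, name, command) for each '*name=value' entry. 'key' is the
    nearest preceding '»' header, since the paste has lost its indentation."""
    entries, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("»"):
            key = line[1:].strip()
        elif line.startswith("*") and "=" in line:
            name, command = line.lstrip("*").split("=", 1)
            entries.append((key, name.strip(), command.strip()))
    return entries


def parse_hijackthis_o4(text):
    """Return (key, name, command) for registry-based O4 autostart lines."""
    out = []
    for line in text.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            out.append((m.group(2), m.group(3), m.group(4)))
    return out


def only_in_startdreck(sd_text, hjt_text):
    """Autostart commands StartDreck lists that have no O4 counterpart."""
    # Compare case-insensitively: the two tools print names with different casing.
    seen = {(k.lower(), n.lower()) for k, n, _ in parse_hijackthis_o4(hjt_text)}
    missing = []
    for key, name, command in parse_startdreck(sd_text):
        if not EXECUTABLE.search(command):
            continue  # skips values such as 'Installed=1' that launch nothing
        if (key.lower(), name.lower()) not in seen:
            missing.append((key, name, command))
    return missing


def rundll32_target(command):
    """Split 'rundll32 <dll>,<export>' into (dll_path, export), else None."""
    m = RUNDLL.search(command)
    return (m.group(1).strip(), m.group(2)) if m else None


if __name__ == "__main__":
    for key, name, command in only_in_startdreck(STARTDRECK, HIJACKTHIS):
        print(f"{key}: {name} -> {command}  loads {rundll32_target(command)}")
```
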

jwbirdsong,

 

Thanks for all your input and help.

 

I am happy to be rid of the nasty thing.

 

Next steps are to make some of the proposed changes.

 

Was able to get the windows dll back.

 

I suspected that it might have something to do with win player or something like that. I hardly ever use that program but still it is good that I can if I want.

 

I think we can consider this topic closed.

 

Thanks again and take care

 

poorboy23
