grampaneedshelp

recurring about:blank on Windows 98

11 posts in this topic

I have been having a recurring problem with the CWS variant about blank. I have read many of the other posts on this forum and tried some of the solutions, but it always returns the next day. I have read the FAQ, run an updated version of Spybot, Ad-aware, CWShredder, but the thing always resurfaces 12-20 hours after its removal. Here is my HijackThis log.

 

I understand that you are all extremely busy; I will not post again until I hear a response. Thanx, Grampa.

Logfile of HijackThis v1.98.0

Scan saved at 8:04:57 AM, on 7/13/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\WINDOWS\DESKTOP\HIJACKTHIS2.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: (no name) - {FBF67404-D44E-11D8-B032-00016EEFECDF} - C:\WINDOWS\SYSTEM\HDAKPF.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v10/investor.cab

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O18 - Filter: text/html - {FBF67403-D44E-11D8-B032-0001E10674AB} - C:\WINDOWS\SYSTEM\HDAKPF.DLL

O18 - Filter: text/plain - {FBF67403-D44E-11D8-B032-0001E10674AB} - C:\WINDOWS\SYSTEM\HDAKPF.DLL

 

I will say that I have already tried checking and fixing the 01s, R0 and other things that everybody suggested. I have run About:Buster 1.25 in regular and in safe mode but it always returns. I believe that the bastard is hiding in a .DLL file somewhere, but as I am not very computer savvy, I really don't know how to address the problems. Despite my advanced age, please try and coach your answers as you would to a four year old (although they probably know more about computers than I do - Gramps)


Download: "StartDreck", from here:

http://members.blackbox.net/hp_links/21/ni.../startdreck.htm

 

Don't let all the German throw you - just look for the line:

<DOWNLOAD> (396.737 Bytes) md5: eeed12045428c9e7a1d4912127e2e536

and click on <DOWNLOAD>

 

Unzip to its own folder and start the program,

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/Drivers -> Running processes

Press 'Ok'

 

Press 'Save' and select the location to save the log file

(default is the same folder as the application)

 

Post the log in this thread.


Okay, thanks for getting back to me Fireflyer. I downloaded, configured as requested. The log is below. My computer can't find AcroRD32.exe and so I couldn't read the log, so I had to save it to a file on the server (this computer is part of a server) and access it from there. Any help at all would be great, keep up the good work, GRAMPS

StartDreck (build 2.1.5 public BETA) - 2004-07-15 @ 17:07:06

Platform: Windows 98 SE (Win 4.10.2222 A)

 

»Registry

»Run Keys

»Current User

»Run

»RunOnce

»Default User

»Run

»RunOnce

»Local Machine

»Run

*Norton Auto-Protect=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

*ScanRegistry=c:\windows\scanregw.exe /autorun

*SystemTray=SysTray.Exe

*POINTER=point32.exe

*Norton eMail Protect=C:\Program Files\Norton AntiVirus\POPROXY.EXE

*CriticalUpdate=c:\windows\SYSTEM\wucrtupd.exe -startup

*TaskMonitor=c:\windows\taskmon.exe

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*TCASUTIEXE=TCAUDIAG -off

*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

*Installed=1

*NoChange=1

*Installed=1

*Installed=1

»RunOnce

»RunServices

*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE

*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*SchedulingAgent=mstask.exe

»RunServicesOnce

**mw=rundll32 C:\WINDOWS\SYSTEM\WINO.DLL,StreamingDeviceSetup

»RunOnceEx

»RunServicesOnceEx

»Files

»System/Drivers

»Running Processes

*FFF0DE27=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFF1913=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFF110B=C:\WINDOWS\SYSTEM\SPOOL32.EXE

*FFFF799F=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFFF55B=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFFD767=C:\WINDOWS\SYSTEM\MDM.EXE

*FFFE6377=C:\WINDOWS\SYSTEM\MSTASK.EXE

*FFFEE54B=C:\WINDOWS\RUNDLL32.EXE

*FFFE299B=C:\WINDOWS\EXPLORER.EXE

*FFFC3D1F=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

*FFFC90A7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFC9DAB=C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

*FFFCB7BF=C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE

*FFFA8383=C:\WINDOWS\TASKMON.EXE

*FFFB4B1B=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

*FFFA2D73=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE

*FFFB79B7=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE

*FFF9FFD3=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE

*FFFD5653=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

*FFF8AA87=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE

»Application specific


OK, Gramps, very good - you've identified the hidden dll as WINO.DLL so let's take it out.

We're done with the log you saved so you can dump it.

 

Download: "Win98Fix.zip" from here:

http://freeatlast100.100free.com/

 

Unzip to its own folder.

 

Open Folder and double click on RunFix.reg file.

Hit 'Yes' to merge it into your registry.

Restart your computer.

 

The bad file should now be visible so you can delete it.

Browse to C:\WINDOWS\SYSTEM\WINO.DLL

Right click, select 'Properties' and remove any 'Read only' protection.

Right click again and select 'Delete'.

 

(If you cannot find the file, run the 'Who.bat' file in the folder.

The file will be found and listed.)

 

Once WINO.DLL is deleted run CWShredder again, then follow that with Ad-aware. Be sure Ad-aware is updated, and set it up for a Full Scan by following these instructions:

 

Click on the Gear icon (second from the left) to access the preferences/settings window

  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)

  • Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
      • All of your hard drives

Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose:

  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.

 

Run another HJT scan, and post it here for further review.


Okay Fireflyer, here is the new log. Thanks again for your time. If you see anything else in the running processes or anything else that you don't think needs to be there, let me know. - Gramps

 

Logfile of HijackThis v1.98.0

Scan saved at 9:18:15 AM, on 7/16/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE

C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE

C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS2.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe

O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab


The log looks all clean, Gramps. Congratulations! That's some good work for someone who claims to be less knowledgeable than a four year old!

 

The only thing left in your log is an optional fix. It's not malware, just a drain on your system resources.

 

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. This is the item to fix in HJT:

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

Otherwise, you're good to go.

 

To reduce the potential for spyware infection in the future, check out How To: Prevent this from happening again? and consider installing these free programs in addition to SpywareGuard that you've already installed:

 

SpywareBlaster will prevent spyware from being installed and consumes no system resources.

 

More info and download is available at:

SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system.

 

More info and download is available at:

IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

You might also want to consider installing a firewall program - two very good free ones are available thru the links in my Signature. I use Kerio Personal Firewall myself.


Fireflyer, thanks for getting back to me, I will take your advice about real player.

 

Only problem is that I am running a Panda scan as we speak and a couple of minutes ago it came up that I had an infected file and SpywareGuard informed me that something was trying to reset my homepage to about blank. The scan is still running, so I don't know what file yet. The MO of this bug is that it goes dormant for some time and then returns; I don't know if that has happened again or what. Please inform.

 

And if you're ever in Hawai'i my couch is yours.

 

Gramps


It always returned because of the hidden DLL that still remained through previous cleanings. If we wiped out the hidden element, then it won't be able to return.

 

But, keep me posted with what's going on, and if troubles persist, post a new HJT log. And, if file://c:\windows\TEMP\sp.html shows up in the log, run StartDreck again and post its log too.

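The log patterns this thread turned on, collected into a small triage script; this is an added example, not part of the original posts. The heuristics (an IE search setting pointing at a file:// URL under TEMP, one DLL listed under both O2 and O18, a rundll32 command under a *Once key) and the function names are assumptions drawn from the logs above, not a general signature.

```python
import re
from collections import defaultdict

# Subsets of the first HijackThis log and the StartDreck log posted in this thread.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {FBF67404-D44E-11D8-B032-00016EEFECDF} - C:\WINDOWS\SYSTEM\HDAKPF.DLL
O18 - Filter: text/html - {FBF67403-D44E-11D8-B032-0001E10674AB} - C:\WINDOWS\SYSTEM\HDAKPF.DLL
O18 - Filter: text/plain - {FBF67403-D44E-11D8-B032-0001E10674AB} - C:\WINDOWS\SYSTEM\HDAKPF.DLL
"""
STARTDRECK_LOG = r"""
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
**mw=rundll32 C:\WINDOWS\SYSTEM\WINO.DLL,StreamingDeviceSetup
»RunOnceEx
"""
HJT_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")

def triage_hijackthis(log):
    """Flag IE settings redirected to a TEMP file and DLLs listed under both O2 and O18."""
    findings, sections = [], defaultdict(set)
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        code, rest = m.groups() if m else ("", "")
        if code.startswith("R") and " = " in rest:
            value = rest.split(" = ", 1)[1].lower()
            if value.startswith("file://") and "\\temp\\" in value:
                findings.append(("ie-setting-points-to-temp-file", rest))
        elif code in ("O2", "O18"):
            # The file path is the last " - "-separated field of O2 and O18 lines.
            sections[rest.rsplit(" - ", 1)[-1].upper()].add(code)
    for path, codes in sorted(sections.items()):
        if codes == {"O2", "O18"}:
            findings.append(("same-dll-in-o2-and-o18", path))
    return findings

def once_key_rundll32(log):
    """Return (key, value name, DLL) for rundll32 commands under a *Once key."""
    hits, section = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            section = line[1:]          # StartDreck marks each key with a leading »
        elif line.startswith("*") and "=" in line and section and "Once" in section:
            name, cmd = line.lstrip("*").split("=", 1)
            parts = cmd.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in ("rundll32", "rundll32.exe"):
                hits.append((section, name, parts[1].split(",")[0].upper()))
    return hits

if __name__ == "__main__":
    print(triage_hijackthis(HJT_LOG) + once_key_rundll32(STARTDRECK_LOG))
```

On these samples the script reports the sp.html search redirect, HDAKPF.DLL (whose O2 and O18 entries are absent from the log posted after the cleanup) and the WINO.DLL entry under RunServicesOnce, while the LoadPowerProfile rundll32 line under RunServices is not reported.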

Fireflyer, the thing is gone. It has been two days and there is nothing. No attempts to reset my browser, nothing. The pandascan found two infected files, but it said that they had been repaired. Everything is well, thanks again for all of your help.

 

Stay vigilant.

 

If you're ever in Hawaii, grampaacid@yahoo.com


Great news, Gramps! You stay vigilant too, and give some consideration to the things I mentioned in my prevention speech above.

 

And thanks for the invite! My sister just got back from her 2nd trip to Hawaii and she had a great time. I've never made it over, but maybe someday.


Three and a half days, things are still good, followed your prevention advice and thanks again. I feel that we are done here.

 

gramps
