mephitical

about:blank hijack, numerous popup ads


I'm as frustrated with this as I'm sure everyone else is. Any help I can get is greatly appreciated.

I have read and understand the FAQ. I have read and tried the solutions listed for what seems to be my problem

HOWEVER

I am running Windows 98 and don't seem to have the AppInit_DLLs option available in reglite.

I have run Ad-Aware, CWShredder and Spybot with no success.

Here is my HijackThis logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:55:28 PM, on 6/12/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\COMPAQ\INTERNET\ISDBDC.EXE

C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE

C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MMTRAY.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETZERO\EXEC.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\NETZERO\EXEC.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\MY DOCUMENTS\PROJEKTS\HIJACKTHIS\HIJACKTHIS.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL

O2 - BHO: (no name) - {EE662596-BCAF-11D8-A1ED-0004DBEFFD28} - C:\WINDOWS\SYSTEM\ODPE.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe

O4 - HKLM\..\RunServices: [sAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins1.TMP\DLGLI.EXE

O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home

O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search

O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish

O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish

O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8150.8727893519


Some additional notes, if they are helpful at all...

CWShredder finds and removes coolsearchx every time I run it.

Ad-Aware and Spybot keep finding coolsearch and removing it as well.

Within minutes of running all three of these apps, my about:blank start page gets hijacked by the search page and many pop-ups.


Hi, mephitical,

 

The removal of hidden .DLL files is a bit different in Win 98.

First we'll remove the file that has been reinfecting. Then you will need to update (There's one today.) Adaware, and run that as well as Spybot and CWShredder.

 

Download: "StartDreck", from here:

Here

Unzip to its own folder and start the program,

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/Drivers -> Running processes

Press 'Ok'

 

Press 'Save' and select the location to save the log file

(default is the same folder as the application)

 

Post the log in this thread.

 

I am working around thunderstorms in my area today, so if I do not reply right away, it is only because I had to disconnect temporarily. I will reply as soon as I am able.


Hi Bugbatter - Thank you so much for your assistance. This thing has been driving us nutty.

 

I have downloaded today's Ad-Aware update and I downloaded StartDreck. FYI, the link you provided is no longer valid. This message was listed on the niksoft site:

"For all these guys that link to my blackbox.net-mirror: PLEASE use the main-mirror at niksoft.at http://www.niksoft.at/download/startdreck.htm "

 

Here is the StartDreck log as requested:

 

StartDreck (build 2.1.5 public BETA) - 2004-06-15 @ 10:58:56

Platform: Windows 98 SE (Win 4.10.2222 A)

 

»Registry

»Run Keys

»Current User

»Run

*spc_w="C:\Program Files\NZSearch\hcm.exe" -w

»RunOnce

»Default User

»Run

»RunOnce

»Local Machine

»Run

*ScanRegistry=c:\windows\scanregw.exe /autorun

*TaskMonitor=c:\windows\taskmon.exe

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*SystemTray=SysTray.Exe

*CPQEASYACC=C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

*EACLEAN=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

*MotiveMonitor=C:\Program Files\Motive\MotiveAssistant\motmon.exe

*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE

*WinampAgent="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

*EM_EXEC=C:\MOUSE\SYSTEM\EM_EXEC.EXE

*MMTray=MMTray.exe

*Installed=1

*NoChange=1

*Installed=1

*Installed=1

»RunOnce

»RunServices

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*SchedulingAgent=mstask.exe

*CPQInet Runtime Service=c:\compaq\CPQInet\CpqInet.exe

*isdbdc=c:\compaq\internet\isdbdc.exe

*CPQDFWAG=C:\WINDOWS\cpqdiag\CpqDfwAg.exe

*SAgent2ExePath=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

»RunServicesOnce

**jipo=rundll32 C:\WINDOWS\SYSTEM\SQLKPFJ.DLL,StreamingDeviceSetup

»RunOnceEx

»RunServicesOnceEx

»Files

»System/Drivers

»Running Processes

*FFEFDCD1=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFFEB35=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFFE32D=C:\WINDOWS\SYSTEM\SPOOL32.EXE

*FFFF8E99=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFE04F9=C:\WINDOWS\SYSTEM\MSTASK.EXE

*FFFE3341=C:\COMPAQ\CPQINET\CPQINET.EXE

*FFFE5245=C:\COMPAQ\INTERNET\ISDBDC.EXE

*FFFEE419=C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE

*FFFEF1ED=C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

*FFE1D341=C:\WINDOWS\RUNDLL32.EXE

*FFE1E691=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFE0C235=C:\WINDOWS\SYSTEM\RPCSS.EXE

*FFE1B5A5=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

*FFE0A5C5=C:\WINDOWS\EXPLORER.EXE

*FFE3ED81=C:\WINDOWS\TASKMON.EXE

*FFE3B355=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFE27B45=C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

*FFE280E1=C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE

*FFE2A481=C:\WINDOWS\SYSTEM\STIMON.EXE

*FFE23519=C:\WINDOWS\SYSTEM\MMTRAY.EXE

*FFFE54A9=C:\WINDOWS\SYSTEM\WMIEXE.EXE

*FFE2CCB9=C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

*FFE7A399=C:\PROGRAM FILES\NETZERO\EXEC.EXE

*FFE70E21=C:\WINDOWS\SYSTEM\RNAAPP.EXE

*FFE543AD=C:\WINDOWS\SYSTEM\TAPISRV.EXE

*FFE4CE5D=C:\PROGRAM FILES\NETZERO\EXEC.EXE

*FFE61785=C:\WINDOWS\SYSTEM\DDHELP.EXE

*FFE63489=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFE3F501=C:\WINDOWS\NOTEPAD.EXE

*FFE2881D=C:\MY DOCUMENTS\PROJEKTS\STARTDRECK\STARTDRECK.EXE

»Application specific


Thank you for the info.

Here's our bad guy: **jipo=rundll32 C:\WINDOWS\SYSTEM\SQLKPFJ.DLL,StreamingDeviceSetup

Make sure your system is configured to show all files Here

 

See if you can do a search for it and delete it. If you cannot find it, please do this:

 

Download: "Win98Fix.zip" from

Here

 

Unzip to its own folder.

 

Open Folder and double click on RunFix.reg file.

Hit 'Yes' to merge it into your registry.

Restart your computer.

 

The bad file should now be visible so you can delete it.

Browse to SQLKPFJ.DLL.

Right click select 'Properties' and remove any 'Read only' protection.

Right click again and select 'Delete'.

 

(If you cannot find the file, run the 'Who.bat' file in the folder.

The file will be found and listed.)

**************************************

 

Reboot, and run scans with updated Adaware, Spybot, and CWShredder.

Reboot and post a fresh HJT log so we can be sure your computer is clean.


OK... it took a little while to run Ad-Aware and the rest, but they're all done now. My start page seems to launch correctly now (I use about:blank) without the annoying search window and pop-ups. Here is the HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:05:31 PM, on 6/15/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\COMPAQ\INTERNET\ISDBDC.EXE

C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE

C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MMTRAY.EXE

C:\PROGRAM FILES\NZSEARCH\HCM.EXE

C:\WINDOWS\TEMP\INS1.TMP\DLGLI.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\MY DOCUMENTS\PROJEKTS\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe

O4 - HKLM\..\RunServices: [sAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins1.TMP\DLGLI.EXE

O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home

O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search

O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish

O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish

O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8150.8727893519

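The before/after comparison that the fresh logs invite, as an added example that is not part of the original thread: a small Python parser that splits a HijackThis log into its running-process list and its `R`/`O` entries, then reports what changed between two scans. The inputs are short excerpts of lines taken from the first two logs above; the function names are assumptions of this example.

```python
import re

# Excerpts of the first (6/12/04) and second (6/15/04) HijackThis logs in this
# thread, shortened to a few lines each for the example.
BEFORE = r"""
Logfile of HijackThis v1.97.7
Scan saved at 10:55:28 PM, on 6/12/04

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL
O2 - BHO: (no name) - {EE662596-BCAF-11D8-A1ED-0004DBEFFD28} - C:\WINDOWS\SYSTEM\ODPE.DLL
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
"""

AFTER = r"""
Logfile of HijackThis v1.97.7
Scan saved at 12:05:31 PM, on 6/15/04

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NZSEARCH\HCM.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
"""

# A HijackThis entry line is "<section code> - <data>", e.g. "R1 - ..." or "O16 - ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Return (processes, entries) parsed from one HijackThis log.

    processes: set of upper-cased paths listed under "Running processes:".
    entries:   dict mapping a case-insensitive key to the original entry line.
    Blank lines are skipped, so double-spaced forum copies parse the same way.
    """
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first entry line ends the process list
            code, data = match.group(1), match.group(2).strip()
            entries[(code, data.casefold())] = f"{code} - {data}"
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.add(line.upper())
    return processes, entries


def diff_logs(before, after):
    """Compare two logs and list what disappeared and what appeared."""
    procs_before, entries_before = parse_hjt(before)
    procs_after, entries_after = parse_hjt(after)
    removed = entries_before.keys() - entries_after.keys()
    added = entries_after.keys() - entries_before.keys()
    return {
        "entries_removed": sorted(entries_before[k] for k in removed),
        "entries_added": sorted(entries_after[k] for k in added),
        "processes_stopped": sorted(procs_before - procs_after),
        "processes_started": sorted(procs_after - procs_before),
    }


if __name__ == "__main__":
    for label, items in diff_logs(BEFORE, AFTER).items():
        print(label)
        for item in items:
            print("   ", item)
```

An entry that shows up under `entries_removed` has only left the registry view HijackThis reads; whether the file behind it is gone still has to be checked on disk.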

Everything seems to be working fine now. But if you have the time I would really appreciate a glance over the HJT log to make sure we are really clean.

Thank you so much for all your help today!


Good work!

It's looking much better, but there are still a few things to do.

Okay, you use about:blank, so we won't include that one.

 

Run HJT in safemode and check the following items:

 

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL

O2 - BHO: (no name) - {EE662596-BCAF-11D8-A1ED-0004DBEFFD28} - C:\WINDOWS\SYSTEM\ODPE.DLL

 

 

The following three items are optional to fix because they do not need to be running at Startup, and they use resources. It's your choice, though.

If you decide to fix them, while you are in safemode, before fixing them, go to the TaskManager (alt+ctrl+del) and close them if listed there.

 

O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins1.TMP\DLGLI.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Have HJT fix the checked items. Reboot out of safemode.

 

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself). For example

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files; be sure to also select 'Delete all offline content'.

 

 

Find and delete the following:

File only (Might not be there due to fixing in HJT)

c:\windows\iehr.dll

 

 

Run another scan with HJT.

Please post a fresh HJT log.


OK, I followed all of your instructions. A couple of things were not there that you listed though:

- O2 - BHO: (no name) - {EE662596-BCAF-11D8-A1ED-0004DBEFFD28} - C:\WINDOWS\SYSTEM\ODPE.DLL - was not there

- C:\Documents and Settings\username\Local Settings\Temp\ - was not there (was not there under either of our Windows profiles folders either)

- c:\windows\iehr.dll - was not there after fixing with HJT

 

Here is the new HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:17:49 PM, on 6/15/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\COMPAQ\INTERNET\ISDBDC.EXE

C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE

C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MMTRAY.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\MY DOCUMENTS\PROJEKTS\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe

O4 - HKLM\..\RunServices: [sAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home

O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search

O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish

O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish

O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8150.8727893519


:unsure: I still have an "uneasy" feeling about this one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

I know that you said that you use about:blank, but just to make sure you won't run into new problems, please check Adaware for any updates today. Then please scan with that as well as updated Spybot, and let's see what they come up with.

Following that, please post a fresh HJT log. Thanks.


I ran the newest Ad-Aware and Spybot, both found and removed a few things. I also ran CWShredder and it found nothing. Here is the newest HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:58:58 PM, on 6/16/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\COMPAQ\INTERNET\ISDBDC.EXE

C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE

C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\MMTRAY.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\MY DOCUMENTS\PROJEKTS\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] MMTray.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe

O4 - HKLM\..\RunServices: [sAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home

O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search

O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish

O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish

O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8150.8727893519


You did a great job! It looks clean. :D

 

Just to prevent further infection, here are a few tips:

1. Visit Windows Update:

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

Windows Update: <http://v4.windowsupdate.microsoft.com/en/default.asp>

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm

c. Periodically check for updates.

4. Now that you have updated versions of Adaware and Spybot, remember to keep them updated, and scan with them at least once a week.


Yay! Thank you so much for all of your help! You were a tremendous help, and we are eternally grateful to you!

 

I have already installed the updates and changed the settings, and I'll download the programs you suggested when I get home tonight.

 

Again, thank you.


Glad we could help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
