
Hijacked by CWS about-blank



#1
MadHijacked
I am desperate! I have my browser IE hijacked by CWS about-blank.
I have downloaded CWShredder, Spybot, Ad-Aware, Hijackthis, and have purchased Spysweeper, to rid my computer of "about-blank" with no results.

All the above detect CWS Adware, and go through the process of deleting and restoring my home page, only to have CWS rewrite itself and reappear after about 24 hours.

Please help with manually deleting CWS about-blank.
I understand that there is a hidden dll file that has to be deleted to rid the computer of
this adware.

Below is my last saved log of Hijackthis.

Logfile of HijackThis v1.98.2
Scan saved at 3:46:53 PM, on 8/27/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\INTERNET TOOLKIT 4.1\NETSURF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Program Files\Internet Toolkit 4.1\Netscape\Users\ITOOL4\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B29BCF24-F78B-11D8-B2B3-CC7DF6814E55} - C:\WINDOWS\SYSTEM\PPGNID.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yadtel.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.165.152.9,199.170.121.15
O18 - Filter: text/html - {B29BCF23-F78B-11D8-B2B3-CC7D7968D621} - C:\WINDOWS\SYSTEM\PPGNID.DLL
O18 - Filter: text/plain - {B29BCF23-F78B-11D8-B2B3-CC7D7968D621} - C:\WINDOWS\SYSTEM\PPGNID.DLL

I have used the fix function on Hijackthis to remove the Temp\sp.html files,
HKCU=about-blank, HKLM=about-blank, all references to the PPGNID.DLL.

This seems to work fine for a short time then it reappears with a different
C:\WINDOWS\SYSTEM\"??????.DLL"

Please Help.

Ron
  • 0



#2
Smokey
Welcome to GTG MadHijacked <_<

This is currently the toughest infection to remove, but stick in there, we'll help you through it.

STEP 1
Please download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results into this message for further review.
  • 0

#3
MadHijacked
I have downloaded FINDnFIX.exe. Now how do I run the LOG.bat file?
I am no computer expert so I will need lots of TLC. I clicked on the Log Bat icon but
it did nothing.

Not even sure if I am replying correctly to this forum.

MadHijacked
  • 0

#4
MadHijacked
Please Reply!

Can't seem to get the FINDnFIX.exe to generate Log.
After looking it states for Windows XP/2k only.
Will this work on my OS Windows 98?

I have fought this CW about blank for about a month, and would like to get
back to doing other things with my computer.

Also my posted Hijackthis log did not include everything in my startup; some items I
have disabled through MSCONFIG.

Please Respond.
  • 0

#5
admin
Download from given links:
-StartDreck
-Win98.fix

First do this:
Go to start/run/type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it, use Edit > Copy, and post it here.

Then, Unzip and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!
  • 0

#6
MadHijacked
Thanks for your response.

Window Procedure Logbba.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Logbba.dll C:\WINDOWS\RUNDLL32.EXE


StartDreck (build 2.1.7 public stable) - 2004-08-30 @ 14:24:18 (GMT -04:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2800.1106
Logged in as rlcollins at COMPUTER

Registry
Run Keys
Current User
Run
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
RunOnce
Default User
Run
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
RunOnce
Local Machine
Run
*DXM6Patch_981116=C:\WINDOWS\p_981116.exe /Q:A
*SystemTray=SysTray.Exe
*MULTIMEDIA KEYBOARD=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
*NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
RunOnce
RunServices
*NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
RunServicesOnce
RunOnceEx
RunServicesOnceEx
Browser Helper Objects (LM)
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
*{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
`InprocServer32=
*{DDB8DF05-FA14-11D8-B2B3-F7EA4E0A329A}
`InprocServer32=
Files
System/Drivers
Running Processes
+FF0F44BF=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFB34F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF85DF=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF98A3=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFE84B=C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
+FFFE08BF=C:\WINDOWS\EXPLORER.EXE
+FFFDB5DF=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD9A3F=C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
+FFFC153F=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
+FFFC3633=C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
+FFFCB1BF=C:\PROGRAM FILES\INTERNET TOOLKIT 4.1\NETSURF.EXE
+FFF9C85B=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FF07D3F7=C:\PROGRAM FILES\OPERA\OPERA.EXE
+FF06F6D3=C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
+FFF9F2A7=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FF06E763=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF81E87=C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
+FF0455D7=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
+FF033A4B=C:\PROGRAM FILES\NETZIP CLASSIC\NETZIP.EXE
+FF03BC87=C:\WINDOWS\DESKTOP\STARTDRECK.EXE
Application specific

Waiting for your response.
  • 0

#7
MadHijacked
Hello,

Need a reply. Trying to make some headway toward this problem.

<_< :D
  • 0

#8
admin
Don't see the DLL log the log I was looking for. Try AboutBuster: download About:Buster and unzip it to your desktop. Start it, hit Update, when finished click OK, Start, and OK again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

Download About:Buster here: http://www.geekstogo...=download&id=25
  • 0

#9
MadHijacked
<_<

OK, did as instructed but don't understand the log from Buster.
It scanned once, and asked for a 2nd scan. I clicked OK.
It ran a 2nd scan, then I saved the log.

Here it is: :D

Scanned at: 5:00:48 PM on: 9/1/04


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 5:32:09 PM on: 9/1/04


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!






Here is the Hijackthis Log:

Logfile of HijackThis v1.98.2
Scan saved at 5:41:07 PM, on 9/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = DISABLED:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = DISABLED:C:\WINDOWS\SYSTEM\blank.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Program Files\Internet Toolkit 4.1\Netscape\Users\ITOOL4\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {DDB8DF05-FA14-11D8-B2B3-F7EA4E0A329A} - (no file)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {74799704-FBA9-11D8-B2B3-9BCF8DD7AEDB} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yadtel.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.165.152.9,199.170.121.15
  • 0

#10
Hemal
This is just a small fix to get rid of some of the more well known spyware and other bad files. Please get another log and we can dig deeper to find the other problems.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = DISABLED:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = DISABLED:C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {DDB8DF05-FA14-11D8-B2B3-F7EA4E0A329A} - (no file)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {74799704-FBA9-11D8-B2B3-9BCF8DD7AEDB} - (no file)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0



#11
MadHijacked
Just a little information to let you know about the disabled items in my last Hijackthis log.

I disabled some items by using "StartDreck". This was why some items showed disabled in my last log.
However I used the Fix on Hijackthis for the items you indicated.

My system browsers (including IE) seem to be running fine. It has been over 24
hours since my Spysweeper has detected CWS about:blank. However I have had my hopes up before.

The major problems I have with my system at present are:

Can't install McAfee Antivirus.

With Call Wave I get a page fault error message in Kernel32.Dll.

A journal.dll error message with my printer.

My troubleshooter for windows is missing.

I feel most, if not all, these problems are a result of CWS.

Here is my new Hijackthis log.
<_< And thanks to all for your help. Sure hope we can get there.

Logfile of HijackThis v1.98.2
Scan saved at 9:57:44 PM, on 9/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Program Files\Internet Toolkit 4.1\Netscape\Users\ITOOL4\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yadtel.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.165.152.9,199.170.121.15
  • 0

#12
Smokey
Congratulations! Your system is CLEAN <_<

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
Link to SpywareBlaster: http://www.geekstogo...tion=show&id=12

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.

I strongly recommend you install an Anti-Virus and keep it up-to-date. AVG offers a great free anti-virus:
http://free.grisoft....us/doc/2/tpl/v5

You also need a firewall. Both Zone Labs and Sygate offer great, free firewalls. I suggest using Zone Alarm for advanced users and Sygate Personal Firewall for beginner users.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

After doing all these, your system will be thoroughly protected from future threats. :D
  • 0

#13
admin

Can't install McAfee Antivirus.

With Call Wave I get a page fault error message in Kernel32.Dll..

A journal.dll error message with my printer.

My troubleshooter for windows is missing.

Have you tried Start -> Run, type SFC /SCANNOW
  • 0

#14
MadHijacked
<_<

No, I have not yet. I am having enough trouble at present trying to get rid of about:blank.

IT IS BACK- Not shouting-Just frustrated

Another Log:
Before deleting with Spysweeper:

Logfile of HijackThis v1.98.2
Scan saved at 12:00:53 AM, on 9/2/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\INTERNET TOOLKIT 4.1\NETSURF.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Program Files\Internet Toolkit 4.1\Netscape\Users\ITOOL4\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D1998483-FC72-11D8-B2B3-4445D0DE29F4} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yadtel.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.165.152.9,199.170.121.15
O18 - Filter: text/html - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/plain - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL

:D
  • 0
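
A heuristic built only from the logs posted in this thread, as an added example that is not part of any post and not HijackThis's own logic: it parses R, O2 and O18 lines and flags a DLL registered both as an unnamed BHO and as the text/html and text/plain filter, the pairing that PPGNID.DLL and later DJHCGC.DLL show. The function names `analyze` and `reinfection` and the rule itself are assumptions of this example.

```python
import re

# Excerpts copied from the HijackThis logs posted in this thread.
LOG_AUG27 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B29BCF24-F78B-11D8-B2B3-CC7DF6814E55} - C:\WINDOWS\SYSTEM\PPGNID.DLL
O18 - Filter: text/html - {B29BCF23-F78B-11D8-B2B3-CC7D7968D621} - C:\WINDOWS\SYSTEM\PPGNID.DLL
O18 - Filter: text/plain - {B29BCF23-F78B-11D8-B2B3-CC7D7968D621} - C:\WINDOWS\SYSTEM\PPGNID.DLL
"""
LOG_SEP01 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O15 - Trusted Zone: http://www.msn.com
"""
LOG_SEP02 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {D1998483-FC72-11D8-B2B3-4445D0DE29F4} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/html - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/plain - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<path>.+)$")
O18_LINE = re.compile(rf"^O18 - Filter: (?P<mime>\S+) - (?P<clsid>{CLSID}) - (?P<path>.+)$")


def analyze(log_text):
    """Collect IE page redirects and DLLs that are both unnamed BHO and MIME filter."""
    redirects, bho_paths, filters = [], set(), {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            value = m["value"].lower()
            # about:blank alone can be the user's own setting, so R entries are
            # recorded as context; the verdict rests on the DLL correlation below.
            if value.startswith(("about:", "file://")):
                redirects.append((m["key"], m["value"]))
        elif m := O2_LINE.match(line):
            # Unnamed BHOs that still point at a file on disk.
            if m["name"] == "(no name)" and m["path"] != "(no file)":
                bho_paths.add(m["path"].upper())
        elif m := O18_LINE.match(line):
            filters.setdefault(m["path"].upper(), set()).add(m["mime"])
    suspects = {
        path for path, mimes in filters.items()
        if path in bho_paths and {"text/html", "text/plain"} <= mimes
    }
    return {"redirects": redirects, "suspect_dlls": suspects}


def reinfection(before, after):
    """Suspect DLLs in the later scan that the earlier scan did not list."""
    return analyze(after)["suspect_dlls"] - analyze(before)["suspect_dlls"]


if __name__ == "__main__":
    for label, log in (("8/27", LOG_AUG27), ("9/1", LOG_SEP01), ("9/2", LOG_SEP02)):
        result = analyze(log)
        print(label, sorted(result["suspect_dlls"]), len(result["redirects"]), "redirects")
    print("new since 8/27:", sorted(reinfection(LOG_AUG27, LOG_SEP02)))
```

Spybot's SDHELPER.DLL is also an unnamed BHO but registers no O18 filter, so the correlation leaves it alone.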

#15
admin
Back with a vengeance! <_<

Try running AboutBuster in safe mode. Make sure you update it, and run it twice. Post a fresh log when finished.
  • 0





