
Hijacked by CWS about-blank



#16
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
<_<

Back with a ???

I ran About Buster in Safe mode before running Spysweeper.
Have not restored home page in IE yet with Spysweeper.


Scanned at: 12:46:02 AM on: 9/2/04


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

Rebooted in Normal Mode and ran Hijackthis.
Before running Spysweeper.

Here is my new log:

Logfile of HijackThis v1.98.2
Scan saved at 12:51:42 AM, on 9/2/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Program Files\Internet Toolkit 4.1\Netscape\Users\ITOOL4\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D1998483-FC72-11D8-B2B3-4445D0DE29F4} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yadtel.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.165.152.9,199.170.121.15
O18 - Filter: text/html - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/plain - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL




Going to run Spysweeper now to restore my homepage


:D
  • 0



#17
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes next to only the following items, then click Fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D1998483-FC72-11D8-B2B3-4445D0DE29F4} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/html - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/plain - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL

Reboot in safe mode (by tapping F8 at startup and selecting safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\SYSTEM\DJHCGC.DLL

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0

#18
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
All items were fixed with HijackThis as instructed.

The DJHCGD.DLL was not found. Probably removed by Spysweeper.

Here is the new HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 10:20:39 AM, on 9/2/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Program Files\Internet Toolkit 4.1\Netscape\Users\ITOOL4\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yadtel.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.165.152.9,199.170.121.15
  • 0

#19
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Clear for now, I guess we'll see. Keep us updated. <_<
  • 0

#20
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
:P :D <_<

Got to dig a little deeper in the well dudes.

This is a monster that is driving me up wacky.

IT'S BACK

Logfile of HijackThis v1.98.2
Scan saved at 12:39:44 AM, on 9/3/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\NORTON UTILITIES\REGTRK.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\INTERNET TOOLKIT 4.1\NETSURF.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NCOMPARE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Program Files\Internet Toolkit 4.1\Netscape\Users\ITOOL4\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CC99DEC4-FD40-11D8-B2B3-EDB90A461DDD} - C:\WINDOWS\SYSTEM\NHC.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Norton Registry Tracker.LNK = C:\Program Files\Norton Utilities\REGTRK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.callwave.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yadtel.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.165.152.9,199.170.121.15
O18 - Filter: text/html - {CC99DEC3-FD40-11D8-B2B3-EDB985AF85A9} - C:\WINDOWS\SYSTEM\NHC.DLL
O18 - Filter: text/plain - {CC99DEC3-FD40-11D8-B2B3-EDB985AF85A9} - C:\WINDOWS\SYSTEM\NHC.DLL

:D
  • 0
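An added example, not part of the original thread: a small Python triage script for the pattern visible in the logs above, where an unnamed BHO (O2) shares its DLL with the text/html and text/plain filters (O18) and the R0/R1 pages point at about: URLs, and where the DLL name differs between the 9/2 and 9/3 logs. The function names and the pairing heuristic are assumptions made for this illustration; the sample lines are trimmed excerpts of the posted logs.

```python
import re
from collections import defaultdict

# Trimmed excerpts of the 9/2/04 and 9/3/04 HijackThis logs posted in this thread.
LOG_SEP_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {D1998483-FC72-11D8-B2B3-4445D0DE29F4} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/html - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
O18 - Filter: text/plain - {D1998482-FC72-11D8-B2B3-4445BF928C6F} - C:\WINDOWS\SYSTEM\DJHCGC.DLL
"""
LOG_SEP_3 = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {CC99DEC4-FD40-11D8-B2B3-EDB90A461DDD} - C:\WINDOWS\SYSTEM\NHC.DLL
O18 - Filter: text/html - {CC99DEC3-FD40-11D8-B2B3-EDB985AF85A9} - C:\WINDOWS\SYSTEM\NHC.DLL
O18 - Filter: text/plain - {CC99DEC3-FD40-11D8-B2B3-EDB985AF85A9} - C:\WINDOWS\SYSTEM\NHC.DLL
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
FILTER = re.compile(r"^Filter: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
REG = re.compile(r"^(?P<key>HK[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
HIJACKED_MIME = {"text/html", "text/plain"}


def analyze(log_text):
    """Return the DLLs matching the BHO + filter pattern and the about: page values."""
    bho_names = {}                # DLL path (upper-cased) -> BHO display name
    filters = defaultdict(set)    # DLL path (upper-cased) -> MIME types it filters
    about_values = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue              # header, process list or blank line
        code, body = entry["code"], entry["body"]
        if code == "O2" and (m := BHO.match(body)):
            bho_names[m["path"].upper()] = m["name"]
        elif code == "O18" and (m := FILTER.match(body)):
            filters[m["path"].upper()].add(m["mime"])
        elif code in ("R0", "R1") and (m := REG.match(body)):
            if m["data"].lower().startswith("about:"):
                about_values.append((m["key"], m["value"], m["data"]))
    # An unnamed BHO alone is not enough (Spybot's SDHELPER.DLL is unnamed too);
    # require the same DLL to be registered as both protocol filters as well.
    suspects = sorted(
        path for path, name in bho_names.items()
        if name == "(no name)" and HIJACKED_MIME <= filters.get(path, set())
    )
    return {"suspect_dlls": suspects, "about_values": about_values}


def reinfection(earlier_log, later_log):
    """Compare two logs: which suspect DLLs disappeared and which new ones appeared."""
    old = set(analyze(earlier_log)["suspect_dlls"])
    new = set(analyze(later_log)["suspect_dlls"])
    return {"gone": sorted(old - new), "new": sorted(new - old)}


if __name__ == "__main__":
    print(analyze(LOG_SEP_2))
    print(reinfection(LOG_SEP_2, LOG_SEP_3))
```

A changed DLL name between two scans, as reported by `reinfection`, means the entries fixed in HijackThis were recreated by something the log does not show.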

#21
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
:D :D

Any more help? Still desperate!

I went through the same procedure of fixing all necessary items using Hijackthis
after my last post since I didn't get an immediate response.

Haven't had a reoccurrence yet, but it hasn't been the normal 24 hours yet <_<

Will be back if about blank reappears.

Does this type of malware have an exe. associated with it?

What creates the .dll that keeps changing?



:P :o
  • 0

#22
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Normally a hidden DLL is responsible for the reinfection. Let's try this again.

Download from given links:
-StartDreck
-Win98.fix

First do this:
Go to start/run/type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it, use Edit > Copy, and post it here.

Then, Unzip and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!
  • 0

#23
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Before I go through this procedure again, a little clarification is needed.

The Information in Microsoft System Information (MSINFO32) has not changed.

Hooked Type: Window Procedure
Hooked By: Logbba.dll
Application: RUNDLL32.EXE
DLL Path: C:\Windows\System\Logbba.dll
Application Path: C:\Windows\RUNDLL32.EXE

I still have StartDreck in my computer, but I need some instructions on
downloading, storing, and using Win98 Fix.

Waiting your response
  • 0

#24
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts

I need some instructions on
downloading, storing, and using Win98 Fix.

Skip for now. That'll be needed in the next step (if an infection is confirmed).
  • 0

#25
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Feeling better! Haven't seen the rascal in two days.
When I ran my last fix with Hijackthis, I went to my Norton's recycle bin
and deleted all that was placed there by Hijackthis. Also deleted all from
the deleted protected files in the recycle bin. I then deleted all backup
logs generated by Hijackthis. I may be wrong but I think it was finding
the information it needed from deleted files.

However, here is the information you requested. I see nothing unusual here.

Hooked Type: Window Procedure
Hooked By: Logbba.dll
Application: RUNDLL32.EXE
DLL Path: C:\Windows\System\Logbba.dll
Application Path: C:\Windows\RUNDLL32.EXE





StartDreck (build 2.1.7 public stable) - 2004-09-04 @ 13:21:12 (GMT -04:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2800.1106
Logged in as rlcollins at COMPUTER

»Registry
»Run Keys
»Current User
»Run
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
»RunOnce
»Default User
»Run
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
»RunOnce
»Local Machine
»Run
*DXM6Patch_981116=C:\WINDOWS\p_981116.exe /Q:A
*SystemTray=SysTray.Exe
*MULTIMEDIA KEYBOARD=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
*NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*NPROTECT=C:\Program Files\Norton Utilities\NPROTECT.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
»Files
»System/Drivers
»Running Processes
+FF0F45D7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFB227=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF84B7=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF9B83=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFE857=C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
+FFFE12A3=C:\WINDOWS\EXPLORER.EXE
+FFFD035B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD3F0F=C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
+FFFDB94F=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
+FFFDCA2F=C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
+FFFC1457=C:\PROGRAM FILES\INTERNET TOOLKIT 4.1\NETSURF.EXE
+FFFB1533=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFB7BCB=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFA351F=C:\WINDOWS\DESKTOP\STARTDRECK.EXE
»Application specific
  • 0



#26
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Log is clear, but this DLL isn't legitimate: C:\Windows\System\Logbba.dll

Delete it (may need to be in safe mode).
  • 0

#27
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Did as instructed: deleted Logbba.dll in safe mode.

I looked in Microsoft Information System (Msinfo32) and under
"Software Environment": EXPANDED
"System Hooked": EXPANDED

"Current System Information"
"There are no items to display in this category"

Is this Ok?

No Hooked type listed?
No Hooked by listed?
No application listed?
No DLL Path?
No application path?

Since I don't know too much about computers, I just need to know
if there is anything that needs to be done after deleting the dll?
  • 0

#28
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
In addition to the questions in my last post.

I had forgotten that I had exported a suspicious registry entry to my desktop.
Would you look and see if this is something I should restore to registry or delete?

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]
"NavigationFailure"="res://shdoclc.dll/navcancl.htm"
"DesktopItemNavigationFailure"="res://shdoclc.dll/navcancl.htm"
"NavigationCanceled"="res://shdoclc.dll/navcancl.htm"
"OfflineInformation"="res://shdoclc.dll/offcancl.htm"
"blank"="res://mshtml.dll/blank.htm"
"PostNotCached"="res://mshtml.dll/repost.htm"
"mozilla"="res://mshtml.dll/about.moz"
"Home"=dword:0000010e

I also have two registry items that I deleted in my Norton's protected recycle bin.
They are entitled "Zoneon" & "Zoneoff". How can I open them in notepad to send
them to you for inspection, before completely deleting or restoring them?

Still no occurrence of about:blank. I think we beat its A double s <_<
  • 0

#29
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]
"NavigationFailure"="res://shdoclc.dll/navcancl.htm"
"DesktopItemNavigationFailure"="res://shdoclc.dll/navcancl.htm"
"NavigationCanceled"="res://shdoclc.dll/navcancl.htm"
"OfflineInformation"="res://shdoclc.dll/offcancl.htm"
"blank"="res://mshtml.dll/blank.htm"
"PostNotCached"="res://mshtml.dll/repost.htm"
"mozilla"="res://mshtml.dll/about.moz"
"Home"=dword:0000010e

That's safe to delete.

"Zoneon" & "Zoneoff"

I'm not sure what they are for, better keep them for a little while--just to be safe. <_<
  • 0

#30
MadHijacked

MadHijacked

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Thanks very much <_<

Is there any way I can view the Zoneon & Zoneoff registry items that are currently in
Norton's recycle bin, without restoring them?

Also to follow up on a question that I asked earlier.

Is it normal for there to be nothing under the Expanded System Hooks in Microsoft Information System? Will this cause any problems? I also noticed that my system's information is no longer there,
processor, memory, etc.

Thanks
  • 0





