
Another variant of about:blank

Discussion in 'Malware and Virus Removal Archive' started by johnsdp, 2004/09/29.

Thread Status:
Not open for further replies.
  1. 2004/09/29
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    Expert, I have an old machine I use for e-mail and web surfing. It has Win98 SE for an OS. I try to only go to known good sites but obviously clicked wrong recently. My ISP pre-scans all e-mail before allowing me to retrieve it, so I do not run virus-scanning software.
    I had the "about:blank" hijack and thought I had it fixed with utilities I downloaded and ran. They were HJT, About:Buster, Ad-Aware and Spybot Search & Destroy. They were all updated on Tuesday before running.
    Today I went to check my e-mail and for a quick check I right-clicked the icon for IE, and the properties showed (much to my dismay) the home page as about:blank again.
    I reran all the mentioned utilities, checked all the R0, R1 and the only BHO entries and had HJT fix them. I then reset my HKEY registry IE start page to www.yahoo.com. An interesting twist: this time it was set to Google.com; last time it said about:blank.
    Anyway, I just downloaded the utilities you mentioned to Johanna and am posting the results below. So far it looks like yahoo.com is going to stick, but I thought that 2 days ago also.
    PLEASE take a look at them and let me know what you think.
    I'm not sure if the EnumStream.cmd worked, as it asked what to open it with. I selected Notepad after unchecking the "always use" box.
    Thanks in advance, this is driving me nuts!



    Logfile of HijackThis v1.98.2
    Scan saved at 10:04:40 PM, on 9/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O18 - Filter: text/html - {43EE42C2-1134-11D9-9B4E-44450AE8FAC0} - C:\WINDOWS\SYSTEM\KDDLDAA.DLL
    O18 - Filter: text/plain - {43EE42C2-1134-11D9-9B4E-44450AE8FAC0} - C:\WINDOWS\SYSTEM\KDDLDAA.DLL



    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    + LoadPowerProfile Power Profile Helper DLL Microsoft Corporation c:\windows\system\powrprof.dll
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + LoadPowerProfile Power Profile Helper DLL Microsoft Corporation c:\windows\system\powrprof.dll
    + ScanRegistry Registry Checker Microsoft Corporation c:\windows\scanregw.exe
    + SystemTray System Tray Applet Microsoft Corporation c:\windows\system\systray.exe
    + TaskMonitor Task Monitor Microsoft Corporation c:\windows\taskmon.exe


    @echo off
    REM EnumStreams.cmd (as posted): scans an NTFS system drive for alternate
    REM data streams and lists third-party autoruns. It relies on cmd.exe
    REM features (%CD%, %SystemDrive%, 2>&1, &&) that Win9x command.com lacks,
    REM and on helper tools in the apps\ folder.

    apps\msgbox "Ready to scan the drive..." "Hard drive scan" 2 2
    if errorlevel 2 exit

    echo.
    echo @@@@@@@@@@@@@@@..........please wait............@@@@@@@@@@@@@@@@@
    echo.
    if not exist Logs mkdir Logs

    REM Clear the logs from any previous run
    if exist Logs\alert.txt del Logs\alert.txt
    if exist Logs\autoruns.txt del Logs\autoruns.txt
    if exist Logs\report.txt del Logs\report.txt
    if exist Logs\list.txt del Logs\list.txt
    if exist Logs\1.txt del Logs\1.txt
    if exist Logs\ads.txt del Logs\ads.txt
    if exist Logs\all.txt del Logs\all.txt

    echo ........Scanning local drive......

    REM Section 1: environment (Windows version, time, file system, groups)
    echo ________________________Start__________________________ >Logs\List.txt
    echo Scanning local drive...... >>Logs\List.txt
    echo. >>Logs\List.txt
    apps\wver2 >>Logs\List.txt
    echo ................................................... >>Logs\List.txt
    echo %CD% >>Logs\List.txt
    if "%CD%" == "%SystemDrive%\EnumStreams" (echo Running From %SystemDrive%\EnumStreams & echo.) >>Logs\List.txt
    echo ..................... >>Logs\List.txt

    apps\tm >>Logs\List.txt
    echo ................................................... >>Logs\List.txt
    CHKNTFS %SystemDrive% >Logs\1.txt

    apps\strings -a -n 20 -q Logs\1.txt >>Logs\List.txt

    echo ................................................... >>Logs\List.txt
    REM NTFS check: compact only succeeds on NTFS; on FAT the stream scan is
    REM disabled by renaming streams.exe out of the way
    compact /c /f apps\danger.gif >Logs\alert.txt
    if not errorlevel 1 echo ### *The current drive supports NTFS compression and Alternate Data Streams ###>>Logs\List.txt
    if errorlevel 1 echo ######## *The current drive is NOT NTFS! Stream scan will be disabled!########>>Logs\List.txt && ren Apps\streams.exe streams1.exe

    echo ................................................... >>Logs\List.txt
    apps\Showgrps >>Logs\list.txt

    echo ................................................... >>Logs\List.txt

    echo ...Checking for shell.dll... >>Logs\List.txt
    echo. >>Logs\List.txt
    attrib %WinDir%\shell.dll /s >>Logs\List.txt 2>&1
    dir /a /s /b %WinDir%\shell.dll >>Logs\List.txt 2>&1
    echo ...in system32... >>Logs\List.txt 2>&1
    attrib %WinDir%\System32\shell.dll >>Logs\List.txt 2>&1
    echo ................................................... >>Logs\List.txt

    REM Section 2: alternate data streams on the system drive (streams.exe)
    if exist apps\streams.exe apps\streams -s %SystemDrive%\ >Logs\all.txt
    echo. >Logs\ads.txt
    echo ................................................... >>Logs\ads.txt
    echo.
    apps\strings -a -n 1 -q Logs\all.txt >>Logs\ads.txt
    echo ................................................... >>Logs\ads.txt

    REM Section 3: running services and non-Microsoft autoruns
    net start >Logs\autoruns.txt
    echo. >>Logs\autoruns.txt
    echo ................................................... >>Logs\autoruns.txt

    apps\lssvc -yv >>Logs\autoruns.txt
    echo ................................................... >>Logs\autoruns.txt

    echo *List of third-party startups Not-MS signed:: >>Logs\autoruns.txt
    echo (Browser add-ons, special NT reg keys and services) >>Logs\autoruns.txt
    echo. >>Logs\autoruns.txt

    apps\autorunsc -d -e -m -s -w >>Logs\autoruns.txt
    cls

    echo. >>Logs\autoruns.txt
    echo ............................................................ >>Logs\autoruns.txt
    echo ... http://www10.brinkster.com/expl0iter/freeatlast/FNF/ ... >>Logs\autoruns.txt
    echo ... (*Updated 9/3) ... >>Logs\autoruns.txt
    echo ............................................................ >>Logs\autoruns.txt
    echo ________________________End_________________________________ >>Logs\autoruns.txt

    REM Join the three sections into report.txt, remove the pieces, open it
    copy Logs\List.txt + Logs\ads.txt + Logs\autoruns.txt = Logs\report.txt
    del Logs\all.txt
    del Logs\1.txt
    del Logs\ads.txt
    del Logs\list.txt
    del Logs\Autoruns.txt
    del Logs\alert.txt
    start Logs\report.txt
    exit
     
  2. 2004/09/29
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello
    That tool is for NTFS file systems; it is not appropriate in your case and there is no need for it, so please delete the EnumStreams folder.
    Nor will About:Buster do anything for you, I'm afraid.
    Just to be sure:
    SpyBot 1.3?
    Ad-Aware SE build 5?

    Let's back up a bit and slow down; take it one step at a time.

    If you have disabled anything with a startup tool or msconfig, re-enable it please. I don't mean restore things that have been fixed with SpyBot or Ad-Aware.

    Go surf the internet, let the search or home page be changed, then make and post a new HijackThis log.

    I or one of the other forum members will be glad to help.
     


  4. 2004/09/30
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    Thanks Lonny, I will remove the EnumStreams folder, run IE a while and see what happens. I did not disable any startup apps, but I keep this machine pretty clean, as with Win98 and a 400 MHz Pentium it does very well with a 56K modem.
    Also, after posting last night I went to Panda Software's free online virus scan and ran that. It did find 4 infected files with a "troj/*" virus. The definitions page said it was the about:blank redirect trouble. 1 file was a .DLL; 1 other was an HKEY entry in the registry. The last 2 were in a HJT log file. It said it had disinfected the first 2. We'll see...
    Thanks again for the quick response, you should go to sleep earlier!
    Dan
     
  5. 2004/09/30
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
  6. 2004/09/30
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    WARNING: Don't follow Charlesvar's link

    Charlesvar, the link you provide takes me to a forum like this one. The problem is that the link provided in the posting on how to fix the about:blank problem takes you to the "cool search" browser hijack.
    Luckily I'm checking Windows BBS from my work machine, which is very well protected (government owned), and it was not infected.
    Nice try!
    Note the URL is rem'd so that it is deactivated; I cut and pasted it into the browser's "Open" bar.
    Dan
     
  7. 2004/09/30
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Dan,

    As you write, that link is deactivated - anyone cutting and pasting is doing so after being warned. I did not send you for that. I sent you there because there are links and references for removal and because there are so many variations of this hijack, the more references the better.

    Regards - Charles
     
  8. 2004/09/30
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    No disrespect intended

    Charlesvar, I just wanted to warn anyone as curious as me against cutting and pasting. Looks like many people have a version of this. I have not been home to check my machine in question, but after reading posts from this and other sites I will not be surprised if it's back.
    I appreciate the fact that sites with volunteers such as yourself exist.
    Thanks, Dan
     
  9. 2004/09/30
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    It's Back!

    Ok I surfed around a bit then closed IE and reopened IE and it took me to About:blank search page.
    I had Spybot 1.2 but just installed 1.3 and ran the full scan. It found 3 cookies "Alexra ".
    The Ad-Aware version is 6.181 and updated the search database.
    I ran HJT with nothing running except HJT and below is the report from it.
    I'm not going to check the R1, R0 and O2 (BHO) boxes and select fix (although it kills me to leave that about:blank in there).
    Thanks guys, I am confident you will help me fix this.
    Dan

    Logfile of HijackThis v1.98.2
    Scan saved at 9:26:38 PM, on 9/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {0A2E66A2-131E-11D9-9B4E-44451DAC4A2B} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Filter: text/html - {952DFBC4-1315-11D9-9B4E-44451CF3D75D} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
    O18 - Filter: text/plain - {952DFBC4-1315-11D9-9B4E-44451CF3D75D} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
     
  10. 2004/09/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Make a new text document, copy the bolded text below into it, then save and exit; name it anything for now.

    regedit /e /a run-S-once.txt
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"

    start run-S-once.txt

    Our forum changed it slightly when we copy-paste; edit out the space in CurrentVersion.

    Right-click on it and choose Rename, and rename it to "run-S-once.bat". Include the quotes or Windows may try to name it run-S-once.bat.txt.
    Double-click that .bat and copy back here the text that should open.

    Also run this tool as described here:
    DllCompare: http://forums.subratam.org/index.php?showforum=29
    and let us see the results please.
     
  11. 2004/09/30
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    run-once did not work?

    While renaming, a box came up saying file names cannot have " " or a bunch of other marks in them. So I renamed it without the quotes and ran it; here is what it said. I'm not sure if I was to run this from the Start/Run buttons.


    C:\Antispyware>regedit /e /a run-S-once.txt

    C:\Antispyware> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Ru
    nServicesOnce "
    Bad command or file name

    C:\Antispyware>

    Here is the log from dll compare. Thanks Lonny

    * DLLCompare Log version(1.0.0.125)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM\ctlmd.dll Thu Sep 23 2004 10:47:32p A.... 57,344 56.00 K
    ________________________________________________

    628 items found: 628 files, 0 directories.
    Total of file sizes: 105,203,198 bytes 100.33 M

    --------------------End log---------------------
     
    Last edited: 2004/09/30
  12. 2004/09/30
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    run-S-once figured out

    I figured out what you meant by "edit out the space". The DOS window for the batch file still says bad file name, but a new .txt file is created in the directory where the .bat file is. It can open only in WordPad because it's too big for Notepad. Do you want me to post the whole .txt file that the .bat created? It looks like it has stuff I've read about, like:
    [HKEY_LOCAL_MACHINE\Software\CLASSES\MIME\Database\Charset\windows-1251]
    "Codepage"=dword:000004e3
    "InternetEncoding"=dword:000004e3

    [HKEY_LOCAL_MACHINE\Software\CLASSES\MIME\Database\Charset\windows-1252]
    "Codepage"=dword:000004e4
    "InternetEncoding"=dword:000004e4

    [HKEY_LOCAL_MACHINE\Software\CLASSES\MIME\Database\Charset\windows-1253]
    "Codepage"=dword:000004e5
    "InternetEncoding"=dword:000004e5

    [HKEY_LOCAL_MACHINE\Software\CLASSES\MIME\Database\Charset\windows-1255]
    "Codepage"=dword:000004e7
    "InternetEncoding"=dword:000004e7

    [HKEY_LOCAL_MACHINE\Software\CLASSES\MIME\Database\Charset\windows-1256]
    "Codepage"=dword:000004e8
    "InternetEncoding"=dword:000004e8

    This file is huge (5.97 MB) and may not be what you're after.
    Stay with me! Dan
     
    Last edited: 2004/09/30
  13. 2004/10/01
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    LOL, well I won't be using that bat file again.

    Download this Tool called Killbox (By Option^Explicit)
    http://download.broadbandmedic.com/Killbox.exe

    Close all Browsers and even open folders.


    Start Killbox and copy these paths one at a time into the program,
    then click the red [X] button to delete it.

    C:\WINDOWS\SYSTEM\ctlmd.dll
    Hit the red button,
    backspace out the previous file and path, paste in the next:
    C:\WINDOWS\SYSTEM\CKJOJ.DLL

    Exit Killbox. Run HijackThis, scan, place a check next to these then hit
    >fix checked
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {0A2E66A2-131E-11D9-9B4E-44451DAC4A2B} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
    O18 - Filter: text/html - {952DFBC4-1315-11D9-9B4E-44451CF3D75D} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
    O18 - Filter: text/plain - {952DFBC4-1315-11D9-9B4E-44451CF3D75D} - C:\WINDOWS\SYSTEM\CKJOJ.DLL


    Then restart the PC.
    Important: next, clear IE's cache via Control Panel > Internet Options,
    [Delete Files] button, and mark the popup to also delete offline content.
    Provided you have just restarted, delete the
    contents of all your temp folders, as in
    C:\windows\temp and C:\temp if there.

    Wait until back here before making the next log to post, so all your normal programs are running.
     
  14. 2004/10/01
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    Ok, I'm at work now but will follow your instructions when I get home.
    I assume when you say "wait until back here before making the next log to post, so all your normal programs are running" I should run a new HJT after all the fixes and a reboot. Do you want me to be online (back here) while I run the new log on HJT, or can I make the log and then connect to post? Remember I am on a dial-up.
    Thanks, Dan
     
  15. 2004/10/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Basically yes, you need to do a bit of surfing, and have an IE window open before/when you do another scan. Sometimes the infection won't show back up, if it's going to, until after a bit of surfing.
     
  16. 2004/10/01
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    As instructed

    OK, I ran Killbox in the default configuration (standard file kill).
    The first file, C:\WINDOWS\SYSTEM\ctlmd.dll: it said "this file does not seem to exist". The second file was deleted.
    When I ran HJT the files in your instructions were not there or had different endings. Like where your example ends in (WINDOWS\TEMP\sp.html), mine was (about navigation failure).
    I fixed all the R1, R0, O2 (these had a lot of about: stuff in the end), BHO and O18 entries (they looked the same as yours).
    Restarted and cleared the cache and temp folders/files, also cookies.
    I am going to run HJT while this reply window is open along with another browser window minimized.
    Here it is:

    Logfile of HijackThis v1.98.2
    Scan saved at 6:35:22 PM, on 10/1/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HJT\HIJACKTHIS.EXE

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    This is the whole thing honest,
    Dan
     
    Last edited: 2004/10/01
  17. 2004/10/01
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Post a new log after surfing half a day or so. Make it while here at the forums too, as opposed to a log made offline.
     
  18. 2004/10/01
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    OK we'll give it a day or two. FYI the last log I posted was created while online.
    Can you tell by the last log that we may have it fixed?
    Should I run regedit and look at the HKEY current user to see if the IE start page is not "about:blank" ?
    Thanks for continuing to stay with me on this Lonny!
    Dan
     
  19. 2004/10/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    No. Stay out of regedit, and don't fix with HijackThis when not suggested; we will need to see it if it returns in order to correctly clean the PC up.

    Regards
     
  20. 2004/10/03
    johnsdp

    johnsdp Well-Known Member Thread Starter

    Joined:
    2002/02/14
    Messages:
    116
    Likes Received:
    0
    Oh No! here it is again!

    Well, it took about 10 minutes and then I was directed to the dreaded search site. I minimized the about: search window and opened BBS in a new one.
    Then opened HJT and ran a check made a log and am posting below.
    I am willing to try a reformat and reinstall Win98 although I would have to save a ton of stuff on floppies (no burner).
    Lonny, just let me know if I am imposing? I feel it's become more trouble for you than you bargained for.
    Dan
    PS:I did no fixes or changes to the registry.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:05:54 PM, on 10/3/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C454C423-158A-11D9-9B4E-4445A1CE4D20} - C:\WINDOWS\SYSTEM\DEJCI.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Filter: text/html - {C454C422-158A-11D9-9B4E-4445CE82E8BB} - C:\WINDOWS\SYSTEM\DEJCI.DLL
    O18 - Filter: text/plain - {C454C422-158A-11D9-9B4E-4445CE82E8BB} - C:\WINDOWS\SYSTEM\DEJCI.DLL
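
As an added example that is not part of the original posts or of HijackThis, the Python script below applies to the 2004/09/30 and 2004/10/03 logs in this thread the three checks the helpers here are doing by eye: R0/R1 values pointing at about:blank or a file:// path, a "(no name)" BHO loading from the system directory, and an O18 MIME filter on text/html or text/plain. It also decodes the hijack CLSIDs, which are version-1 (time-based) GUIDs, to show they were minted on the day of each log. The sample lines are quoted from the two logs; the detection rules, the SYSTEM_DIR constant and the GUID decoding are this example's own assumptions, not a published signature.

```python
"""Triage a HijackThis log for the about:blank / sp.html hijack pattern.

Added example for this thread; not code from the original posts and not part
of HijackThis.  The sample lines are quoted from the logs posted on 2004/09/30
and 2004/10/03 above.  The three rules, SYSTEM_DIR and the CLSID decoding are
this example's own assumptions, not a published signature.
"""
import re
import uuid
from datetime import datetime, timedelta

# Quoted from the 2004/09/30 log (one clean R1 and one clean O2 kept as controls).
LOG_0930 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
O2 - BHO: (no name) - {0A2E66A2-131E-11D9-9B4E-44451DAC4A2B} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O18 - Filter: text/html - {952DFBC4-1315-11D9-9B4E-44451CF3D75D} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
O18 - Filter: text/plain - {952DFBC4-1315-11D9-9B4E-44451CF3D75D} - C:\WINDOWS\SYSTEM\CKJOJ.DLL
"""
# Quoted from the 2004/10/03 log, after the reinfection: new name, new CLSIDs.
LOG_1003 = r"""
O2 - BHO: (no name) - {C454C423-158A-11D9-9B4E-4445A1CE4D20} - C:\WINDOWS\SYSTEM\DEJCI.DLL
O18 - Filter: text/html - {C454C422-158A-11D9-9B4E-4445CE82E8BB} - C:\WINDOWS\SYSTEM\DEJCI.DLL
O18 - Filter: text/plain - {C454C422-158A-11D9-9B4E-4445CE82E8BB} - C:\WINDOWS\SYSTEM\DEJCI.DLL
"""

ITEM_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
O2_RE = re.compile(r"^BHO: (?P<name>.*) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
O18_RE = re.compile(r"^Filter: (?P<mime>\S+) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
SYSTEM_DIR = "C:\\WINDOWS\\SYSTEM\\"  # Win9x system directory, as in these logs (assumed)


def parse_items(text):
    """Return (section, body) pairs for every R/O item line in a HJT log."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def triage(text):
    """Return findings as (section, reason, clsid_or_None, detail) tuples."""
    findings = []
    for sec, body in parse_items(text):
        if sec in ("R0", "R1"):
            # Start/search page sent to about:blank or to a local file
            # (the dropped TEMP\sp.html) instead of a real URL.
            key, _, value = body.partition(" = ")
            v = value.strip().lower()
            if v == "about:blank" or v.startswith("file://"):
                findings.append((sec, "start/search page redirected", None, key))
        elif sec == "O2":
            # Nameless BHO loading from the system directory; a legitimate
            # one such as SDHelper.dll lives under Program Files.
            m = O2_RE.match(body)
            if m and m["name"] == "(no name)" and m["path"].upper().startswith(SYSTEM_DIR):
                findings.append((sec, "nameless BHO in system dir", m["clsid"], m["path"]))
        elif sec == "O18":
            # Stock IE registers no MIME filter for text/html or text/plain; one
            # that exists sees every page and is what re-creates the R0/R1 values.
            m = O18_RE.match(body)
            if m and m["mime"].startswith("text/"):
                findings.append((sec, "MIME filter on " + m["mime"], m["clsid"], m["path"]))
    return findings


def loaded_dlls(findings):
    """Distinct DLL paths behind the flagged O2/O18 entries."""
    return sorted({detail for _s, _r, clsid, detail in findings if clsid})


def clsid_created(clsid):
    """Creation time of a version-1 GUID (100 ns ticks since 1582-10-15), else None."""
    u = uuid.UUID(clsid.strip("{}"))
    if u.version != 1:
        return None
    return datetime(1582, 10, 15) + timedelta(microseconds=u.time // 10)


def clsid_dates(findings):
    """ISO date on which each flagged CLSID was minted (None if not v1)."""
    dates = {}
    for _sec, _reason, clsid, _detail in findings:
        if clsid:
            created = clsid_created(clsid)
            dates[clsid] = created.date().isoformat() if created else None
    return dates


if __name__ == "__main__":
    found = triage(LOG_0930) + triage(LOG_1003)
    print(*found, sep="\n")
    print("DLLs:", loaded_dlls(found))
    print("CLSIDs minted on:", clsid_dates(found))
```

Run stand-alone it lists five findings for the first log and three for the second, the two rotated DLL names, and a creation date of 2004-09-30 for the first set of CLSIDs and 2004-10-03 for the second, while Spybot's SDHelper CLSID decodes to nothing because it is not a time-based GUID. The point for cleanup is that both the file name and the CLSIDs are freshly generated on each reinstall, so a blocklist of either will not keep up; the structural checks (a text/* MIME filter, a nameless BHO, a system-directory path) are what stay constant, which is also why the helpers ask for a fresh log after surfing rather than fixing the old entries blindly.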
     
  21. 2004/10/04
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Download win98fix.zip
    http://downloads.subratam.org/Win98fix.zip
    Don't use it just yet.

    Download cwshredder.exe; again, don't use it yet.
    http://radiosplace.com/
    Direct download >
    https://ssl.perfora.net/tools.radiosplace.com/CWShredder.exe

    Close all browsers.

    Unzip Win98fix to a folder and run the FIX.BAT inside (double-click).

    Run CWShredder; click Fix, not just Scan.

    Run HijackThis and fix these items:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C454C423-158A-11D9-9B4E-4445A1CE4D20} - C:\WINDOWS\SYSTEM\DEJCI.DLL
    O18 - Filter: text/html - {C454C422-158A-11D9-9B4E-4445CE82E8BB} - C:\WINDOWS\SYSTEM\DEJCI.DLL
    O18 - Filter: text/plain - {C454C422-158A-11D9-9B4E-4445CE82E8BB} - C:\WINDOWS\SYSTEM\DEJCI.DLL
    =========================

    Restart the PC

    Important Next Clear IE's cache via control panel internet options
    [delete files] button and mark the popup to also delete offline content
    Provided you have just restarted, delete the
    contents of all your temp folders, as in.
    C:\windows\temp folder and C:\temp if there

    Install at least a free antivirus program, update it, then do a full system scan.
    Reboot again if it found anything. Do not install more than one!!
    AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
    AntiVir Personal Edition: http://www.free-av.com/
    avast! 4 Home - Free antivirus software :
    http://www.asw.cz/eng/free_virus_protectio.html


    Post a new hijackthis log
     