
Another variant of about:blank

Discussion in 'Malware and Virus Removal Archive' started by johnsdp, 2004/09/29.

Thread Status:
Not open for further replies.
  1. 2004/10/04
    johnsdp

    Thanks Lonny

    OK I'm at work but will do as instructed when I get home. I have already installed CWShredder but will check for updates before running.
    What free Anti Virus do you recommend?
    Thanks again
    You are converting me into a contributing member!
    Dan
     
  2. 2004/10/04
    Lonny Jones

    It's up to version 1.59.1, just download another copy. The update from within doesn't always work.
     


  4. 2004/10/04
    johnsdp

    latest HJT Log

    I did everything. When I ran win98fix (fix.bat) it said to reboot, but I waited till I ran CWShredder and HJT. I fixed the items you said except the last 3, which were not present (O2-BHO, O18-filter & O18-filter). Then I ran fix.bat again (to be sure), then rebooted.
    Cleared cache and temp files, installed avg virus scan and it found "ctlmd.dll" in the win\sys directory (I have removed this file about 4 times now).
    Rebooted and ran AVG again and all was clear. I have this posting window open and another browser window minimized and will now make a new HJT log and post below for your inspection.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:58:03 PM, on 10/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    The virus scan I downloaded configured itself to run at start (I saw it scan the registry) and to run in the background in the taskbar by the clock. I assume this is how you would recommend me to leave it.
    Thanks again, I hope we get this!
    Dan
     
  5. 2004/10/04
    Lonny Jones

    Ensure you check for updates. Other than that it's probably best to leave the other settings alone, there aren't many, and do a manual full scan about weekly (and an online one when things act up) because no one AV can handle everything.

    Now a firewall.
    Zone Alarm, Kerio and Sygate are popular, interested?

    If possible can you send me those files, zipped and passworded?
    If AVG got them never mind, if however there's a copy in the trashbin.
    Nothing new here, but I'd like to see it.
     
  6. 2004/10/04
    johnsdp

    Thanks for the help

    Sorry Lonny, I emptied the "vault" right away. I'm not sure I would feel secure messing around zipping a virus to e-mail. My ISP e-mail scan probably scans outgoing also and you would get a deactivated version anyway.
    What is your opinion about firewalls? There is a quote by Utah Phillips that sums up my attitude toward corporate America and antivirus companies:
    "I am fundamentally alienated from the entire institutional structure of society "
    But I may "bend" a bit to avoid this hassle again!
    Dan
     
  7. 2004/10/04
    Lonny Jones

    Zone Alarm seems best for first timers. Kerio is also easy to set up; some of our best Helpers here recommend and prefer it. I use Sygate 5.5, it requires a little tinkering, meaning unchecking server rights in applications whenever a new app is added to the list.
     
  8. 2004/10/05
    johnsdp

    So Far So Good

    Lonny thanks for the advice, I'll check out Kerio.
    Since this began I have downloaded and installed:
    Aboutbuster, CWShredder, Killbox, DLL Compare, Registrar Lite, HijackThis and Hosts.zip. I also have Spybot and Ad-Aware 6.
    I see reasons for keeping Spybot, Ad-Aware and HijackThis. Can I uninstall the rest and delete the original zipfiles of them?
    Also I have always used www.dogpile.com as my preferred search engine, but the Hosts file I downloaded (idea from another post to reduce redirects) contains dogpile and I get a "cannot find" message when I try to go there. It has the 127.0.1.0.1 in front and I know this is stopping it and it is supposed to. My question is: Has dogpile meta search been found to load malware or spyware and has that resulted in its listing in the hosts file I put in windows?
    Also I just ran a new HJT log for your inspection.
    If we have succeeded in ridding my machine I cannot thank you enough for your patience with me on this issue.
    Dan

    Logfile of HijackThis v1.98.2
    Scan saved at 11:44:06 PM, on 10/5/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  9. 2004/10/06
    Lonny Jones

    Hello

    I'm unsure of the details on dogpile, let's see what our other forum members have to say,
    but I suggest if a quality hosts file blocks you from there it's for good reason.

    Yes, delete Win98fix.zip and its files, Aboutbuster, CWShredder, Killbox,
    DLL Compare, Hosts.zip and uninstall reglite.

    Post a new log in a few days too.
     
  10. 2004/10/12
    johnsdp

    So far so good!

    Lonny, I have not had any redirects or start page hijacks since my last post 7 days ago. I will post today's HJT log below, about which I have a question.
    What are the last three entries about (the O16-DPF ones)?
    I see one is from panda software. I did do an online virus scan with them while we were working on this fix so I am going to assume they are harmless.
    Also what exactly is a BHO and are they always DLLs?
    Thank you again Lonny, you rock!
    Dan

    Logfile of HijackThis v1.98.2
    Scan saved at 8:02:19 PM, on 10/12/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\HJT\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://www.dnr.state.wi.us
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  11. 2004/10/13
    Lonny Jones

    Hi
    Your log looks great :)
    Those O16 DPF's are Downloaded Program Files, ActiveX plugins and controls. You can take a look at them, probably have at some time, > Internet Options > Settings > View Objects.
    BHO is short for Browser Helper Object; DLL, dynamic link library.
    Are they always a DLL? Yes, at least one DLL; most have other files involved too.
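A small parser for the HijackThis entry types the thread discusses (O2 BHO and O16 DPF lines), added here as an example; it is not code from the thread or from HijackThis. The line shapes it matches are inferred from the logs posted above, the sample log is constructed from entry lines in those logs, and the "non-DLL BHO" check follows Lonny's point that a BHO is always a DLL.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the entry lines are copied from the logs posted in
# this thread; the header is abbreviated.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
Running processes:
C:\\WINDOWS\\EXPLORER.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
"""

# Assumed line shapes, inferred from the posted logs (not a HijackThis spec).
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")

def parse_entries(log: str) -> Dict[str, List[str]]:
    """Group the 'Rn - ...' / 'On - ...' lines by section code, in log order."""
    groups: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            groups.setdefault(m.group(1), []).append(m.group(2))
    return groups

def bho_entries(groups: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """(name, CLSID, path) for each O2 Browser Helper Object."""
    found = [BHO_RE.match(b) for b in groups.get("O2", [])]
    return [(m.group(1), m.group(2).upper(), m.group(3)) for m in found if m]

def dpf_entries(groups: Dict[str, List[str]]) -> List[Tuple[str, Optional[str], str]]:
    """(CLSID, friendly name or None, .cab URL) for each O16 Downloaded Program File."""
    found = [DPF_RE.match(b) for b in groups.get("O16", [])]
    return [(m.group(1).upper(), m.group(2), m.group(3)) for m in found if m]

def non_dll_bhos(groups: Dict[str, List[str]]) -> List[str]:
    """BHO paths that are not .dll files. A BHO is loaded in-process from a
    DLL, so anything else in an O2 line deserves a closer look."""
    return [p for _, _, p in bho_entries(groups) if not p.lower().endswith(".dll")]

if __name__ == "__main__":
    g = parse_entries(SAMPLE_LOG)
    for clsid, name, url in dpf_entries(g):
        print(f"O16 {clsid} {name or '(no name)'} <- {url}")
    print("BHOs:", bho_entries(g), "non-DLL BHOs:", non_dll_bhos(g))
```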
     