About:blank

Discussion in 'Security and Privacy' started by gerdcurli, 2004/08/12.

Thread Status:
Not open for further replies.
  1. 2004/08/12
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Hi noahdfear: I tried your idea with the RUNME item and this is the log... hope this helps:

    Module information for 'EXPLORER.EXE'
    MODULE BASE SIZE PATH
    COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL 4.72.3510.2300 Common Dialogs DLL
    DXTMSFT.DLL 35cb0000 364544

    ...........

    edit note: unneeded log information removed to shorten and de-clutter the thread. Newt
     
  2. 2004/08/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0

  4. 2004/08/12
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Lonny, I shall scan using both HijackThis and CWS (latest versions) then post my logs. Sorry about the long delay... been off work ill!

    Many thanks,
    G
     
  5. 2004/08/17
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Ad-Aware log file

    Here is the log file I promised... hopefully someone can see sense in it,
    Kind regards,

    Reference file loaded:
    Reference Number : 01R337 11.08.2004
    Internal build : 271
    File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
    Total size : 1323662 Bytes
    Signature data size : 1302518 Bytes
    Reference data size : 21080 Bytes
    Signatures total : 28819
    Target categories : 10
    Target families : 530

    .........................

    edit note: unneeded log information removed to shorten and de-clutter the thread. Newt
     
  6. 2004/08/17
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  7. 2004/08/19
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Spybot S&d

    Does this make any sense to you Lonny? I ran a scan and this was what Spybot gave me:-

    TwainTech: Data (File, fixed)
    C:\WINDOWS\INF\TWAINTEC.INF

    CoolWWWSearch: Library (File, fixed)
    C:\WINDOWS\SYSTEM\fgjj.dll

    .......

    edit note: unneeded log information removed to shorten and de-clutter the thread. Newt
     
  8. 2004/08/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi gerdcurli :)

    Please download the latest version of HijackThis.exe (1.98.2) from here. Create a new folder named HJT (in C: or My Documents or even the Desktop) and save it to that folder. Open and click scan, then save log. Once saved it will open in notepad. From the edit menu select all, then copy and paste the log here. Please describe any problems you may be having also.
     
  9. 2004/08/19
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Hjt

    HI DAVE,
    Here is the log you requested from HJT. Hope this helps and gets rid of this b**tardn' evil!

    Logfile of HijackThis v1.98.2
    Scan saved at 18:06:19, on 19/08/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {2621F626-F1EE-11D8-AAD8-52549E9D7B63} - C:\WINDOWS\SYSTEM\LIAMD.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O18 - Filter: text/html - {2621F625-F1EE-11D8-AAD8-52546E4FE514} - C:\WINDOWS\SYSTEM\LIAMD.DLL
    O18 - Filter: text/plain - {2621F625-F1EE-11D8-AAD8-52546E4FE514} - C:\WINDOWS\SYSTEM\LIAMD.DLL
     
  10. 2004/08/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Right click the desktop and choose new>folder. Name it HJT. Cut and paste HijackThis.exe to that folder. That will keep backup files from scattering all over the desktop.

    Download CWShredder.exe from here. Save it to your desktop.

    Check for updates to Ad-aware.

    Then scan again with HJT and place a check next to the following entries and click fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {2621F626-F1EE-11D8-AAD8-52549E9D7B63} - C:\WINDOWS\SYSTEM\LIAMD.DLL
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O18 - Filter: text/html - {2621F625-F1EE-11D8-AAD8-52546E4FE514} - C:\WINDOWS\SYSTEM\LIAMD.DLL
    O18 - Filter: text/plain - {2621F625-F1EE-11D8-AAD8-52546E4FE514} - C:\WINDOWS\SYSTEM\LIAMD.DLL

    Go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode.

    You may need to show hidden files and folders.

    Open CWShredder and click fix.
    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old
    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Applog, select all and delete.
    Open Ad-aware and run. Delete all it finds.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the box to 'enable start menu' in msconfig, recheck any items on the startup tab that you may have unchecked, and OK out. Reboot.

    Back in Windows, run another HijackThis scan and post the log.
     
  11. 2004/08/20
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Hjt

    Dave, many thanks for your swift responses to my requests...here is the latest log from HJT:-

    Logfile of HijackThis v1.98.2
    Scan saved at 11:45:24, on 20/08/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
     
  12. 2004/08/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Log looks clean, but there is at least one important startup entry missing. Copy the contents of the quote box below to notepad (include the quotes). Edit out the space in CurrentVersion (between r and e), close and save (to the desktop is fine) as fixscanregw.reg. Make sure you change the type field to All Files (*.*). Now double click the new reg file. You will receive a prompt similar to: "Do you wish to merge the information into the registry?" Click yes and wait for the message "Merged Successfully".
    Reboot.

    Are you posting a complete log? Looks very incomplete. Have you put some entries on the HJT exclusion list? I would like to see a complete log if the above isn't.
     
  13. 2004/08/21
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Latest Hjt Log

    Hi Dave, here is the latest log you requested,
    Regards,
    Gerd...

    Logfile of HijackThis v1.98.2
    Scan saved at 05:22:07, on 22/08/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A3170FA2-F2F0-11D8-AAD8-5254131EC2E3} - C:\WINDOWS\SYSTEM\JJLIA.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O18 - Filter: text/html - {A3170FA1-F2F0-11D8-AAD8-5254E3CC5C94} - C:\WINDOWS\SYSTEM\JJLIA.DLL
    O18 - Filter: text/plain - {A3170FA1-F2F0-11D8-AAD8-5254E3CC5C94} - C:\WINDOWS\SYSTEM\JJLIA.DLL
     
  14. 2004/08/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download CWShredder from here. Save it to your desktop.

    Update Ad-aware.

    Scan again with HijackThis and place a check next to the following entries. Close all other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {A3170FA2-F2F0-11D8-AAD8-5254131EC2E3} - C:\WINDOWS\SYSTEM\JJLIA.DLL
    O18 - Filter: text/html - {A3170FA1-F2F0-11D8-AAD8-5254E3CC5C94} - C:\WINDOWS\SYSTEM\JJLIA.DLL
    O18 - Filter: text/plain - {A3170FA1-F2F0-11D8-AAD8-5254E3CC5C94} - C:\WINDOWS\SYSTEM\JJLIA.DLL


    Go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode.

    Open CWShredder and click fix.
    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Applog, select all and delete.
    Open Ad-aware and run a full system scan. Delete all it finds.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the box to 'enable start menu' in msconfig and OK out. Reboot.

    Back in Windows, run another HijackThis scan and post the log.
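
An added example, not part of noahdfear's post and not HijackThis's own logic: a small parser that compares the 19/08 and 22/08 logs quoted in this thread and shows what the eye has to catch manually, namely that the `file://` search redirects are back unchanged while the DLL registered as both a BHO and a text/html / text/plain filter has returned under a new file name and CLSID. The "BHO plus MIME filter" heuristic is an assumption drawn from these two logs only.

```python
import re
from collections import defaultdict

# Subsets of the 19/08 and 22/08 HijackThis logs quoted in this thread.
LOG_19_08 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {2621F626-F1EE-11D8-AAD8-52549E9D7B63} - C:\WINDOWS\SYSTEM\LIAMD.DLL
O18 - Filter: text/html - {2621F625-F1EE-11D8-AAD8-52546E4FE514} - C:\WINDOWS\SYSTEM\LIAMD.DLL
O18 - Filter: text/plain - {2621F625-F1EE-11D8-AAD8-52546E4FE514} - C:\WINDOWS\SYSTEM\LIAMD.DLL
"""
LOG_22_08 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A3170FA2-F2F0-11D8-AAD8-5254131EC2E3} - C:\WINDOWS\SYSTEM\JJLIA.DLL
O18 - Filter: text/html - {A3170FA1-F2F0-11D8-AAD8-5254E3CC5C94} - C:\WINDOWS\SYSTEM\JJLIA.DLL
O18 - Filter: text/plain - {A3170FA1-F2F0-11D8-AAD8-5254E3CC5C94} - C:\WINDOWS\SYSTEM\JJLIA.DLL
"""

R_RE = re.compile(r"^R[0-3] - ([^,]+),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def parse(log):
    """Return (r_entries, roles): IE registry values and DLL path -> set of roles."""
    r_entries, roles = [], defaultdict(set)
    for line in log.splitlines():
        line = line.strip()
        if m := R_RE.match(line):
            r_entries.append((m[1], m[2], m[3]))        # key, value name, data
        elif m := O2_RE.match(line):
            roles[m[3].upper()].add("BHO")              # paths compared case-insensitively
        elif m := O18_RE.match(line):
            roles[m[3].upper()].add("filter:" + m[1])
    return r_entries, roles

def local_redirects(r_entries):
    """IE search/start values that point at a local file rather than a web URL."""
    return [e for e in r_entries if e[2].lower().startswith("file://")]

def bho_and_filter_dlls(roles):
    """DLLs registered both as a BHO and as a text/html or text/plain filter."""
    wanted = {"filter:text/html", "filter:text/plain"}
    return sorted(p for p, r in roles.items() if "BHO" in r and r & wanted)

def compare(before, after):
    """Summarise what survived a fix and whether the DLL component was regenerated."""
    r_b, roles_b = parse(before)
    r_a, roles_a = parse(after)
    dll_b, dll_a = bho_and_filter_dlls(roles_b), bho_and_filter_dlls(roles_a)
    return {
        "redirects_still_present": sorted(set(local_redirects(r_b)) & set(local_redirects(r_a))),
        "dlls_before": dll_b,
        "dlls_after": dll_a,
        "dll_renamed": bool(dll_b and dll_a) and set(dll_b).isdisjoint(dll_a),
    }

if __name__ == "__main__":
    print(compare(LOG_19_08, LOG_22_08))
```

A line-by-line diff of the two logs would report the O2/O18 entries as unrelated additions and removals; grouping by the role each DLL plays is what ties them together.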
     
  15. 2004/08/22
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Adaware

    Dave, problem: every time I try to run Ad-aware, it's telling me that I've performed an illegal operation.
     
  16. 2004/08/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you still have the downloaded setup file (provided it's the latest build, Ad-aware SE), uninstall and run the setup again, update and run a full scan. Otherwise just download it again and uninstall/reinstall/update.

    Did you do the registry merge for scanreg?
     
  17. 2004/08/25
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    Adaware

    Dave, I think I'm being hindered by the whole Adaware thing in my task of trying to remove about:blank!!
    Here is the fault report after the PC tells me I've performed an illegal operation:-
    AD-AWARE caused an exception eedfadeH in module <unknown> at 0000:00000000.
    Registers:
    EAX=00000000 CS=0000 EIP=00000000 EFLGS=00000000
    EBX=00000000 SS=0000 ESP=00000000 EBP=00000000
    ECX=00000000 DS=0000 ESI=00000000 FS=0000
    EDX=00000000 ES=0000 EDI=00000000 GS=0000
    Bytes at CS:EIP:

    Stack dump:
     
  18. 2004/08/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, let's see what we can find with this.
    1. Please download dllcompare (A scanner to locate hidden DLL files) from either of the following locations:
    2. When you execute dllcompare.exe, by default the c:\windows\system32 is selected. This can be changed to scan your entire computer for any file type - Simply select the path and check off the box labelled "Include SubDirectories"
    3. Click on "Locate.com" and allow the scan to complete.
    4. After the scan has finished click on "Compare" to scan for the files that Windows does not see. This step will take a few minutes to run.
    5. If the box at the bottom of the screen contains any files, these are the ones that are hidden - Click on "Make a Log of what was Found".
    6. When prompted to "View Log File" click on "Yes".
    7. Notepad will open with the log file contents.
    8. In Notepad, click on "Edit>Select All" then "Edit>Copy" and post the contents.
    There are no functions in the program to alter the O/S as it is just a scanner at this point.
     
  19. 2004/08/29
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    The Scan, Dave!

    Dave, here is the result from that scan mate. Hope this helps.
    G.

    * DLLCompare Log version(1.0.0.125)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM\comi.dll Sun May 2 2004 3:28:30a A.... 57,344 56.00 K
    ________________________________________________

    694 items found: 694 files, 0 directories.
    Total of file sizes: 129,499,985 bytes 123.50 M

    --------------------End log---------------------
     
  20. 2004/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, that helps. Now, so that I know if another tool will be needed, please do the following.

    Go to start>run and paste the following command, including the quotes. There will be a space between the r and e in CurrentVersion that you need to take out, then hit enter.

    regedit.exe /e c:\RunOnce.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"

    Open My Computer, then Local Disk C: and look for the RunOnce.txt file. Open and copy/paste the contents here.
     
  21. 2004/08/29
    gerdcurli

    gerdcurli Inactive Thread Starter

    Joined:
    2003/01/22
    Messages:
    58
    Likes Received:
    0
    RUN-ONCE Contents

    Dave, this is all it says mate, G

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "*ox"="rundll32 C:\\WINDOWS\\SYSTEM\\COMI.DLL,StreamingDeviceSetup"
     
    Last edited: 2004/08/29
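
An added example, not part of the thread and not code from DLLCompare or regedit: it cross-references the two artefacts posted above, the DLLCompare list of files Windows does not see and the `regedit /e` export of RunServicesOnce, and reports any autostart value whose `rundll32` target is one of the hidden files. The sample inputs are constructed from those two posts; function names are hypothetical, and the DLLCompare line parser assumes paths without spaces.

```python
import re

# Constructed from the DLLCompare log and the RunOnce.txt export posted in this thread.
DLLCOMPARE_LOG = r"""
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
C:\WINDOWS\SYSTEM\comi.dll Sun May 2 2004 3:28:30a A.... 57,344 56.00 K
"""
REG_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"*ox"="rundll32 C:\\WINDOWS\\SYSTEM\\COMI.DLL,StreamingDeviceSetup"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,(\S+)', re.IGNORECASE)
HIDDEN_RE = re.compile(r'^([A-Za-z]:\\\S+)\s')

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m[1]), unescape(m[2])

def hidden_files(log):
    """Paths listed by DLLCompare, lower-cased (Windows paths are case-insensitive)."""
    return {m[1].lower() for l in log.splitlines() if (m := HIDDEN_RE.match(l.strip()))}

def hidden_autostarts(dll_log, reg_text):
    """Autostart values whose rundll32 target is a file DLLCompare reported as hidden."""
    hidden, hits = hidden_files(dll_log), []
    for key, name, data in parse_reg(reg_text):
        m = RUNDLL_RE.match(data)
        if m and m[1].lower() in hidden:
            hits.append({"key": key, "value": name, "dll": m[1], "export": m[2]})
    return hits

if __name__ == "__main__":
    for hit in hidden_autostarts(DLLCOMPARE_LOG, REG_EXPORT):
        print(hit)
```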