Browser Hijacker about:blank

Discussion in 'adware, spyware & hijack cleaning' started by kingosh, Jul 12, 2004.

  1. kingosh

    kingosh Registered Member

    Joined: Jul 12, 2004
    Posts: 8
    Hi all,

    I've been plagued by the about:blank hijacker for some time now and have tried all sorts of programs to get rid of it. I actually managed (or thought I did) to eliminate the problem using about:buster but it came back this morning : (

    Can someone please have a look at my hijackthis log and help me get rid of it once and for all?


    Logfile of HijackThis v1.97.7
    Scan saved at 13:52:20, on 12/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\A2\A2GUARD.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37995.11875
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
     
  2. kingosh

    kingosh Registered Member

    Joined: Jul 12, 2004
    Posts: 8
    Bump...
     
  3. kingosh

    kingosh Registered Member

    Joined: Jul 12, 2004
    Posts: 8
    Can anyone help me? Pretty please with sugar on top
     
  4. Taz71498

    Taz71498 Registered Member

    Joined: May 27, 2004
    Posts: 674
    Location: USA
    Hello kingosh,

    I would first like you to download Adaware if you don't already have it (don't run it yet, but I would like you to open it and update the reference file and then close it.)

    Close all windows except HijackThis and check these lines then click on Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


    Reboot and scan with AdAware (the first program you downloaded)

    Reboot.

    Download: "StartDreck", from here:
    http://members.blackbox.net/hp_link...ks/21/nikolaus.rameis/download/startdreck.htm

    Unzip to its own folder and start the program,

    Press 'Config'
    Press 'Unmark All'

    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'

    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Post the log in this thread along with a new HJT log.
     
  5. kingosh

    kingosh Registered Member

    Joined: Jul 12, 2004
    Posts: 8
    Hi Taz71498,

    Thanks for the help.

    Did what you said and here are my new logs.

    StartDreck:

    StartDreck (build 2.1.5 public BETA) - 2004-07-25 @ 19:39:38
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    *a²="C:\Program Files\a2\a2guard.exe"
    »RunOnce
    »Default User
    »Run
    *a²="C:\Program Files\a2\a2guard.exe"
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *ICSDCLT=C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    *HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb04.exe
    *LoadQM=loadqm.exe
    *InstantAccess=C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    *RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    *P2P NETWORKING=C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    *ashMaiSv=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    *TrojanScanner=C:\Program Files\Trojan Remover\Trjscan.exe
    *WinPatrol="C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    *THGuard="C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
    *Installed=1
    *Installed=1
    *NoChange=1
    *Installed=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    *avast!=C:\Program Files\Alwil Software\Avast4\ashServ.exe
    »RunServicesOnce
    **qoc=rundll32 C:\WINDOWS\SYSTEM\CTLO.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FF0F6F47=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFFAC9B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFA483=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FFFF92D3=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFE1C53=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE0F6B=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    *FFFE167F=C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    *FFFE1F63=C:\WINDOWS\RUNDLL32.EXE
    *FFFC119F=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFCBCBB=C:\WINDOWS\SYSTEM\RPCSS.EXE
    *FFFBAA0F=C:\WINDOWS\EXPLORER.EXE
    *FFF92FFF=C:\WINDOWS\TASKMON.EXE
    *FFF916C7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFF8C273=C:\WINDOWS\RUNDLL32.EXE
    *FFF749EF=C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    *FFF94BB3=C:\WINDOWS\LOADQM.EXE
    *FFF9F62B=C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
    *FFF75117=C:\WINDOWS\SYSTEM\STIMON.EXE
    *FFF75803=C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
    *FFF76AFB=C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    *FFF772AF=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    *FFF60423=C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
    *FFF9D367=C:\PROGRAM FILES\A2\A2GUARD.EXE
    *FFF894EB=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    *FFF9B8AB=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFF41293=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    *FFFA3A6B=C:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
    »Application specific


    Hijack This:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:42:33, on 25/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
    C:\PROGRAM FILES\A2\A2GUARD.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.constructireland.ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37995.11875
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
     
  6. Taz71498

    Taz71498 Registered Member

    Joined: May 27, 2004
    Posts: 674
    Location: USA
    Hello,

    Download: "Win98Fix.zip" from here:
    http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

    Unzip to its own folder.

    Open Folder and double click on RunFix.reg file.
    Hit 'Yes' to merge it into your registry.
    Restart your computer.

    The bad file should now be visible so you can delete it.
    Browse to C:\WINDOWS\SYSTEM\CTLO.DLL.
    Right click select 'Properties' and remove any 'Read only' protection.
    Right click again and select 'Delete'.

    Now, run Adaware again. Reboot and post a new log here.
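
Added example, not part of the original posts: the StartDreck log above lists a RunServicesOnce value that loads CTLO.DLL, and no O4 line in the HijackThis log from the same day carries that command. The sketch below cross-checks the two log formats to surface such entries. The embedded logs are abridged excerpts of the ones in this thread; the reading of the StartDreck layout (section lines start with `»`, value lines with `*`) is an assumption inferred from the posted log, and all function names are hypothetical.

```python
import re

# Abridged excerpts of the two logs posted in this thread (25/07/04).
STARTDRECK_LOG = r"""
»Registry
»Run Keys
»Current User
»Run
*a²="C:\Program Files\a2\a2guard.exe"
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*THGuard="C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
*Installed=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
»RunServicesOnce
**qoc=rundll32 C:\WINDOWS\SYSTEM\CTLO.DLL,StreamingDeviceSetup
»RunOnceEx
»Files
»System/Drivers
»Running Processes
*FFFBAA0F=C:\WINDOWS\EXPLORER.EXE
"""

HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

HIVES = {"Current User", "Default User", "Local Machine"}
RUN_KEYS = {"Run", "RunOnce", "RunOnceEx",
            "RunServices", "RunServicesOnce", "RunServicesOnceEx"}
# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")
# Values such as "Installed=1" are not commands; keep only file references.
LOOKS_LIKE_COMMAND = re.compile(r"\.(exe|dll|com|bat|scr|pif)\b", re.I)


def normalise(command):
    """Lower-case, drop quotes and collapse whitespace for comparison."""
    return " ".join(command.replace('"', "").lower().split())


def parse_hijackthis_o4(text):
    """Return (hive, key, name, command) for each registry O4 line."""
    entries = []
    for line in text.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            entries.append(match.groups())
    return entries


def parse_startdreck(text):
    """Return (hive, key, name, command) for values under 'Run Keys'."""
    entries, hive, key, in_run_keys = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            title = line[1:].strip()
            if title == "Run Keys":
                in_run_keys = True
            elif in_run_keys and title in HIVES:
                hive, key = title, None
            elif in_run_keys and title in RUN_KEYS:
                key = title
            else:  # any other section ends the Run Keys block
                in_run_keys, hive, key = False, None, None
        elif line.startswith("*") and hive and key and "=" in line:
            # Strip one leading '*' marker; "**qoc" is kept as "*qoc".
            name, _, value = line[1:].partition("=")
            entries.append((hive, key, name, value))
    return entries


def unreported_autostarts(startdreck_text, hijackthis_text):
    """StartDreck run-key commands with no matching HijackThis O4 command."""
    known = {normalise(e[3]) for e in parse_hijackthis_o4(hijackthis_text)}
    return [e for e in parse_startdreck(startdreck_text)
            if LOOKS_LIKE_COMMAND.search(e[3]) and normalise(e[3]) not in known]


if __name__ == "__main__":
    for hive, key, name, command in unreported_autostarts(
            STARTDRECK_LOG, HIJACKTHIS_LOG):
        print(f"{hive}\\{key}: [{name}] {command}")
```
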
     
  7. kingosh

    kingosh Registered Member

    Joined: Jul 12, 2004
    Posts: 8
    Hi Taz,

    Downloaded that win98fix and found the CTLO.DLL.

    Got rid of it, rebooted, ran adaware and here are the adaware and hijackthis logs.

    Logfile of HijackThis v1.98.0
    Scan saved at 00:03:48, on 27/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
    C:\PROGRAM FILES\A2\A2GUARD.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\LATEST HIJACKTHIS\LATEST HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.constructireland.ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :26 July 2004 23:54:33
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R334 24.07.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file


    26-07-04 23:54:33 - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [kernel32.dll]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4279177807
    Threads : 10
    Priority : High
    FileSize : 460 KB
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    Copyright : Copyright (C) Microsoft Corp. 1991-1999
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    OriginalFilename : KERNEL32.DLL
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:2 [msgsrv32.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294955411
    Threads : 1
    Priority : Normal
    FileSize : 11 KB
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    Copyright : Copyright (C) Microsoft Corp. 1992-1998
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    OriginalFilename : MSGSRV32.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:3 [spool32.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294957451
    Threads : 2
    Priority : Normal
    FileSize : 44 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
    CompanyName : Microsoft Corporation
    FileDescription : Spooler Sub System Process
    InternalName : spool32
    OriginalFilename : spool32.exe
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:4 [mprexe.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294963191
    Threads : 1
    Priority : Normal
    FileSize : 28 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1993-1998
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    OriginalFilename : MPREXE.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:5 [mstask.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294837383
    Threads : 3
    Priority : Normal
    FileSize : 109 KB
    FileVersion : 4.71.1972.1
    ProductVersion : 4.71.1972.1
    Copyright : Copyright (C) Microsoft Corp. 2000
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    OriginalFilename : mstask.exe
    ProductName : Microsoft
    Created on : 18/06/01 11:33:20
    Last accessed : 25/07/04 23:00:00
    Last modified : 18/06/01 11:33:20

    #:6 [ssdpsrv.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294842123
    Threads : 6
    Priority : Normal
    FileSize : 55 KB
    FileVersion : 4.90.3003.0
    ProductVersion : 4.90.3003.0
    Copyright : Copyright (C) Microsoft Corp. 1981-2000
    CompanyName : Microsoft Corporation
    FileDescription : SSDP Service on Windows Millennium
    InternalName : ssdpsrv.exe
    OriginalFilename : ssdpsrv.exe
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    Created on : 07/09/03 16:12:17
    Last accessed : 25/07/04 23:00:00
    Last modified : 25/03/02 18:51:04

    #:7 [ashserv.exe]
    FilePath : C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\
    ProcessID : 4294941543
    Threads : 24
    Priority : Normal
    FileSize : 76 KB
    FileVersion : 4, 1, 389, 0
    ProductVersion : 4, 1, 0, 0
    Copyright : Copyright (c) 2003 ALWIL Software
    CompanyName : Copyright (c) 2003 ALWIL Software
    FileDescription : avast! antivirus service
    InternalName : aswServ
    OriginalFilename : aswServ.exe
    ProductName : avast! Antivirus
    Created on : 02/07/04 13:43:04
    Last accessed : 25/07/04 23:00:00
    Last modified : 13/06/04 10:40:46

    #:8 [mmtask.tsk]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294831819
    Threads : 1
    Priority : Normal
    FileSize : 1 KB
    FileVersion : 4.03.1998
    ProductVersion : 4.03.1998
    Copyright : Copyright
    CompanyName : Microsoft Corporation
    FileDescription : Multimedia background task support module
    InternalName : mmtask.tsk
    OriginalFilename : mmtask.tsk
    ProductName : Microsoft Windows
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:9 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4294834703
    Threads : 20
    Priority : Normal
    FileSize : 176 KB
    FileVersion : 4.72.3110.1
    ProductVersion : 4.72.3110.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1997
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows NT(R) Operating System
    Created on : 23/04/99 21:22:00
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:10 [rpcss.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294731491
    Threads : 5
    Priority : Normal
    FileSize : 20 KB
    FileVersion : 4.71.2900
    ProductVersion : 4.71.2900
    Copyright : Copyright (C) Microsoft Corp. 1981-1998
    CompanyName : Microsoft Corporation
    FileDescription : Distributed COM Services
    InternalName : rpcss.exe
    OriginalFilename : rpcss.exe
    ProductName : Microsoft(R) Windows NT(TM) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:11 [taskmon.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4294763703
    Threads : 1
    Priority : Normal
    FileSize : 28 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1998
    CompanyName : Microsoft Corporation
    FileDescription : Task Monitor
    InternalName : TaskMon
    OriginalFilename : TASKMON.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:12 [systray.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294701139
    Threads : 2
    Priority : Normal
    FileSize : 32 KB
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    Copyright : Copyright (C) Microsoft Corp. 1993-1998
    CompanyName : Microsoft Corporation
    FileDescription : System Tray Applet
    InternalName : SYSTRAY
    OriginalFilename : SYSTRAY.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:13 [rundll32.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4294685355
    Threads : 8
    Priority : Normal
    FileSize : 24 KB
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    Copyright : Copyright (C) Microsoft Corp. 1991-1998
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 23/04/99 21:22:00
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:14 [hpztsb04.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294688611
    Threads : 1
    Priority : Normal
    FileSize : 192 KB
    FileVersion : 2,78,0,0
    ProductVersion : 2,78,0,0
    Copyright : Copyright (c) Hewlett-Packard Company 1999-2001
    CompanyName : HP
    ProductName : HP DeskJet
    Created on : 29/09/03 10:01:37
    Last accessed : 25/07/04 23:00:00
    Last modified : 13/08/01 15:44:00

    #:15 [loadqm.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 4294593611
    Threads : 3
    Priority : Normal
    FileSize : 7 KB
    FileVersion : 5.4.1103.3
    ProductVersion : 5.4.1103.3
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft QMgr
    InternalName : LOADQM.EXE
    OriginalFilename : LOADQM.EXE
    ProductName : QMgr Loader
    Created on : 10/02/04 09:57:37
    Last accessed : 25/07/04 23:00:00
    Last modified : 03/05/00 16:23:10

    #:16 [instantaccess.exe]
    FilePath : C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\
    ProcessID : 4294675675
    Threads : 1
    Priority : Normal
    FileSize : 37 KB
    Created on : 17/10/03 14:55:18
    Last accessed : 25/07/04 23:00:00
    Last modified : 06/04/00 12:26:34

    #:17 [stimon.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294623679
    Threads : 3
    Priority : Normal
    FileSize : 112 KB
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    Copyright : Copyright (C) Microsoft Corp. 1996-1998
    CompanyName : Microsoft Corporation
    FileDescription : Still Image Devices Monitor
    InternalName : STIMON
    OriginalFilename : STIMON.EXE
    ProductName : Microsoft(R) Windows(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:18 [ashmaisv.exe]
    FilePath : C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\
    ProcessID : 4294629839
    Threads : 6
    Priority : Normal
    FileSize : 196 KB
    FileVersion : 4, 1, 415, 0
    ProductVersion : 4, 1, 0, 0
    Copyright : Copyright (c) 2003 ALWIL Software
    CompanyName : ALWIL Software
    FileDescription : avast! e-Mail Scanner Service
    InternalName : AvMaiSrv
    OriginalFilename : AvMaiSrv.exe
    ProductName : avast! Antivirus
    Created on : 02/07/04 13:43:03
    Last accessed : 25/07/04 23:00:00
    Last modified : 13/06/04 10:40:32

    #:19 [winpatrol.exe]
    FilePath : C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\
    ProcessID : 4294617347
    Threads : 1
    Priority : Normal
    FileSize : 188 KB
    FileVersion : 7, 0, 1, 0
    ProductVersion : 7.0.1.0
    Copyright : Copyright
    CompanyName : BillP Studios
    FileDescription : WinPatrol By BillP Studios
    InternalName : WinPatrol
    OriginalFilename : Scotty
    ProductName : WinPatrol
    Created on : 08/07/04 13:39:31
    Last accessed : 25/07/04 23:00:00
    Last modified : 06/05/04 13:17:38

    #:20 [thguard.exe]
    FilePath : C:\PROGRAM FILES\TROJANHUNTER 3.9\
    ProcessID : 4294532215
    Threads : 3
    Priority : Normal
    FileSize : 1042 KB
    FileVersion : 3.8.0.272
    ProductVersion : 1.0.0.0
    Copyright : Mischel Internet Security
    CompanyName : Mischel Internet Security
    FileDescription : TrojanHunter Guard
    OriginalFilename : THGuard.exe
    ProductName : TrojanHunter Guard
    Created on : 25/02/04 00:40:08
    Last accessed : 25/07/04 23:00:00
    Last modified : 25/02/04 00:40:08

    #:21 [a2guard.exe]
    FilePath : C:\PROGRAM FILES\A2\
    ProcessID : 4294511543
    Threads : 2
    Priority : Normal
    FileSize : 608 KB
    Created on : 13/12/03 15:01:19
    Last accessed : 25/07/04 23:00:00
    Last modified : 13/12/03 15:01:20

    #:22 [sgmain.exe]
    FilePath : C:\PROGRAM FILES\SPYWAREGUARD\
    ProcessID : 4294541883
    Threads : 1
    Priority : Normal
    FileSize : 352 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC
    CompanyName : Copyright (C) 2002-2003 Javacool Software LLC
    FileDescription : SpywareGuard
    InternalName : sgmain
    OriginalFilename : sgmain.exe
    ProductName : SpywareGuard
    Created on : 29/08/03 18:05:35
    Last accessed : 25/07/04 23:00:00
    Last modified : 29/08/03 18:05:36

    #:23 [wmiexe.exe]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294543607
    Threads : 3
    Priority : Normal
    FileSize : 16 KB
    FileVersion : 5.00.1755.1
    ProductVersion : 5.00.1755.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1998
    CompanyName : Microsoft Corporation
    FileDescription : WMI service exe housing
    InternalName : wmiexe
    OriginalFilename : wmiexe.exe
    ProductName : Microsoft(R) Windows NT(R) Operating System
    Created on : 01/01/01
    Last accessed : 25/07/04 23:00:00
    Last modified : 23/04/99 21:22:00

    #:24 [sgbhp.exe]
    FilePath : C:\PROGRAM FILES\SPYWAREGUARD\
    ProcessID : 4294432191
    Threads : 2
    Priority : Normal
    FileSize : 228 KB
    FileVersion : 2.02.0001
    ProductVersion : 2.02.0001
    Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
    CompanyName : Copyright (C) 2002-2003 Javacool Software LLC.
    FileDescription : SG Browser Hijacking Protection
    InternalName : sgbhp
    OriginalFilename : sgbhp.exe
    ProductName : SG Browser Hijacking Protection
    Created on : 29/08/03 10:14:56
    Last accessed : 25/07/04 23:00:00
    Last modified : 29/08/03 10:14:58

    #:25 [ad-aware.exe]
    FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
    ProcessID : 4294341167
    Threads : 2
    Priority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 27/02/04 10:34:34
    Last accessed : 25/07/04 23:00:00
    Last modified : 12/07/03 21:00:20

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\WINDOWS\TEMP\sp.html"
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Search
    Value : SearchAssistant
    Data : "file://C:\WINDOWS\TEMP\sp.html"

    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\WINDOWS\TEMP\sp.html"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Search
    Value : SearchAssistant
    Data : "file://C:\WINDOWS\TEMP\sp.html"

    Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "file://C:\WINDOWS\TEMP\sp.html"
    Rootkey : HKEY_USERS
    Object : .Default\Software\Microsoft\Internet Explorer\Search
    Value : SearchAssistant
    Data : "file://C:\WINDOWS\TEMP\sp.html"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 3


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : File
    Data : jpkf.dll
    Object : C:\WINDOWS\SYSTEM\
    FileSize : 30 KB
    Created on : 26/07/04 22:42:48
    Last accessed : 25/07/04 23:00:00
    Last modified : 26/07/04 22:42:50



    CoolWebSearch Object recognized!
    Type : File
    Data : apfaba.dll
    Object : C:\WINDOWS\SYSTEM\
    FileSize : 30 KB
    Created on : 26/07/04 19:19:19
    Last accessed : 25/07/04 23:00:00
    Last modified : 26/07/04 19:19:20



    CoolWebSearch Object recognized!
    Type : File
    Data : hkkeba.dll
    Object : C:\WINDOWS\SYSTEM\
    FileSize : 30 KB
    Created on : 26/07/04 19:40:39
    Last accessed : 25/07/04 23:00:00
    Last modified : 26/07/04 19:40:40



    CoolWebSearch Object recognized!
    Type : File
    Data : jcieba.dll
    Object : C:\WINDOWS\SYSTEM\
    FileSize : 30 KB
    Created on : 26/07/04 19:43:28
    Last accessed : 25/07/04 23:00:00
    Last modified : 26/07/04 19:43:30




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    CoolWebSearch Object recognized!
    Type : File
    Data : sp.html
    Object : c:\windows\temp\
    FileSize : 7 KB
    Created on : 26/07/04 22:42:49
    Last accessed : 25/07/04 23:00:00
    Last modified : 26/07/04 22:45:34



    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 4
    Objects found so far: 11


    Reanalyzing scan result
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    No objects have been removed from the result list.


    23:58:45 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:04:11:340
    Objects scanned :40486
    Objects identified :11
    Objects ignored :0
    New objects :11

    Hopefully we are getting somewhere : )

    cheers for the help

    Kingosh
     
  8. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
  9. kingosh

    kingosh Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    Hi

    Looks good so far. I've restarted a few times and it hasn't come back, as you can see from my hijackthis log below. One thing that is quite annoying is that I still can't access various internet sites, e.g. Google, Yahoo, Liverpool Website and more, which I figured would be righted when the hidden dll was deleted. Any idea why I can't access them but I can access other websites?

    Cheers for all the help, hopefully it's gone for good now.

    Kingosh

    Logfile of HijackThis v1.98.0
    Scan saved at 15:26:04, on 28/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
    C:\PROGRAM FILES\A2\A2GUARD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\HIJACKTHIS\LATEST HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.constructireland.ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunOnce: [VcCleanUp.exe] C:\WINDOWS\TEMP\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LIVEREG\ /RemoveAll
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi kingosh,

    Can you try this. Find the file C:\WINDOWS\hosts and rename it to hosts.bak
    Then try reaching those sites again.

    Regards,

    Pieter
     
  11. kingosh

    kingosh Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    8
    Hi,

    You guys sure know your stuff. Thanks Pieter, I found the hosts file and renamed it and it worked!

    Everything seems back to normal now, thanks for all the help, I'd still be pulling my hair out otherwise :)

    A grateful Kingosh
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Glad we could help. If you were not doing anything useful with your hosts file, this is a workable permanent solution.
    If you would like to learn some more about how it works and how you can use it for protection read: http://accs-net.com/hosts/what_is_hosts.html

    Regards,

    Pieter
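
Added example (not part of the original posts): a small audit of a hosts file for the symptom resolved above, where renaming C:\WINDOWS\hosts restored access to Google and Yahoo. The sample file contents, the watch list and the function names are constructed for illustration; the thread does not show what the hosts file actually contained.

```python
import ipaddress

# Constructed sample; the thread never shows the real file's contents.
SAMPLE_HOSTS = """\
# hosts file (constructed example)
127.0.0.1    localhost
127.0.0.1    www.google.com google.com
203.0.113.7  search.yahoo.com      # documentation-range address
0.0.0.0      ads.example.net
"""
# Assumed watch list: sites the poster reported as unreachable.
WATCHED = ("google.com", "yahoo.com")
EXPECTED_NAMES = {"localhost"}  # the only name a stock hosts file needs

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so this is not a mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip, verdict) for entries overriding watched domains."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in EXPECTED_NAMES:
            continue
        if not any(name == w or name.endswith("." + w) for w in watched):
            continue
        # Loopback or 0.0.0.0 makes the site unreachable; any other address
        # sends the browser to a server the user did not choose.
        verdict = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append((line_no, name, str(ip), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

Entries that are deliberate blocks, like the ad-server line in the sample, are not reported because they are not on the watch list; that is the protective use of the hosts file the linked article describes.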
     