[solved] Need help with about:blank Hijack

Discussion in 'adware, spyware & hijack cleaning' started by Lasuar, Jul 20, 2004.

Thread Status:
Not open for further replies.
  1. Lasuar

    Lasuar Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    5
    Hello all,
    Been having trouble with the about:blank hijack, cannot get rid of it, and would appreciate any help.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:59:49 AM, on 7/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\DESKTOP\DRIVERS\HJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {DC6C0063-DA1A-11D8-A76A-000412DE9CA3} - C:\WINDOWS\SYSTEM\GEBOECA.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37982.4352662037
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


    Log file from PV
    ----------------

    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    ACTXPRXY.DLL 703d0000 110592 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 6.00.2800.1106 ActiveX Interface Marshaling Library
    RNR20.DLL 783c0000 61440 C:\WINDOWS\SYSTEM\RNR20.DLL 4.10.2222 Windows Socket2 NameSpace DLL
    RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library
    SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services
    MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library
    SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library
    MSNET32.DLL 7f300000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.10.2224 Microsoft 32-bit Network API Library
    MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library
    TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows(TM) Telephony API Client DLL
    NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
    NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
    MSOHEV.DLL 32520000 73728 C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOHEV.DLL 10.0.2609 Microsoft Office XP component
    IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.10.1998 Win32 IMM32 core component
    MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    JSCRIPT.DLL 6b700000 589824 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.6.0.8513 Microsoft (r) JScript
    MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL 6.00.2800.1106 Multi Language Support DLL
    SHDOCLC.DLL 2b60000 540672 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 6.00.2800.1106 Shell Doc Object and Control Library
    MSHTML.DLL 63580000 2818048 C:\WINDOWS\SYSTEM\MSHTML.DLL 6.00.2800.1400 Microsoft (R) HTML Viewer
    GEBOECA.DLL 2340000 45056 C:\WINDOWS\SYSTEM\GEBOECA.DLL
    MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL 4.72.3510.2300 My Documents Folder UI
    NSEXTINT.DLL 492e0000 49152 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\1033\NSEXTINT.DLL 10.145.3722.0 Microsoft SharePoint Portal Server
    MSONSEXT.DLL 49090000 1429504 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\MSONSEXT.DLL 10.145.3810.0 Microsoft Web Folders
    MSI.DLL 4fa0000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
    HLINK.DLL 703a0000 81920 C:\WINDOWS\SYSTEM\HLINK.DLL 5.0.4513 Microsoft Hyperlink Library
    URLMON.DLL 1a400000 499712 C:\WINDOWS\SYSTEM\URLMON.DLL 6.00.2800.1400 OLE32 Extensions for Win32
    PKMWS.DLL 49980000 86016 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\PKMWS.DLL 10.145.3722.0 Microsoft SharePoint Portal Server Windows API Stub Library
    SHFOLDER.DLL 71930000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 6.00.2800.1106 Shell Folder Service
    BROWSELC.DLL 718e0000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL 6.00.2800.1106 Shell Browser UI Library
    BROWSEUI.DLL 71500000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 6.00.2800.1400 Shell Browser UI Library
    NVIEW.DLL 10000000 688128 C:\WINDOWS\SYSTEM\NVIEW.DLL 4.13.01.4109 NVIDIA nView Desktop and Window Manager 41.09
    POWRPROF.DLL 78950000 24576 C:\WINDOWS\SYSTEM\POWRPROF.DLL 5.00.0910.1900 Power Profile Helper DLL
    SETUPAPI.DLL 77ea0000 421888 C:\WINDOWS\SYSTEM\SETUPAPI.DLL 5.00.1671.1 Windows NT Setup API
    MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
    CFGMGR32.DLL 7f810000 45056 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.10.1998 Configuration Manager Win32 Interface
    WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV 4.10.1998 Win32 WINSPOOL core component
    COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL 4.72.3510.2300 Common Dialogs DLL
    LZ32.DLL bfe60000 24576 C:\WINDOWS\SYSTEM\LZ32.DLL 4.10.1998 Win32 LZ32 core component
    DDRAW.DLL baaa0000 389120 C:\WINDOWS\SYSTEM\DDRAW.DLL 4.09.00.0900 Microsoft DirectDraw
    NTDLL.DLL bfee0000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.10.1998 Win32 NTDLL core component
    OLEPRO32.DLL 5f300000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4518
    VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component
    SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll
    WDMJBN.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\WDMJBN.DLL
    IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 5.00.1717.2 IP Helper API
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider
    IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL 5.00.1717.2 Ipconfig API DLL
    DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
    WININET.DLL 63000000 614400 C:\WINDOWS\SYSTEM\WININET.DLL 6.00.2800.1405 Internet Extensions for Win32
    OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4518
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
    CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.1878.12 Crypto API32
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
    MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL 5.131.1877.3 Microsoft Trust ASN APIs
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
    IEXPLORE.EXE 400000 102400 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 6.00.2800.1106 Internet Explorer
    SHDOCVW.DLL 71700000 1347584 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 6.00.2800.1400 Shell Doc Object and Control Library
    COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
    SHLWAPI.DLL 70a70000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 6.00.2800.1400 Shell Light-weight Utility Library
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2222 Win32 USER32 core component
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
    MSVCRT.DLL 78000000 278528 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.00.8797.0 Microsoft (R) C Runtime Library
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component


    Thanks a lot! Any help to get rid of this thing would be wonderful!

    Lasuar
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Re: Need help with about:blank Hijack

    Download from above link:
    -StartDreck
    -Win98.fix

    First do this:
    Go to start/run/type:
    msinfo32
    *Expand: "Software Environment"
    *Expand: "System hooks"
    File may be listed as:

    -Hook type: Window Procedure
    -Hooked by: XXXXX.dll
    -Application: RUNDLL32.EXE
    -Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
    -Application path: C:\WINDOWS\RUNDLL32.EXE

    Where XXXXX.dll is the file name.

    If so, highlight it, use Edit > Copy, and post it here.

    Then, Unzip and run StartDreck.exe
    Hit: -config
    hit: -Unmark all
    Check these boxes only:
    *Registry->run keys
    *Registry->Browser helper objects
    *System/drivers> Running processes
    hit >ok.

    Use the "save" tab, to save, name and post the log!

    Regards
     
  3. Lasuar


    Here is what was in system Hooks.
    -----------------------------------

    GetMessage Nview.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Nview.dll C:\WINDOWS\RUNDLL32.EXE
    Window Procedure Nview.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Nview.dll C:\WINDOWS\RUNDLL32.EXE
    Window Procedure Wdmjbn.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Wdmjbn.dll C:\WINDOWS\RUNDLL32.EXE
    Mouse Nview.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Nview.dll C:\WINDOWS\RUNDLL32.EXE
    Window Procedure Result Nview.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Nview.dll C:\WINDOWS\RUNDLL32.EXE

    Here is the StartDreck log.
    -----------------------

    StartDreck (build 2.1.5 public BETA) - 2004-07-20 @ 14:06:27
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    *NVIEW=rundll32.exe nview.dll,nViewLoadHook
    »RunOnce
    »Default User
    »Run
    *NVIEW=rundll32.exe nview.dll,nViewLoadHook
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *C-Media Mixer=Mixer.exe /startup
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    *NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    *Installed=1
    *Installed=1
    *NoChange=1
    *Installed=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    »RunServicesOnce
    **ld=rundll32 C:\WINDOWS\SYSTEM\WDMJBN.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Browser Helper Objects (LM)
    *{DC6C0063-DA1A-11D8-A76A-000412DE9CA3}
    `InprocServer32=C:\WINDOWS\SYSTEM\GEBOECA.DLL
    »Files
    »System/Drivers
    »Running Processes
    *FFEF845B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFFF0BF=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFCD2B=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFEE75B=C:\WINDOWS\EXPLORER.EXE
    *FFFEB13F=C:\WINDOWS\RUNDLL32.EXE
    *FFFD73B7=C:\WINDOWS\TASKMON.EXE
    *FFFD4CBF=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFC3E77=C:\WINDOWS\SYSTEM\STIMON.EXE
    *FFFBE8DF=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFFD95D7=C:\WINDOWS\RUNDLL32.EXE
    *FFFC0007=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFFB5A1B=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFA7E67=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    *FFFAE577=C:\WINDOWS\NOTEPAD.EXE
    *FFFAEB1F=C:\WINDOWS\DESKTOP\DRIVERS\SOFTWARE\STARTDRECK.ZIP\STARTDRECK.EXE
    »Application specific

    Thank you for your help.
     
  4. subratam


    Unzip Win98fix.zip to your desktop.

    DoubleClick on: Win98fix.reg file, hit 'yes'
    on the prompt!
    -Restart computer!
    -File should be visible!
    -Do 'find files' for, and delete, C:\WINDOWS\SYSTEM\WDMJBN.DLL <--file.

    Reboot.

    Run Spybot, check for updates and then do complete scan. Reboot and then run CWShredder and RUN Fix. Let it fix what it finds. Restart and post a fresh hijackthis log
     
  5. Lasuar


    Thanks so much for your help!! Here is the new HijackThis log, and it looks like we may have gotten it, with only the Spybot BHO left.
    This thing has been driving me crazy. It's my roommate's system and I just couldn't get rid of it.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:04:41 AM, on 7/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\DRIVERS\HJACK\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37982.4352662037
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


    Thank you again so much for all your help and time,


    Lasuar
     
  6. subratam


    Fix O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe in Hijackthis. Restart and post a fresh log.

    Read -> https://www.wilderssecurity.com/showthread.php?t=27971 so that in future you don't get infected like this anymore.

    Regards
     
  7. Lasuar


    Heya thanks for your help,

    Are you sure that file is not part of the Outlook Express security patch?

    http://www.microsoft.com/downloads/...ed-af49-4ba1-848d-19b984d66e60&displaylang=en

    I know it could be a virus or trojan masking itself as the file. Just thought I would double check before I cleaned it.

    Edit: did more research, was new update of Outlook so guess it was virus/trojan whatever :) Was in strange location anyway, so cleaned it. Here is the new log. I would never have gotten that one since my previous searches on it showed it as a legitimate Windows file.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:23:05 AM, on 7/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\DRIVERS\HJACK\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37982.4352662037
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


    Thanks for your help and for spotting something like that, which gives you a legitimate file when you do a search on it.

    Lasuar
     
    Last edited: Jul 22, 2004
  8. subratam


    You are welcome.

    I hope you will read that link I gave to minimise future re-infection.

    Regards
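
Added example, not part of the original thread: a small Python triage script that parses HijackThis logs, diffs a "before" and "after" scan, and flags R* and O16 entries whose target is a local `file://` URL, the pattern shared by the search-page and DPF entries that were cleaned in this thread. The sample logs are a constructed subset of lines copied from the posts above; the function names and the `file://` heuristic are assumptions of this example, not HijackThis features.

```python
import re

# Constructed samples: a subset of lines from the first and last logs in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DC6C0063-DA1A-11D8-A76A-000412DE9CA3} - C:\WINDOWS\SYSTEM\GEBOECA.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""
AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

# A log entry is "<section code> - <detail>", e.g. "R1 - ..." or "O16 - ...".
# Header lines and the running-process paths do not match this shape.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")


def parse(log):
    """Return the (section, detail) entries of a HijackThis log, in order."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def local_file_targets(entries):
    """Flag IE search/start-page (R*) and Downloaded Program Files (O16)
    entries that point at a local file:// URL instead of a web address.
    Heuristic assumed for this example; it is a prompt to review, not a verdict."""
    return [(section, detail) for section, detail in entries
            if (section.startswith("R") or section == "O16")
            and "file://" in detail.lower()]


def removed(before, after):
    """Entries present in the earlier scan but gone from the later one."""
    later = set(after)
    return [entry for entry in before if entry not in later]


def added(before, after):
    """Entries that first appear in the later scan."""
    earlier = set(before)
    return [entry for entry in after if entry not in earlier]


if __name__ == "__main__":
    old, new = parse(BEFORE), parse(AFTER)
    for section, detail in local_file_targets(old):
        print("REVIEW ", section, detail)
    for section, detail in removed(old, new):
        print("REMOVED", section, detail)
    for section, detail in added(old, new):
        print("ADDED  ", section, detail)
```

Diffing successive scans confirms that a fix actually removed what it targeted and shows anything new that appeared between reboots, such as the Spybot helper BHO here.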
     