
about:blank hijacker problem


1 reply to this topic

#1 ken65

  • Members
  • 1 posts

Posted 21 February 2005 - 12:55 PM

Hello,

I have had a difficult time eliminating a pesky hijacker.

The first problem I have is with Explorer. I receive an error message that reads "this program has performed an illegal operation and will be shut down" upon connecting with Explorer. The details tab reads that there is an error in module URLMON.DLL.

I also have an about:blank hijacker as well. I think it is related to the two pesky dll files that I continually have to remove in safe mode. One has the same file name every time and goes in the Windows/Temp folder, the other always has a different name each time and is in the Windows/System folder.

Here are my Startdreck and HJT logs:


StartDreck (build 2.1.7 public stable) - 2005-02-17 @ 23:05:42 (GMT -06:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2800.1106
Logged in as Kenneth Surbaugh at PAVILION

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*EncMonitor=C:\Program Files\Encompass\Monitor.exe
»RunServicesOnce
**ksgr=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FFCF99ED=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFAE59=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE58C9=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE2019=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFED1F9=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFED425=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
+FFFEE909=C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
+FFF9026D=C:\WINDOWS\RUNDLL32.EXE
+FFF99C31=C:\WINDOWS\TASKMON.EXE
+FFF81AB5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFF8F391=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
+FFF8E8C1=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFF88551=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFF89E79=C:\WINDOWS\RunDLL.exe
+FFFB7A09=C:\WINDOWS\CWD3DSND.EXE
+FFFB6DE5=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
+FFFB0061=C:\MPASS\MPSERVER.EXE
+FFF82F09=C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
+FFF86339=C:\MPASS\IPCSRVER.EXE
+FFFB34D9=C:\MPASS\DSMSRVR.EXE
+FFFBC10D=C:\WINDOWS\SYSTEM\rtdsk40w.exe
+FFF9D429=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF85BD9=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFEA03D=C:\WINDOWS\EXPLORER.EXE
+FFFA7675=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFC5902D=C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
+FFC5D3C5=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»NT Services
»Application specific


Logfile of HijackThis v1.99.0
Scan saved at 11:08:37 PM, on 2/17/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\CWD3DSND.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
C:\MPASS\MPSERVER.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\MPASS\IPCSRVER.EXE
C:\MPASS\DSMSRVR.EXE
C:\WINDOWS\SYSTEM\rtdsk40w.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 81.211.105.20
O15 - Trusted IP range: 81.211.105.20 (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab


I can only speculate that there is a hidden dll file somewhere in my system. The only line I can find that is different from previous Startdreck logs is this:

**ksgr=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

I cannot find this file in the Windows folder, and it never appears in the HJT log. I can only assume it is a hidden dll file.

Please someone assist me with this difficult problem. I realize I am very new at this, so please be patient with me. Thank you!

Ken
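The line Ken singles out sits under a RunServicesOnce key, its value name carries a leading asterisk, and rundll32 is told to load a module named as a .GIF. As an added example (not part of the original post, and not StartDreck's or HijackThis's own code), here is a small Python audit that walks a StartDreck-style log and flags exactly those two traits in Run-type keys. The sample log is constructed from lines in the post; the `»` section prefix is StartDreck's own layout, and the "runs even in Safe Mode" meaning of an asterisk-prefixed value name is documented Windows 9x Run/RunOnce behaviour.

```python
import re

# Constructed sample, assembled from lines in the post's StartDreck log.
# StartDreck prints section headers prefixed with "»", registry values as
# "*name=value", and sub-items as "+..." / "`...".
SAMPLE_LOG = r"""
»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
»RunServicesOnce
**ksgr=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»File Associations (CR)
+.exe
*exefile="%1" %*
"""

RUN_KEYS = {"Run", "RunOnce", "RunServices", "RunServicesOnce",
            "RunOnceEx", "RunServicesOnceEx"}
HIVES = {"Current User", "Default User", "Local Machine"}

# Matches "rundll32 <module>[,<export>]"; the loader may be given with a full
# path and/or quotes, and the module may itself be quoted or unquoted.
LOADER_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll(?:32)?(?:\.exe)?"?\s+'
    r'(?P<module>"[^"]+"|[^,\s]+)(?:,(?P<export>\S+))?',
    re.IGNORECASE,
)


def is_header(line):
    """Section headers are the lines that are not value/sub-item lines."""
    return bool(line) and line[0] not in "*+`"


def audit(log_text):
    """Return suspicious Run-key entries as dicts with a 'reasons' list."""
    findings = []
    hive = section = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if is_header(line):
            section = line.lstrip("»")
            if section in HIVES:
                hive = section
            continue
        if line[0] != "*" or section not in RUN_KEYS:
            continue
        name, _, value = line[1:].partition("=")
        reasons = []
        # Windows 9x: a value name starting with "*" runs even in Safe Mode,
        # which is why such an entry survives safe-mode clean-ups.
        if name.startswith("*"):
            reasons.append("value name starts with '*': runs even in Safe Mode")
        m = LOADER_RE.match(value)
        if m:
            module = m.group("module").strip('"')
            if not module.lower().endswith(".dll"):
                reasons.append(
                    f"rundll32 loads a module without a .dll extension: {module}")
        if reasons:
            findings.append({"hive": hive, "key": section, "name": name,
                             "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f['hive']}\\{f['key']}] {f['name']} = {f['value']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, the only hit is the `*ksgr` entry under Local Machine\RunServicesOnce, reported for both traits, while the legitimate `powrprof.dll` and `deskcp16.dll` rundll entries pass. A log that was pasted with the mis-encoded section prefixes (as on this page) still parses, because headers are recognised by what they are not rather than by the `»` byte.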



#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,612 posts
  • Gender:Male
  • Location:USA

Posted 23 February 2005 - 05:53 PM

Excellent...want to join the training program ? :thumbsup:


Please download the following bat file to your c:\ drive and run it. It will then open a folder. Zip the contents of that folder into a zip file and submit it at http://www.bleepingcomputer.com/submit-malware.php



