MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Yet another ilxt.info and about:blank / hijack etc
November 12, 2019, 08:23:51 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 12, 2019, 08:23:51 AM

Login with username, password and session length
 Featured Sites:
News
New  Got pics of your modded PC or want to show off your cool desktop, visit our new Show & Tell forum!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Yet another ilxt.info and about:blank / hijack etc  (Read 1711 times)
jvr20
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 18


Bookmark and Share

View Profile
« on: July 25, 2004, 10:58:25 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: xp
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:





Hey guys,

I've tried following some of the detailed info you've given to others in my position, but for various reasons I couldn't follow it to the letter, perhaps the hijacker customises the spyware differently...Here's my HJT log file, I'd be really grateful for any help with my situation!

Here goes:

Logfile of HijackThis v1.98.0
Scan saved at 11:47:41, on 25/07/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Quick Keys\QKeys.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\VIKRAM~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {AB3EE218-BA52-4233-8045-6AAB0E794F05} - C:\WINDOWS\System32\pjfibaa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: QKeys.lnk = C:\Program Files\Quick Keys\QKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8699AB0-828E-41A1-967E-642261BE0CBA}: NameServer = 213.1.119.104 213.1.119.101
O18 - Filter: text/html - {DE9AF0C3-C82E-4D3A-BFA2-510323D07101} - C:\WINDOWS\System32\pjfibaa.dll
O18 - Filter: text/plain - {DE9AF0C3-C82E-4D3A-BFA2-510323D07101} - C:\WINDOWS\System32\pjfibaa.dll

Logged

 
jvr20
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 18


Bookmark and Share

View Profile
« Reply #1 on: July 26, 2004, 03:00:01 PM »

Pretty please guys, I'm desperate here! I've followed the instructions you've kindly given to other users, but nothing has worked so far...

jvr20
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #2 on: July 27, 2004, 07:58:53 PM »

If Spyhunter is in your Add/Remove programs remove it---it's bogus

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

Restart your computer and delete the SpyHunter folder

 Download FINDnFIX.exe

Double click to run FindnFix----It will Install to it's own folder
Find the folder and double-click on !LOG!.bat. Give it time to run and produce a log---- When done post the contents of Log.txt in this thread.

Next:
Open up Notepad (START, run, enter NOTEPAD in the BOX and hit OK).
Copy the CONTENTS of the Quote box to notepad
Now in Notepad select file, save as and enter in the filename box "Appinit.bat" (Use the quotes too) and save it on the desktop.

quote:
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
chkntfs c: > windows.txt
type windows1.hiv >> windows.txt


Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Upload windows.txt in your next reply----Insert file attachmet
Logged

 
jvr20
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 18


Bookmark and Share

View Profile
« Reply #3 on: July 28, 2004, 09:07:31 AM »

Cheers Benditup, I'm really grateful for this. To confirm:

1. Have removed SpyHunter, but the line you said to put a check by and Fix under HJT no longer exists - I attach the most recent HJT log below

2. Have deleted the SpyHunter/PopupBlocker folder from Program Files and restarted

3. Have performed the FindNFix log.bat instructions and the appint.bat routine, and attach the logs and text files as requested.

FindNFix log:
*************
 
« Last Edit: July 28, 2004, 01:25:43 PM by benditup » Logged

 
jvr20
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 18


Bookmark and Share

View Profile
« Reply #4 on: July 28, 2004, 09:15:34 AM »



My windows.txt file: windows.txt 8.72 KB
Right click and select Save Target As... then rename the file as shown here and save.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #5 on: July 28, 2004, 01:29:10 PM »

This next part will cause your computer to RESTART---Allow it!

In the keys1 folder, double click on FIX.bat.
There will be an alert of about 15 seconds before reboot
After you restart, open Explorer and navigate to
C:\Windows\System32 folder
Find the LOGCKHB.DLL file (it should be visible now). Highlight the file and using TOP menu, click Edit>>>>>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat.
When it is finished, in the FINDnFIX folder, there will be a file called Log2.txt - post it's contents in your next reply.
Logged

 
jvr20
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 18


Bookmark and Share

View Profile
« Reply #6 on: July 28, 2004, 01:40:54 PM »


Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #7 on: July 28, 2004, 01:48:06 PM »

Open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat.
It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip)
It will open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.
You will have to link to this thread

RESTART your computer and delete the whole FINDnFIX folder and files

Don't open a browser yet, instead access Internet Options via Control
Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Do a Disk Cleanup---START--RUN---type in "cleanmgr" without quotes

Download and unzip to desktop CWShredder
http://www.majorgeeks.com/download4086.html
With only CWShredder open let it FIX all problems
RESTART your computer

Download and install the free version of Ad-Aware

Set these additional options for a custom scan
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART your computer and post back with a fresh hijackthis log

If you have trouble deleting the file and folder
Try to follow these steps
Find this file here:
C:\FINDnFIX\junkxxx\logckhb<
-RightClick on it: properties
/Advanced/Security/permissions \
and try to take ownership giving yourself 'Full control'.

*Next
-Right click the 'junkxxx' folder itself. hit properties.
-Go to the security tab and click the advanced button.
-check the box to reset permissions on all child objects....
Hit apply. ok
-Delete 'junkxxx' Subfolder, and entire
FINDnFIX folder from C:\

How to take ownership of a file or folder in Windows XP
« Last Edit: July 28, 2004, 01:59:45 PM by benditup » Logged

 
jvr20
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 18


Bookmark and Share

View Profile
« Reply #8 on: July 28, 2004, 02:44:36 PM »


Latest HJT log - on opening the browser, it wasn't hijacked this time! Does this mean we're (nearly) there? Can't thank you enough Benditup. Any tips on how to stop it recurring?



Logfile of HijackThis v1.98.0
Scan saved at 15:32:10, on 28/07/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Quick Keys\QKeys.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: QKeys.lnk = C:\Program Files\Quick Keys\QKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #9 on: July 30, 2004, 02:31:24 AM »

Looks good jvr20
Optionally you can fix these entries with hijackthis
Not needed on startup, considered resource hogs

Do another scan with hijackthis and fix checked

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

RESTART---preferrably in safe mode
Navigate to this folder--C:\Program Files\Common Files\Real\Update_OB
Open it
RENAME realsched.exe>>>>>realsched.exe.old

How to stay secure
Go to Windows update and get ALL latest Critical updates and Service Packs--Including IE updates

You should install these 2 apps., they add extra security while
silently protecting you without running in the background
 
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
http://www.bleepingcomputer.com/forums/index.php?showtutorial=53

With both---Check for updates every couple of weeks

Other recommendations in this link
READ THIS
How did I get Infected

Stay safe Smiley


Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page December 31, 2018, 03:30:42 PM