Cajun-Hijackthis log file

Problem Solver

Cajun-Hijackthis log file

Wow! Cajun, I didn't even get a chance to blink.... I didn't shut down IE, would that have any effects on the results? Thanks in advance



Logfile of HijackThis v1.97.7
Scan saved at 1:04:00 PM, on 6/18/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.com"); (C:\Program Files\Netscape\Users\sunny2\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (disabled by BHODemon)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {81AA793C-BFD2-11D8-8C13-00A00F8CC513} - C:\WINDOWS\SYSTEM\EAOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: SysTray.Exe
O4 - HKLM\..\Run: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: mstask.exe
O4 - HKLM\..\RunServices: "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O15 - Trusted Zone: www.netscape.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38126.7990972222
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Well Blujay,

You would have the more complicated one to fix ;-)

But it is fixable
1st Download startdreck
from here.
Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application and if you save it to the same folder that you used for hijackthis that would be good)

Post the log in this thread.
Wait until I respond before proceeding.. Unfortunately I will be out until early this evening.. (JohnD may come along and help before then...)

Once we get there you will need to do this next...
Then download CWshredder.exe
run it click on fix..
Then download ad-aware set it up for a full scan

Reboot and scan with hijackthis again and post that log..
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Cajun, I hope I downloaded this correctly. The whole site was in German(?). Man!! I have enough trouble with English some days... :-) Here is the STARTDRECK log as requested

Thanks in advance, and don't be concerned about a prompt answer, I have to make like a housewife and do some whirling around and take advantage of dinner out...

StartDreck (build 2.1.5 public BETA) - 2004-06-18 @ 14:07:57
Platform: Windows 98 (Win 4.10.1998 )

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*NAV DefAlert=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
*Norton Auto-Protect=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
*CriticalUpdate=C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
»RunServicesOnce
**edmk=rundll32 C:\WINDOWS\SYSTEM\COMHA.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FF0FF17F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFA5EF=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFADF7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFF856F=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE387B=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFD72D3=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFD41B3=C:\WINDOWS\RUNDLL32.EXE
*FFFEB85B=C:\WINDOWS\EXPLORER.EXE
*FFFD9A9F=C:\WINDOWS\TASKMON.EXE
*FFFCE8CF=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFB75CF=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
*FFFA150F=C:\STARTDRECK\STARTDRECK.EXE
»Application specific
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Boot into safe mode see this symantec article (Scroll down and click on win 98)

delete this file
C:\WINDOWS\SYSTEM\COMHA.DLL

Then run CWshredder as posted above.. reboot and post another hijackthis log...
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Hi Cajun, I'm back.... Since I've never done anything safe mode, I had to print off Symantec's instructions to have a hard copy reference while working... I just want to ask a few stupid questions.
1. after I delete the file in safe mode, do I reboot and reverse the steps for getting into safe mode?
2. is CWShredder run in safe mode?
3. by closing all programs, does that also include my AV, and disconnect from the modem?
4. in safe mode I access the C file windows through the start> ?

Forgive me for asking all these questions, but I am definitely NON tech, and do not want to foul up any more than I have to....
Thanks again...
Valued Contributor

Re: Cajun-Hijackthis log file

1. Just reboot normally.

2. CWShredder can be run in Safe Mode. Running in Safe Mode normally prevents malware from starting giving antispyware programs a better chance of eliminating them. Although in some cases they attach themselves to the Windows Shell and will still load anyway.

3. No windows should be open or minimized. You can continue to run your AV. If you start in Safe Mode, network support is disabled.

4. Use Windows Explorer as you would if in normal mode.
Problem Solver

Re: Cajun-Hijackthis log file

Thanks John, will get to it, and post the hijackthis log...
Problem Solver

Re: Cajun-Hijackthis log file

Hi John, I got into the safe mode, and could not find the COMHA.DLL file in windows\system. Tried it twice, but nothing..... Is this file hiding on me and trying to drive me crazier than I am already? I appreciate any and all the help you can give me in locating this...
Many thanks..
Valued Contributor

Re: Cajun-Hijackthis log file

It could be. Can you boot to DOS instead of Safe Mode? I think there is that option. Or do you have a boot or "rescue" diskette? If yes, boot to DOS and enter these commands:

> C:
> cd \windows\system
> dir comha.dll

See if it lists that DLL. If it does, you can then delete it:

> del comha.dll

If the first dir command finds nothing, try this one:

> dir /a:hs comha.dll
Message was edited by: JohnD
Problem Solver

Re: Cajun-Hijackthis log file

Thanks John, will give a try booting to DOS, I found my original Microsoft Boot Disk, but have one question concerning the use. The Win98 was reinstalled over itself by tech when in shop last week, would my boot disk still work properly?
Thanks again
Problem Solver

Re: Cajun-Hijackthis log file

My computer HATES me.. Going out in the daylight hours to get the biggest sledgehammer I can find!!! I got into DOS and found the blessed DLL on the first dir command and jumped for joy... typed in del comha.dll machine thumbed its nose at me and said ACCESS DENIED... I really want to get this thing now. And am trying very hard to hold my temper in check.....
John, anything you can do to aid me is greatly appreciated. So where do we go from here?

Thanks again..
Valued Contributor

Re: Cajun-Hijackthis log file

See if the file has a "Read-Only" attribute.

Enter this DOS command:

attrib comha.dll

If a "R" is listed to the left of it, then do this:

attrib -r comha.dll

Then try to delete it again.
Problem Solver

Re: Cajun-Hijackthis log file

will do..... and will get back... many thanks..
Problem Solver

Re: Cajun-Hijackthis log file

John, the letter that showed was A . I tried deleting but was denied... Oh great leader, where do I go from here..

many thanks
Silver Problem Solver

Re: Cajun-Hijackthis log file

Pardon me for butting in, but I have something that may help. As long as the file is not marked Hidden or System or Read Only, it should delete just fine, unless it's open. Your prior listing in Safe Mode shows a rundll32 process that might be the culprit here. I would recommend doing the following:

1. Go to http://www.sysinternals.com and download the pslist and pskill tools. pslist will list the running processes on the system. pskill will terminate a process based on process id (which you get from pslist).

2. Reboot in safe mode. Run pslist and see if the rundll32 process is running. If so, note its process ID (or Pid), and then run "pskill ". For example, if the rundll32 process is pid 659, then the command would be "pskill 659".

3. Now try deleting the comha.dll file.

More advanced operating systems like XP and 2K have built in ways of killing a process, but I don't believe Win98 comes with such a tool (that I can recall, anyway).
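The reasoning behind the two findings above (the COMHA.DLL autostart entry and the running rundll32 process that keeps the file locked) can be reproduced from the StartDreck log itself. The following is an added example, not part of the original thread and not code from StartDreck; the log excerpt is copied from the post above, and the allowlist `KNOWN_RUNDLL32_DLLS` is an assumption made for this example.

```python
import ntpath
import re

# Excerpt of the StartDreck log posted in this thread (tree indentation was
# already lost in the post, so nesting is tracked by the last "»" header).
STARTDRECK_LOG = r"""
»Registry
»Run Keys
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*CriticalUpdate=C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
**edmk=rundll32 C:\WINDOWS\SYSTEM\COMHA.DLL,StreamingDeviceSetup
»Files
»System/Drivers
»Running Processes
*FFFD41B3=C:\WINDOWS\RUNDLL32.EXE
*FFFEB85B=C:\WINDOWS\EXPLORER.EXE
"""

# Assumption for this example: DLLs expected to be launched through rundll32
# on this machine. Anything else is reported for a human to look at.
KNOWN_RUNDLL32_DLLS = {"powrprof.dll"}

ENTRY = re.compile(r"^\*+([^=]+)=(.*)$")
# Matches "rundll32 <dll>,<export>", with or without a path and ".exe".
RUNDLL32 = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+?),(\S+)',
                      re.IGNORECASE)


def parse_startdreck(text):
    """Return (section, name, value) for every '*name=value' line."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("»"):
            section = line[1:].strip()
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((section, m.group(1), m.group(2)))
    return entries


def triage(text):
    """Flag rundll32 autostarts with an unexpected DLL, and report whether
    a rundll32 process is running (which would keep that DLL open)."""
    entries = parse_startdreck(text)
    suspects = []
    for section, name, value in entries:
        m = RUNDLL32.match(value)
        if not m:
            continue
        dll = ntpath.basename(m.group(1).strip('"')).lower()
        if dll not in KNOWN_RUNDLL32_DLLS:
            suspects.append((section, name, dll, m.group(2)))
    running = {ntpath.basename(value).lower()
               for section, _, value in entries
               if section == "Running Processes"}
    return {"suspects": suspects,
            "rundll32_running": "rundll32.exe" in running}


if __name__ == "__main__":
    result = triage(STARTDRECK_LOG)
    for section, name, dll, export in result["suspects"]:
        print(f"{section}: {name} -> {dll} (export {export})")
    print("rundll32 running:", result["rundll32_running"])
```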
Silver Problem Solver

Re: Cajun-Hijackthis log file

Another tool to use here is listdlls. This program lists which DLL's are currently loaded by which process, which is extremely useful information in this context. You can also get this tool from http://www.sysinternals.com as well. They have tons of cool stuff there. Just be careful, some of those tools are very sharp implements. Used improperly and you can lop off a finger, neat and quick. Ouch. :-)
Silver Problem Solver

Re: Cajun-Hijackthis log file

I was just up there looking and pskill and pslist are not listed as working on Win98. But I have seen others mention using them there, so I guess it can't hurt to try. If not, the Process Explorer tool can do this on Win98.
Problem Solver

Re: Cajun-Hijackthis log file

Constructive help is not considered butting in, and from what I've seen here in the forums, you have been very helpful Baric.. I'm going to print off your instructions, take a nap, (24hrs with only 45min catnap) and then give it a try.. The birds are chirping away, hopefully they'll lull me off to sleep:-)

Thanks for your assistance
Silver Problem Solver

Re: Cajun-Hijackthis log file

Yep, sun's coming up here as well. That means it's bed time.
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Blujay,

Since the simple delete is not working, I will shortly provide you with a link to a different way of deleting the file.. (the site is currently down for maintenance but messages say it should be up within the hour)
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Good morning/afternoon, Cajun... I was down for a while myself, so I'll wait for any new info from you.... I'll list a few strange things that have been happening, could they be contributing to or causing my problems.
1.illegal operation box for WUCRTUPD at Kernel32.DLL
2.machine starting up in SafeMode on its own, after shutdown
3.I have the Big Fix program on my computer, this morning I checked it and have a number of critical updates or fixes for Win98.. Should I download these or hold off for now.

I have not yet checked out the sites that Baric mentioned. Should I go ahead and follow his instructions or wait for you.. I truly appreciate all the help being given.

thanks again.
Bronze Problem Solver

Re: Cajun-Hijackthis log file

You may try what Baric suggested.. The site where I could download another tool that is tailored for this is down..
I am unsure if they will work but I believe they will...

You may have to wait some time for the correct fix (I think they (spywareinfo forums)) will be back up by tonight if nothing else works...
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Thanks Cajun, will try the pskill first... Just for clarification, Item 3 on Baric's post, "now try deleting the comha.dll file", do I do that in Safe Mode, where I'll be for the pskill, or do I reboot and go to DOS mode as I had done before?
Sorry for all these obviously dumb questions, But I think you folks are working hard enough with me and I hate to make more work for you than I have...
Thanks again..
Bronze Problem Solver

Re: Cajun-Hijackthis log file

I would do it in safe mode.. It's more likely to be deletable there...
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

THANKYOU, THANKYOU
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Does that mean it worked??!!!??? If so did you delete it..

If you did you will still need to run cwshredder and ad-aware once more.. (in safe mode again preferably then reboot and post one more log)...
TANSTAAFL!!


Silver Problem Solver

Re: Cajun-Hijackthis log file

Yes, do it in safe mode immediately after you kill the process. If the rundll32 process does not exist, then run listdlls and save the output to a file and see if comha.dll is listed, note what process it's loaded by and post that.
Silver Problem Solver

Re: Cajun-Hijackthis log file

I'm curious also...
Problem Solver

Re: Cajun-Hijackthis log file

Hi, I'm back.. Sorry I didn't answer earlier, I was off reading info on the Sysinternals site, downloaded just the listdlls tool, and the Process Explorer tool. Got into Safe Mode. I got some sort of message that it was unsafe to run the listdlls tool in safe mode, so I got out and figured to run it normally.... That thing flashed by so fast I couldn't read a thing, tried to find some sort of instructions for slow down, and or save but seemed to be unlucky there too. Then gave Process Explorer tool a try. ditto.. At that point, I left the computer totally shell shocked and worn out. A little while ago I figured "what the H", will download the pskill info, even tho it was not for W98. I couldn't get to the site... tried 2x but no luck.
Every time that I come here to check and post to the forum I keep getting popups that I have spyware on my computer..
Right now I am at a loss at what to do. Should I repeat any steps, i.e. adaware, spybot, or hijackthis?
I'll keep trying to download the pskill tool.....

Again, I am very grateful for your help and assistance in this nightmare....
Silver Problem Solver

Re: Cajun-Hijackthis log file

Running any command line tool, it's easy to capture the output. At the command line, simply run "listdlls >dlls.txt". The > command option tells the command prompt to save the output in a file called "dlls.txt". You can then open this file to read it, edit it, etc. Not sure why listdlls would be unsafe in Safe Mode (!). Process Explorer has the same warning?
Problem Solver

Re: Cajun-Hijackthis log file

The message said something about messing up the monitor, I think...... I was really out of it at that time, and when things did not proceed as I wanted I left.. The Process Explorer was used in my normal mode I didn't try it in Safe Mode..
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Blujay,
finally the site with the correct fix for this for win 98 is up... So
=== Step 2b === (better)
Download: "Win98Fix.zip" from here:
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip to its own folder.

Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.

The bad file should now be visible so you can delete it.
Browse to <>.
Right click select 'Properties' and remove any 'Read only' protection.
Right click again and select 'Delete'.

(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)
=== end fix ====
You will still need to run cwshredder and Ad-aware after you finish...
TANSTAAFL!!


Silver Problem Solver

Re: Cajun-Hijackthis log file

I wonder what this guy is doing, under the covers...?
Problem Solver

Re: Cajun-Hijackthis log file

ROFOL--:-):-) When we get him, he won't be doing it anymore, anytime, anywhere......
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Blujay.. Look at my last post.. follow those instructions please???
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Thanks Cajun, Printed off all instructions..... going to go give it a try, on the way will be stopping at every place of worship in town to say a prayer or two.... When I complete and run cwshredder, and ad-aware, is there anything else I should do before reporting back here?

Many, many thanks
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Nope, just post a hijackthis log...... and the win98fix thing (first) as well...
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

OK..... going off to follow printed instruction, hopefully will be back with good news....
Problem Solver

Re: Cajun-Hijackthis log file

Hey Cajun, I love,love,love you!! Got rid of the comha.dll file, it was right there after I did the RunFix.reg file.. It was an archive and not a Read only.
There didn't seem to be anything to save or generate for a log... Here is my last hijackthis log. Did you want to see the Ad-Aware log also. I did a scan only on cwshredder.


Logfile of HijackThis v1.97.7
Scan saved at 9:43:55 PM, on 6/19/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.com"); (C:\Program Files\Netscape\Users\sunny2\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (disabled by BHODemon)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {81AA793C-BFD2-11D8-8C13-00A00F8CC513} - C:\WINDOWS\SYSTEM\EAOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: SysTray.Exe
O4 - HKLM\..\Run: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: mstask.exe
O4 - HKLM\..\RunServices: "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O15 - Trusted Zone: www.netscape.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38126.7990972222

I guess I need to know what to get rid of now...

Are we almost there..

THANK YOU THANK YOU THANK YOU..
Valued Contributor

Re: Cajun-Hijackthis log file

Hi BluJay,

I'm back. You have a nasty About:Blank hijack. As you have found out, these can be very difficult to get rid of. We will see if we can get rid of what remains.

Close all applications and run another HijackThis scan. Check the box next to the following items. When all are checked, click the "Fix checked" button. When completed, close HijackThis. Then reboot your system. When it boots up, run CWShredder and choose "Fix" not "Scan". Reboot again. Then run Ad-aware, fix what it finds. Reboot again. Finally, run another HijackThis scan and post the new log.

Fix these:

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

---> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


I cannot find any info on this. Please right-click on it and bring up its "Properties" / "Version" and see who created it. If it is not from a good outfit, you can "fix" this also. We might want to "fix" this in case there is any question. You can always reinstate it if need be.

---> O2 - BHO: (no name) - {81AA793C-BFD2-11D8-8C13-00A00F8CC513} - C:\WINDOWS\SYSTEM\EAOK.DLL
Problem Solver

Re: Cajun-Hijackthis log file

After last night's marathon, I'm going to call it a night and hit the pillow. You gentlemen have my undying gratitude for all the help and hand holding getting me to this stage of the game, which was get that comha.dll file and send it to the beyond. Since I'm about as knowledgeable as 2 yr old, I'll await your recommendations as to what to delete from the Hijackthis file.. No way am I gonna touch that alone....

Again, many, many thanks to Cajun, Baric, and JohnD, you are the greatest.

Happy Father's Day to you all--
Problem Solver

Re: Cajun-Hijackthis log file

Well John, you caught me..... I'll print this off and do the work tomorrow. Before the kids arrive for their father.
Thanks for your help..
Have a Great Day tomorrow...
Problem Solver

Re: Cajun-Hijackthis log file

Hi John, I had no problems running the 1st hijackthis, or cwshredder, did the required reboots. Ad-aware gave me problems, it got hung up and stopped 3/4 way through, I rebooted, ended up in safe mode, rebooted again and called it a night... Today, I rebooted and ran Ad-aware, again it stopped around the same point, I rebooted and was successful the second time. You said to "fix" what I find, couldn't find any fix button, checked the help manual, tried to quarantine all, but that didn't work. Well then I rebooted again, ran another hijackthis and the log follows... Have I confused the issue in any way?
What am I doing wrong?
Thanks again for all your help..
p.s. don't know what happened, but I can now play FreeCell. The W98fix that Cajun had me download??





Logfile of HijackThis v1.97.7
Scan saved at 6:32:44 PM, on 6/20/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.netscape.com"); (C:\Program Files\Netscape\Users\sunny2\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (disabled by BHODemon)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: SysTray.Exe
O4 - HKLM\..\Run: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: mstask.exe
O4 - HKLM\..\RunServices: "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O15 - Trusted Zone: www.netscape.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38126.7990972222
Valued Contributor

Re: Cajun-Hijackthis log file

To fix things in Ad-aware, after you run the scan, there should be a "Next" button at the bottom. That takes you to the "fix" process.

It looks like something removed that EAOK.dll line from the log. That's good. I was very suspicious of it. I think it was related to the About:Blank hijack. It's one of the latest variants.

Have HijackThis remove these lines and then reboot and run another scan.

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

---> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

If these return, then we still have a hidden .dll that is regenerating them.
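The check described in the post above (did the flagged search-page entries come back, and which lines disappeared between scans) can be automated by comparing two HijackThis logs. This is an added example, not part of the original thread and not HijackThis code; the two excerpts are shortened from the 6/19 and 6/20 logs posted above, and the rule in `is_redirect` (an R0/R1 value set to a local `file://` page or `about:blank`) is an assumption based on the entries the helpers asked to have fixed.

```python
import re

# Shortened excerpts of the 6/19 and 6/20 logs posted in this thread.
BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {81AA793C-BFD2-11D8-8C13-00A00F8CC513} - C:\WINDOWS\SYSTEM\EAOK.DLL
O4 - HKLM\..\Run: C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
"""

AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
"""

# "<code> - <text>" lines; header and process-list lines do not match.
ENTRY = re.compile(r"^(R[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# R-lines have the form "<registry key>,<value name> = <data>".
R_VALUE = re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?) = (?P<data>.*)$")


def parse(log):
    """Return the set of (code, text) entries found in a HijackThis log."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def is_redirect(code, text):
    """True for an R0/R1 value pointing IE at a local file or about:blank."""
    if code not in ("R0", "R1"):
        return False
    m = R_VALUE.match(text)
    if not m:
        return False
    data = m.group("data").strip().lower()
    return data.startswith("file://") or data == "about:blank"


def compare(before, after):
    """Diff two scans: what vanished, what is new, which redirects persist."""
    b, a = parse(before), parse(after)
    return {
        "removed": sorted(b - a),
        "new": sorted(a - b),
        "persisted_redirects": sorted(e for e in b & a if is_redirect(*e)),
    }


if __name__ == "__main__":
    report = compare(BEFORE, AFTER)
    for label, items in report.items():
        print(label)
        for code, text in items:
            print(f"  {code} - {text}")
```

Entries listed under `persisted_redirects` after a fix and reboot are the case the post calls regeneration; entries under `removed` show what a cleanup tool actually took out between scans.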
Bronze Problem Solver

Re: Cajun-Hijackthis log file

You did delete the file right (the dll file)?
If you did, close all browser windows and have hijackthis fix these..


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html



R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Reboot and let's see where we are..

You may need to set your home page back to http://comcast.net
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Hey there Cajun, yes, the elusive dll was successfully removed with that w98fix you had me download.. thanks for the info on where the fix button is in on adaware. The eaok.dll was removed on recommendation of JohnD, above. I was in IE before, and changed the homepage back to Comcast. I'm dancing a jig here, It was there when I loaded IE. WHOOPIEEEEEE!!!!:-):-) Happy not to see that blasted about:blank home page!! Will print off your instructions and get back......

THANK YOU, THANK YOU XOXOOXOXO
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Good deal.. May want to post one more hijackthis log.. Just so we can be darned sure it fixed...
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Cajun, before I run the hijackthis, should I do another ad-aware scan and "fix" all that show up in the box, or just do the hijackthis??

Thanks again
Bronze Problem Solver

Re: Cajun-Hijackthis log file

Yes if you can.. You may want to try running ad-aware in safe mode...
TANSTAAFL!!


Problem Solver

Re: Cajun-Hijackthis log file

Cajun, will give it a shot, ad-aware in safe mode and hijackthis in regular mode?