Another sp.html Hijack About: Blank


4 replies to this topic

#1 JMNL

JMNL

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 July 2004 - 08:16 PM

Here is my log. This will not go away. HijackThis, AdAware and CWShredder all delete this but it keeps coming back. :wtf:
Thanks for your help!!!

Logfile of HijackThis v1.98.0
Scan saved at 8:03:20 PM, on 7/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NAVSHEXT.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {2B2B9642-D43D-11D8-81E2-00503DFFAE3A} - C:\WINDOWS\SYSTEM\plmm.dll (disabled by BHODemon)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: ComcastHSI - {B7ECD2E0-A939-11D7-81DD-0050DAB34225} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {B7ECD2E1-A939-11D7-81DD-0050DAB34225} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {B7ECD2E2-A939-11D7-81DD-0050DAB34225} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {08464310-9825-11D2-BFA5-00A0C9AAFC5D} (iecru Class) - http://intelweboutfi...e/icvu/icvu.cab
O16 - DPF: {7AEB674E-4089-11D1-93F0-00A0241763CD} - http://www4.coolsavi...oad/CouponX.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - file://D:\setup\mpie4ful.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central1.clev...everContent.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfr...ll/iftwclix.cab
O16 - DPF: {17490F14-B6E6-11D2-8E5C-0000F87A4946} (MSN Communities Upload Control) - http://content.commu.../cs/msnupld.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.66.155.171....754100OneCC.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....21/cpbrkpie.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish....ishUploader.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://raman.siriuscom.com/iNotes6.cab
O18 - Filter: text/html - {2B2B9641-D43D-11D8-81E2-0050CD2D304D} - C:\WINDOWS\SYSTEM\PLMM.DLL
O18 - Filter: text/plain - {2B2B9641-D43D-11D8-81E2-0050CD2D304D} - C:\WINDOWS\SYSTEM\PLMM.DLL

:techsupport:

#2 JMNL

JMNL

    Member

  • New Member
  • Pip
  • 4 posts

Posted 13 July 2004 - 04:03 PM

Help! please :)

Man, I can't believe how many people are having problems with this!

#3 Guest_splintercell990_*

Guest_splintercell990_*
  • Guests

Posted 13 July 2004 - 04:09 PM

Hello JMNL,

Do this:

1.)
GoTo:
Start>run>Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it and use Edit > Copy and post it here.

2.)
Download: "StartDreck", unzip!
*Don't be f00led by the site's 'unique' interface!!!
http://www.niksoft.a.../startdreck.htm
DoubleClick: 'StartDreck.exe'
Hit: -config
hit: -Unmark all
Check these boxes only:
Registry->run keys
Registry-> Browser helper objects
System/drivers-> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

#4 JMNL

JMNL

    Member

  • New Member
  • Pip
  • 4 posts

Posted 14 July 2004 - 05:30 PM

I hope this is what you were asking for...

1) Window Procedure Comoi.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Comoi.dll C:\WINDOWS\RUNDLL32.EXE

2) StartDreck (build 2.1.5 public BETA) - 2004-07-14 @ 17:20:45
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*NAV CfgWiz=c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
*Installed=1
*Installed=1
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*ccEvtMgr="c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
»RunServicesOnce
**ppot=rundll32 C:\WINDOWS\SYSTEM\COMOI.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{29A86F08-D5B9-11D8-81E2-005055E3B640}
`InprocServer32=C:\WINDOWS\SYSTEM\IPFOBA.DLL
»Files
»System/Drivers
»Running Processes
*FFCFF0B9=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF87DD=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFB06D=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE35F5=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFED505=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
*FFFEC941=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
*FFFE0E49=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFD1325=C:\WINDOWS\RUNDLL32.EXE
*FFFEFBB9=C:\WINDOWS\EXPLORER.EXE
*FFF331DD=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
*FFF33C79=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
*FFF2C2BD=C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
*FFF24409=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF7F565=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF2BF11=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF23845=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»Application specific
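
The three logs in this thread (the HijackThis log in post #1, and the msinfo32 hook line and StartDreck log in post #4) are read by eye in the replies; the script below is an added example for this page that applies the same reading as code. It is not code from any post here, nor from HijackThis, StartDreck or the Win98Fix package. The sample log lines are constructed by abridging the logs posted above; the `Finding` class, the rule names, and the treatment of any DLL that rundll32 or a nameless BHO loads out of \WINDOWS\SYSTEM as suspect are assumptions made for illustration, not something the tools themselves report.

```python
"""Heuristic triage of HijackThis, StartDreck and msinfo32 output for the
about:blank / sp.html hijack in this thread.  Added example for this page, not
code from any post or from HijackThis, StartDreck or Win98Fix; samples are
constructed from the posted logs, and the rule names are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str      # heuristic that fired
    artifact: str  # DLL name or URL the analyst should act on
    line: str      # the log line, verbatim, for the report

# HijackThis R0/R1 ("key,value = data"), O2 (BHO) and O18 (MIME filter) lines.
R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<data>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>[^(]*)", re.I)
O18_LINE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-F-]+\} - (?P<path>.*)$", re.I)
# StartDreck: "*name=command" under a Run* key, "`InprocServer32=path" under a BHO CLSID.
SD_ENTRY = re.compile(r"^\*+(?P<name>[^=]+)=(?P<cmd>.*)$")
SD_INPROC = re.compile(r"^`InprocServer32=(?P<path>.*)$", re.I)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+),", re.I)  # "rundll32 <dll>,<export>"

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()

def in_windows_system(path: str) -> bool:
    return "\\windows\\system\\" in path.lower()  # Win9x system dir, where this hijacker lives

def triage_hijackthis(text: str) -> list[Finding]:
    out: list[Finding] = []
    for line in (l.strip() for l in text.splitlines()):
        if (m := R_LINE.match(line)) and m["data"].lower().startswith("file://"):
            # Search page/assistant pointed at a local HTML file: the sp.html hijack itself.
            out.append(Finding("ie_search_points_to_local_file", m["data"], line))
        elif (m := O2_LINE.match(line)) and m["name"].strip() == "(no name)" and in_windows_system(m["path"]):
            out.append(Finding("unnamed_bho_in_system_dir", basename(m["path"]), line))
        elif (m := O18_LINE.match(line)) and m["mime"].lower() in ("text/html", "text/plain"):
            # A text/html MIME filter sees and can rewrite every page IE renders, and can
            # put the R0/R1 values back after a cleaner has reset them.
            out.append(Finding("mime_filter_on_html", basename(m["path"]), line))
    return out

def triage_startdreck(text: str) -> list[Finding]:
    out: list[Finding] = []
    for line in (l.strip() for l in text.splitlines()):
        if (m := SD_ENTRY.match(line)):
            r = RUNDLL.search(m["cmd"])
            if r and in_windows_system(r["dll"]):
                # Run*/RunServices* value having rundll32 load a system-dir DLL: the boot-time
                # persistence that re-creates the BHO and the filter.
                out.append(Finding("rundll32_loads_system_dll", basename(r["dll"]), line))
        elif (m := SD_INPROC.match(line)) and in_windows_system(m["path"]):
            out.append(Finding("bho_server_in_system_dir", basename(m["path"]), line))
    return out

def triage_msinfo_hooks(text: str) -> list[Finding]:
    # msinfo32 "System hooks" rows as pasted in the thread, whitespace separated (so this
    # assumes no spaces inside the paths): ... <dll> <application> <dll path> <app path>
    out: list[Finding] = []
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) < 4:
            continue
        dll, app, dll_path = parts[-4:-1]
        if app.lower() == "rundll32.exe" and in_windows_system(dll_path):
            out.append(Finding("hook_set_by_rundll32_hosted_system_dll", dll.lower(), " ".join(parts)))
    return out

def implicated_dlls(*finding_lists: list[Finding]) -> set[str]:
    """DLL names implicated across all logs.  Several different names from logs a day
    apart is itself the diagnosis: the component comes back under a fresh name and
    CLSID, so deleting whichever copy a scanner last saw does not end it."""
    return {f.artifact for fl in finding_lists for f in fl if f.artifact.endswith(".dll")}

# Constructed sample input, abridged from the logs posted in this thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {2B2B9642-D43D-11D8-81E2-00503DFFAE3A} - C:\WINDOWS\SYSTEM\plmm.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter: text/html - {2B2B9641-D43D-11D8-81E2-0050CD2D304D} - C:\WINDOWS\SYSTEM\PLMM.DLL
O18 - Filter: text/plain - {2B2B9641-D43D-11D8-81E2-0050CD2D304D} - C:\WINDOWS\SYSTEM\PLMM.DLL
"""
SD_SAMPLE = r"""
»Run
*ccApp="c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Installed=1
»RunServicesOnce
**ppot=rundll32 C:\WINDOWS\SYSTEM\COMOI.DLL,StreamingDeviceSetup
»Browser Helper Objects (LM)
*{29A86F08-D5B9-11D8-81E2-005055E3B640}
`InprocServer32=C:\WINDOWS\SYSTEM\IPFOBA.DLL
"""
HOOKS_SAMPLE = r"Window Procedure Comoi.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Comoi.dll C:\WINDOWS\RUNDLL32.EXE"

if __name__ == "__main__":
    hjt, sd, hk = triage_hijackthis(HJT_SAMPLE), triage_startdreck(SD_SAMPLE), triage_msinfo_hooks(HOOKS_SAMPLE)
    for f in hjt + sd + hk:
        print(f"[{f.rule}] {f.artifact}\n    {f.line}")
    print("DLLs to remove (a different name in each log):", sorted(implicated_dlls(hjt, sd, hk)))
```

Run against the two logs as posted, the report names three different DLLs (plmm.dll from the HijackThis log, comoi.dll and ipfoba.dll from the msinfo32 and StartDreck output a day later), each with its own CLSID. That is the practical point of the thread: the indicators worth keying on are the behaviours (a MIME filter on text/html, a Run*/RunServices* value that has rundll32 load a DLL from the system directory, a nameless BHO), not a file name, which is why HijackThis, AdAware and CWShredder removing "the" file did not make it stay gone.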

#5 Guest_splintercell990_*

Guest_splintercell990_*
  • Guests

Posted 15 July 2004 - 09:35 AM

Download: "Win98Fix.zip" from here:
http://www10.brinkst...last/pvtool.htm

Unzip to its own folder.

Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.

The bad file should now be visible so you can delete it.
Browse to COMOI.DLL.
Right click select 'Properties' and remove any 'Read only' protection.
Right click again and select 'Delete'.

(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)

Good Luck :)
