smiggy

Hijacked to "about:blank" and popups

12 posts in this topic

Hello & "Thank You" in advance to anyone here who has the time to help me.. I have read the FAQ & I have run SpyBot S & D multiple times...

 

============

 

Here's my two problems:

 

-Every time the computer starts up, along with the normal programs that load, it loads popups that warn me that I have spyware on my computer... These same popups appear often when I'm browsing w/ IE...

 

-my homepage has been hijacked to "about:blank"

 

==============

 

This started happening yesterday... and here's what I've noticed since:

 

-A file "sysupd.exe" was running as one of my processes, and when I tried to end it, it just made a copy of itself, and when I tried to delete it, it said "file in use, can't delete"... I finally started up in Safe Mode, and deleted this file and the file associated with it.. so that seems to be ok now... using HJT, I also deleted an entry that had "sysupd.exe" in it... and that entry never reappeared, but that did not have any effect on my two above problems...

 

-Every time I run SpyBot S & D.. I find two problems...
---"DSO Exploit", w/ 5 'data source object exploit' that all have
-----> "\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\0\1004!=W=3"
---"WebDialer" w/ 1 'settings' w/
-----> "\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\HOMEOLDSP"

I "fix" these problems... but when I restart and run SpyBot S & D again, they're right back there..

 

-My HJT log has an entry w/ "about:blank" in it... and I can delete that entry... but when I restart and run HJT again... the "about:blank" entry is right back there...

 

-I've found two identical *.js files on my computer (one in C:\I386, the other in C:\Windows\System32\OOBE) named "migrate.js" that include the lines:

var g_bMigration = 0;
var gselectedISPIndx = 0;
var gCurrISPURL = "about:blank";
var gpgType = -1;
var gLastProg = 0;
var PAGE_REFDIAL = 0;
var PAGE_ISPLIST = 1;
var PAGE_ISPDIAL = 2;
var PAGE_ISPPAGE = 3;
var PAGE_SERVERR = 4;
var PAGE_REFDRDY = 5;
var PAGE_MIGDRDY = 6;
var PAGE_REGDIAL = 7;

 

Is the "about:blank" line suspicious??

 

==================================================

 

Here's a copy of my HJT Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:28:34 AM, on 5/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Documents and Settings\Mike & Nicole Brown\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://dashboard.zoomtown.com/register/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {ABFF8FEF-FB24-4C8E-A566-DBEDCC44C667} - C:\WINDOWS\System32\nncf.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken Deluxe 2000\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8129.2724074074

 

 

I am totally frustrated and would deeply appreciate your help! Thanks!

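As an added example (my code, not part of this thread or of HijackThis), here is a small Python triage script that applies the same heuristics the helper uses on this log: R0/R1 values that point at a res:// page inside a DLL under \WINDOWS (or that HJT marks obfuscated) or that are set to about:blank, and O2 BHOs whose DLL is missing or is the very DLL the hijack points at. The sample lines are a constructed subset of the log above; appinit_dlls takes the AppInit_DLLs value as read out of band (this HJT version does not report it), and nothing here looks at files such as OOBE\migrate.js, which belongs to Windows' Out-of-Box Experience setup scripts rather than to the hijack.

```python
import re
# Constructed sample: a subset of the HijackThis entries posted in this
# thread (same shape as the real log), plus benign lines as controls.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {ABFF8FEF-FB24-4C8E-A566-DBEDCC44C667} - C:\WINDOWS\System32\nncf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

def parse_entries(log_text):
    """Return (kind, body) pairs for R*/O* lines; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def triage(log_text):
    """Apply the thread's heuristics to an HJT log.
    Returns (findings, hijack_dlls): a list of (kind, reason, entry) tuples and
    the lower-cased DLL paths the hijacked R0/R1 values point into.
    """
    entries = parse_entries(log_text)
    findings, hijack_dlls = [], set()
    # Pass 1: IE start/search values (R0/R1).
    for kind, body in entries:
        if kind not in ("R0", "R1") or " = " not in body:
            continue
        value = body.split(" = ", 1)[1].strip()
        m = RES_DLL_RE.search(value)
        if m and "\\windows\\" in m.group("dll").lower():
            # res:// serves HTML out of a DLL's resources: a CWS-style hijack.
            hijack_dlls.add(m.group("dll").lower())
            findings.append((kind, "res:// page served from a DLL under \\WINDOWS", body))
        elif "(obfuscated)" in value.lower():
            findings.append((kind, "HJT flagged the value as obfuscated", body))
        if value.lower() == "about:blank":
            findings.append((kind, "start/search value set to about:blank", body))
    # Pass 2: Browser Helper Objects (O2), which load into every IE process.
    for kind, body in entries:
        m = BHO_RE.match(body) if kind == "O2" else None
        if not m:
            continue
        path = m.group("path").strip().lower()
        if path == "(no file)" or "(file missing)" in path:
            findings.append((kind, "orphan BHO: CLSID registered but DLL absent", body))
        elif path in hijack_dlls:
            findings.append((kind, "BHO loads the same DLL the R0/R1 hijack points at", body))
    return findings, hijack_dlls

def appinit_dlls(value):
    """Split an AppInit_DLLs value (as pasted from Registrar Lite) into DLL paths.
    HJT 1.97.7 does not list this value, so it is read separately; Windows
    accepts space- or comma-separated entries (paths with spaces unsupported here).
    """
    return [p for p in re.split(r"[\s,]+", value.strip()) if p]

if __name__ == "__main__":
    for kind, reason, entry in triage(SAMPLE_LOG)[0]:
        print(f"[{kind}] {reason}\n    {entry}")
    print("AppInit_DLLs:", appinit_dlls(r"C:\WINDOWS\System32\comaio.dll"))
```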

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.


=================

 

Using Registrar Lite, for value name "AppInit_DLLs", the value is:

 

C:\WINDOWS\System32\comaio.dll

 

=================

 

Thanks for your help Daemon!


Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Right-click on the Windows key in the left pane and rename it to something else - for example:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

 

DoubleClick the "Appinit_Dlls" value on the right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be:

 

"C:\WINDOWS\System32\comaio.dll", hit 'Apply' and 'Ok' to set.

 

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the comaio.dll in C:\WINDOWS\System32.

 

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\comaio.dll

Copy and paste this into the 'To' box: C:\Junk\comaio.dll

 

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the next steps.


No More Popups!! IE still opened to "about:blank", but the webpage that was displayed is now gone, and just a blank white screen remains!... Wow that's a relief! :)

 

CWShredder said:

-"CWS: Searchx = Removed" &

-"Restoring IE Pages = restored 6 pages"

 

Here's the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 2:11:02 PM, on 5/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\Documents and Settings\Mike & Nicole Brown\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://dashboard.zoomtown.com/register/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken Deluxe 2000\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8129.2724074074

 

Thanks again for all your time & expertise!


Still a bit more to do. Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done.

 

Create a new folder called C:\HijackThis, move the HijackThis.exe file into the new folder and run it from there. This is necessary to ensure you have backups should anything go wrong.

 

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

 

Reboot when done, rescan with HJT and post a new log here for a final check over.

 

Also could you try to delete the C:\Junk folder - this may be difficult, let me know how you get on.


Good Morning... Thank you again for all your help!

 

My popups are gone and my homepage has automatically been reset to www.msn.com. I have completed everything you instructed me to do in your last post, except I could not delete my C:\Junk folder with the comaio.dll file in it... I tried doing this under a regular boot and a safe mode boot, but both times the "file was in use"...

 

Here's my newest log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:17:42 AM, on 5/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\wanmpsvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Mike & Nicole Brown\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://dashboard.zoomtown.com/register/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {CF1B24A1-62BF-4642-AB7B-9791A5473086} - c:\windows\system32\nncf.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken Deluxe 2000\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8129.2724074074

 

Many Thanks!!


Try this - boot into Safe Mode by tapping F8 after the BIOS has loaded. Right-click on C:\Junk\comaio.dll, go to the Security tab > Advanced and take ownership, giving yourself 'Full control' (preferably to the Administrators group). Right-click the C:\Junk folder and hit Properties. Click on the Security tab, then the Advanced button. Check the box that says "Reset permissions on all child objects". Hit Apply.

 

You should now be able to delete the file and folder. Let me know how you get on.

 

Also, renaming the "Windows" key may have modified some security settings. Start Registrar Lite. Copy and paste the following text into the Address Bar and press 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Right Click on the purple Windows folder in the left pane.

Select 'Properties'.

Press 'Permissions'.

Press 'Advanced'.

Remove Check Mark from 'Inherit permissions...'.

Press 'Copy'.

Highlight the group 'Everyone' (note: if this group does not exist then exit Reglite)

Select 'Remove'.

Press 'Apply' and 'OK' on all dialog boxes.


Daemon, thank you so much for your help!

 

Following your instructions, I've deleted the shady comaio.dll file... and I also followed your instructions in Registrar Lite, and didn't find the group "Everyone".. but exited anyways, as you said to.

 

My computer is back to normal and I couldn't be happier with it! I assume there's nothing more I need to do??

 

I'm so happy I'm considering making a donation (in your name & honor) to SpywareInfo.com

 

Thanks again, and let me know if I can do anything for you! :)


You're welcome - glad to help :D

 

With only HJT running, have it fix these items then you will be good to go:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {CF1B24A1-62BF-4642-AB7B-9791A5473086} - c:\windows\system32\nncf.dll (file missing)

 

Have a look at Tony's article here, contains a lot of useful recommendations on staying clean:

 

So how did I get infected in the first place?


You're welcome - glad to help :D

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
