Jump to content


Photo

Hijacked to "about:blank" and popups


  • This topic is locked This topic is locked
11 replies to this topic

#1 smiggy

smiggy

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 22 May 2004 - 10:45 AM

Hello & "Thank You" in advance to anyone here who has the time to help
me.. I have read the FAQ & I have run SpyBot S & D multiple times...

============

Here's my two problems:

-Every time computer starts up, along with the normal programs that
load, it loads popups that warn me that I have spyware on my computer... These same popups appear often when i'm browsing w/ IE...

-my homepage has been hijacked to "about:blank"

==============

This started happening yesterday... and here's what i've noticed since:

-A file "sysupd.exe" was running as one of my processes, and when i tried to end it, it just made of copy of itself, and when i tried to delete it, it said "file in use, can't delete"... I finally started up in Safe Mode, and deleted this file and the file associated with it.. so that seems to be ok now... using HJT, I also deleted an entry that had "sysupd.exe" in it... and that entry never reappeared, but that did not have any effect on my two above problems...

-Everytime I run SpyBot S & D.. I find two problems...
---"DSO Exploit", w/ 5 'data source object exploit' that all have
-----> "\SOFWARE\MICROSOFT\\WINDOWS\CURRENT\VERSION\INTERNET SETTINGS\ZONES\0\1004!=W=3"
---"WebDailer" w/ 1 'settings' W/
-----> "\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\HOMEOLDSP"
I "fix" these problems... but when I restart and run SpyBot S & D again, they're right back there..

-My HJT log has an entry w/ "about:blank" in it... and I can delete that entry... but when i restart and run HJT again... the "about:blank" entry is right back there...

-I've found two identical *.js files on my computer (one in C:/I386, the other in C:/Windows/System32/OOBE) named "migrate.js" that include the lines:

var g_bMigration = 0;
var gselectedISPIndx = 0;
var gCurrISPURL = "about:blank";
var gpgType = -1;
var gLastProg = 0;
var PAGE_REFDIAL = 0;
var PAGE_ISPLIST = 1;
var PAGE_ISPDIAL = 2;
var PAGE_ISPPAGE = 3;
var PAGE_SERVERR = 4;
var PAGE_REFDRDY = 5;
var PAGE_MIGDRDY = 6;
var PAGE_REGDIAL = 7;

Is the "about:blank" line suspicious??

==================================================

Here's a copy of my HJT Log:

Logfile of HijackThis v1.97.7
Scan saved at 11:28:34 AM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Mike & Nicole Brown\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://dashboard.zoo...n.com/register/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {ABFF8FEF-FB24-4C8E-A566-DBEDCC44C667} - C:\WINDOWS\System32\nncf.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken Deluxe 2000\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8129.2724074074


I am totally frustrated and would deeply appreciate your help! Thanks!

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 22 May 2004 - 11:20 AM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.
Posted Image

#3 smiggy

smiggy

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 22 May 2004 - 11:51 AM

=================

Using Registrar Lite, for value name "AppInit_DDLs ", the value is:

C:\WINDOWS\System32\comaio.dll

=================

Thanks for your help Daemon!

#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 22 May 2004 - 11:58 AM

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Right-click on the Windows key in the left pane and rename it to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

DoubleClick "Appinit_Dlls" value on right pane and erase the data in the 'Value' box at the the bottom of the new pane. The data to remove will be:

"C:\WINDOWS\System32\comaio.dll", hit 'Apply' and 'Ok' to set.

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the comaio.dll in C:\WINDOWS\System32.

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

Copy and paste this into the 'From' box: C:\WINDOWS\System32\comaio.dll
Copy and paste this into the 'To' box: C:\Junk\comaio.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the next steps.
Posted Image

#5 smiggy

smiggy

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 22 May 2004 - 01:18 PM

No More Popups!! IE still opened to "about:blank", but the webpage that was displayed is now gone, and just a blank white screen remains!... Wow that's a relief! :)

CWShredder said:
-"CWS: Searchx = Removed" &
-"Restoring IE Pages = restored 6 pages"

Here's the new log:

Logfile of HijackThis v1.97.7
Scan saved at 2:11:02 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Mike & Nicole Brown\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://dashboard.zoo...n.com/register/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken Deluxe 2000\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8129.2724074074

Thanks again for all your time & expertise!

#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 22 May 2004 - 02:34 PM

Still a bit more to do. Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done.

Create a new folder called C:\HijackThis, move the HijackThis.exe file into the new folder and run it from there. This is necessary to ensure you have backups should anything go wrong.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Reboot when done, rescan with HJT and post a new log here for a final check over.

Also could you try to delete the C:\Junk folder - this may be difficult, let me know how you get on.
Posted Image

#7 smiggy

smiggy

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 09:26 AM

Good Morning... Thank you again for all your help!

My popups are gone and my homepage has automatically been reset to www.msn.com. I have completed everything you instructed me to do in your last post, except I could not delete my c:/Junk foler with the comaio.dll file in it... I tried doing this under a regular boot and a safe mode boot, but both times the "file was in use"...

Here's my newest log:

Logfile of HijackThis v1.97.7
Scan saved at 10:17:42 AM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mike & Nicole Brown\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://dashboard.zoo...n.com/register/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CF1B24A1-62BF-4642-AB7B-9791A5473086} - c:\windows\system32\nncf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken Deluxe 2000\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken Deluxe 2000\QWDLLS.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8129.2724074074

Many Thanks!!

#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 23 May 2004 - 01:53 PM

Try this - boot into Safe Mode by tapping F8 after the BIOS has loaded. Right-click on the C:\Junk\comaio.dll go to the Security tab>advanced and take ownership giving yourself 'Full control' (preferably to Administrators 'group'). Right-click the C:\Junk folder and hit properties. Click on security tab then the advanced button. Check the box that says reset permissions on all child objects. Hit apply.

You should now be able to delete the file and folder. Let me know how you get on.

Also, renaming the "Windows" key may have modified some security settings. Start Registrar Lite. Copy and paste the following text into the Address Bar and press 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Right Click on the purple Windows folder in the left pane.
Select 'Properties'.
Press 'Permissions'.
Press 'Advanced'.
Remove Check Mark from 'Inherit permissions...'.
Press 'Copy'.
Highlight the group 'Everyone' (note: if this group does not exist then exit Reglite)
Select 'Remove'.
Press 'Apply' and 'OK' on all dialog boxes.
Posted Image

#9 smiggy

smiggy

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 02:43 PM

Daemon, thank you so much for your help!

Following your instructions, i've deleted the shady comaio.dll file... and I also followed your instructions in Registrar Lite, and didn't find the group "everyone".. but exited anyways, as you said to.

My computer is back to normal and I couldn't be happier with it! I assume there's nothing more I need to do??

I'm so happy I'm considering making a donation (in your name & honor) to SpywareInfo.com

Thanks again, and let me know if I can do anything for you! :)

#10 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 23 May 2004 - 02:57 PM

You're welcome - glad to help :D

With only HJT running, have it fix these items then you will be good to go:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\nncf.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {CF1B24A1-62BF-4642-AB7B-9791A5473086} - c:\windows\system32\nncf.dll (file missing)


Have a look at Tony's article here, contains a lot of useful recommendations on staying clean:

So how did I get infected in the first place?
Posted Image

#11 smiggy

smiggy

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 May 2004 - 06:00 PM

Thanks Again! I'm sure my registry hasn't been this clean in a while... Thanks! :)

#12 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 23 May 2004 - 06:03 PM

You're welcome - glad to help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button