Jump to content


Photo

morgan.cc, webdialer, about:blank and .dll hijack


  • Please log in to reply
3 replies to this topic

#1 anonymous_coward

anonymous_coward

    Member

  • New Member
  • Pip
  • 2 posts

Posted 09 June 2004 - 12:20 AM

a ruthless hijack this one is. Normally i can get rid of them, but this one to no avail. Spybot says:

Error during check!: Common hijacker (Datei C:\WINDOWS\System32\drivers\etc\hosts kann nicht ge÷ffnet werden. The process cannot access the file because it is being used by another process) ()
 

WebDialer: Settings (Registry value, nothing done)
  HKEY_USERS\S-1-5-21-95811027-857070503-2660678412-1005\Software\Microsoft\Internet Explorer\Main\HOMEOldSP


my HiJack this log looks like this (deleting them does nothing, it comes back):

Logfile of HijackThis v1.97.7
Scan saved at 12:17:53 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISS\BlackICE\blackd.exe
D:\Programs Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\AGRSMMSG.exe
D:\Programs Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\ISS\BlackICE\blackice.exe
D:\PROGRA~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Unreal3.2\wircd.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\steve\Desktop\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fof.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fof.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fof.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fof.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fof.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fof.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=12.111.76.1:80
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {744C9851-68E6-41D6-B82B-3454B6B62F9C} - C:\WINDOWS\System32\fof.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programs Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programs Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [FamilyKeyLogger] C:\Program Files\FamilyKeyLogger\cisvc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ntldr] C:\WINDOWS\System32\ntldr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab


and pretty much AdAware finds nothing....

I tried the 'follow along' about downloading Registrar Lite, and killbox - but once killbox restarted my computer (after deleting the .dll file) all the spyware stuff was still there. However, registrar lite shows no .dll file in the Value of that registry specified in the follow along.

I think im hammered pretty good, can you guys help?!

#2 anonymous_coward

anonymous_coward

    Member

  • New Member
  • Pip
  • 2 posts

Posted 09 June 2004 - 06:20 PM

still searching if anyone has a resolution

#3 meso

meso

    Member

  • New Member
  • Pip
  • 1 posts

Posted 18 June 2004 - 06:37 AM

I'm running win98 and had this problem (or similar) with the blank:about page loading up a search window ('search for...'), which actually turned out to be creating C:\windows\temp\sp.html every time I loaded IE.

I found the 'HOMEOldSP' values in the registry too, deleted them, and even deleted the sp.html entries too.

Eventually I found recently created dll's in the C:\windows and c:\windows\system directory (I understand that this hijack changes the names of the dll's)

So I used a program called 'taskinfo' (from www.iarsn.com) to see what currently running processes were using this dll. I closed those processes (most were IE windows), and then deleted registry entries for joeb.dll (the dll name in question, yours may vary), then ran 'regsvr32 /u joeb.dll' and rebooted. My particular blank:about hijack is fixed.

Interestingly enough, the latest reference file from Ad-Aware (as of today) picked up registry key changes as a result of the hijack, but didnt fix the hijack.

Anyhow hope this is of some help to you.

#4 alef-thau

alef-thau

    Member

  • New Member
  • Pip
  • 1 posts

Posted 28 June 2004 - 07:07 AM

It's very easy,

You have to open the dll file "fof.dll" in the folder c:\WINDOWS\System32\ with notepad.
Select all (CTRL+A) delete everything and save
Then edit your registry with regedit and find the line:
O2 - BHO: (no name) - {744C9851-68E6-41D6-B82B-3454B6B62F9C} - C:\WINDOWS\System32\fof.dll and delete it

Or try to find all the line which contain fof.dll and delete it

Restart your computer

After that delete the file c:\WINDOWS\System32\fof.dll

You can delete the file sp.html which is in your temp folder
Change your default page in IE

GO to regedit and delete all the line containing sp.html

That's all :bounce: :bounce:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button