• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
comicscotty477

HOMEPAGE HIJACK 2 about.com

4 posts in this topic

Hi there

 

This is a continuation of an existing problem that I hadposted on the old board.

 

My homepage has been hijacked to 'about.com', and has resisted all my efforts to get rid of it.

 

Trusted advisor OLTramp was kindly helping me out in the prevoius thread and took the time to let me know about a new fix for the problem using dllfix.

 

 

 

He asked me to post the dllfix output.txt and logs.txt and a new hijackthis log, so here they are.

 

OUTPUT TEXT:

 

--===**'FIND-ALL' VERSION 3, 5/11**===--

 

 

Sun May 16 03:08:07 2004 -- Results:

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "WINXP" (245E:18FB) - FS:FAT clusters:8k

Total: 10 000 343 040 [9.3G] - Free: 5 473 124 352 [5.1G]

 

 

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COMNFO.DLL +++ File read error

\\?\C:\WINDOWS\System32\COMNFO.DLL +++ File read error

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F1B9A9A-5DE5-4698-A0D3-14D1FB06A245}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{21E356C0-AA84-451A-864D-047CB4DDA714}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{21E356C0-AA84-451A-864D-047CB4DDA714}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

LOGS TEXT:

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

 

Sun May 16 03:08:29 2004 -- Results:

Backing up Registry Hive

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

Running from C:\ANTI MALAWARE PROGS\dllfix

Scanning for bad files in system32 1st pass

File found was: C:\WINDOWS\System32\COMNFO.DLL

Md5 Check of C:\WINDOWS\System32\COMNFO.DLL

 

File was found but md5 didnt match

MD5 was: 1DE9A8E24C8260067A479B09577D9CAE

Resetting file attributes

File was zipped for submission to Shadowwar

File is located at C:\ANTI MALAWARE PROGS\dllfix\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.

 

LATEST HIJACKTHIS LOG:

 

Logfile of HijackThis v1.97.7

Scan saved at 04:20:15, on 16/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Creative\ShareDLL\MediaDet.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"

O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

 

Thanks for looking. I'm sure that there will be quite a few members with a similar problem hoping (as I am) that this fix works and gets rid of the hijack for good :)

Share this post


Link to post
Share on other sites

:):):):):):)

 

Well so far so good. I've rebooted my machine a few times and the homepage is still what I want it to be. Normally it reverts back to about.com straight after I switch the PC on.

 

The new dllfix appears to have had a positive effect :D

 

There's still a few dodgy lines on my hjt log, such as these,

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

 

 

The bocnbaa.dll was one of the things that Ad-aware 6.0 isolated as being a coolweb infection.

 

If there are any helpers looking at this can you let me know if I should be doing anything with hjt?

 

Thanks in advance.......

Share this post


Link to post
Share on other sites

Hi Scotty

Sorry it took so long but there were board changes,etc.

First hit ctrl,alt,del and end task on C:\WINDOWS\System32\MSZTCE.EXE

Close all browsers and rerun HJT. Check and click fix checked for the following-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\bocnbaa.dll/sp.html (obfuscated)

O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE

Restart your computer in safe mode ,show all hidden files and delete-

C:\WINDOWS\System32\MSZTCE.EXE<=File

According to dvk01 it may be hard to find. Look here for hints opn finding it.

http://www.wilderssecurity.com/showthread....5089#post165089

Hopefully that is it. B)

Share this post


Link to post
Share on other sites

Due to the time passed without a response to this topic, I will be closing it. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0