About:blank Hijack - Please Help!


This topic is locked
14 replies to this topic

#1 melvindog (New Member, 9 posts)

Posted 07 May 2004 - 04:47 PM

I cannot get rid of the about:blank hijacking that keeps redirecting my browser window (and the associated pop-up that helpfully directs me to buy spyware). Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 6:16:41 PM, on 5/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\YKK USA INC\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSSQL2000\Binn\sqlservr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\S3trayhp.exe
C:\WINNT\essspk.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 32.84.234.130 NUM1ISL0
O1 - Hosts: 32.84.234.131 NUMANS00
O1 - Hosts: 32.84.234.132 NUMAFTF0
O1 - Hosts: 32.84.234.133 NUMAISF0
O1 - Hosts: 32.84.234.134 BNNCAH01
O1 - Hosts: 32.84.234.135 NUMAHQL0
O1 - Hosts: 32.84.234.136 NUMAHQF0
O1 - Hosts: 32.84.234.133 NUMAISL0
O1 - Hosts: 32.84.234.138 NUMCNS01
O1 - Hosts: 32.84.234.139 NUMCNSF0
O1 - Hosts: 32.84.234.141 NUCHISL0
O1 - Hosts: 32.84.234.142 NUCHISF0
O1 - Hosts: 32.84.234.143 NULYISL0
O1 - Hosts: 32.84.234.144 NULYISF0
O1 - Hosts: 32.84.234.145 NUANISL0
O1 - Hosts: 32.84.234.146 NUANISF0
O1 - Hosts: 32.84.234.148 YKKUSAATL
O1 - Hosts: 32.84.234.147 NADBNS02
O1 - Hosts: 32.84.234.137 NAATTCS1
O2 - BHO: (no name) - {6BC07EC7-2266-467B-9E91-9307084C5BA5} - C:\WINNT\system32\ogfh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Global Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: YKK USA INC VPN Client.lnk = C:\Program Files\YKK USA INC\VPN Client\ipsecdialer.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8043.5428472222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YKKNCA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = YKKNCA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = YKKNCA.COM

Any help would be appreciated!

melvindog
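Added example, not part of the original post: a small Python parser for the HijackThis R0/R1 and O2 lines in the log above. It ties the res:// search-page entries, the leftover HomeOldSP = about:blank and the nameless BHO back to the same DLL, which is the pattern a reviewer looks for in this kind of log. The sample lines are copied from the log; the scoring rules are this example's own.

```python
"""Flag the about:blank / res:// search hijack pattern in HijackThis log lines.

Added example, not code from the thread or from HijackThis. The sample lines
are a subset of the log posted above; the heuristics are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ogfh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {6BC07EC7-2266-467B-9E91-9307084C5BA5} - C:\WINNT\system32\ogfh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)


def parse_hijackthis(text):
    """Return (search_settings, bhos) from HijackThis R0/R1 and O2 lines."""
    settings, bhos = [], []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            settings.append((m.group("key").strip(), m.group("value").strip()))
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append((m.group("name"), m.group("clsid"), m.group("path").strip()))
    return settings, bhos


def find_about_blank_hijack(text):
    """Map each suspicious DLL path (lower-cased) to the reasons it looks like the hijacker.

    Rules (this example's own, taken from what the posted log shows):
      * a search setting pointing at res://<dll>/... is a resource-hosted search page;
      * HomeOldSP = about:blank is the leftover of the hijacked start page;
      * a BHO with "(no name)", or one loading a DLL already seen, ties the loader to it.
    """
    settings, bhos = parse_hijackthis(text)
    findings = defaultdict(list)
    about_blank = False
    for key, value in settings:
        m = RES_DLL.match(value)
        if m:
            findings[m.group("dll").lower()].append(f"search setting {key} -> {value}")
        if key.endswith("HomeOldSP") and value.lower() == "about:blank":
            about_blank = True
    for name, clsid, path in bhos:
        dll = path.lower()
        if name == "(no name)" or dll in findings:
            findings[dll].append(f"BHO {clsid} ({name}) loads {path}")
    if about_blank:
        for dll in findings:
            findings[dll].append("HomeOldSP still set to about:blank")
    return dict(findings)
```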



#2 melvindog (New Member, 9 posts)

Posted 07 May 2004 - 05:46 PM

BTTT - sorry, I am desperate...

#3 melvindog (New Member, 9 posts)

Posted 07 May 2004 - 09:28 PM

This is the notebook that I got after running the runme.bat, option 1 off of the PV:

Module information for 'Explorer.EXE'

THANKS...

#4 Daemon (Retired Staff-Malware Expert, Authentic Member, 3,521 posts)

Posted 08 May 2004 - 04:43 AM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the following fields:
-Size:
-Value:

#5 melvindog (New Member, 9 posts)

Posted 08 May 2004 - 09:38 AM

Man - this thing has been grinding for about twenty minutes (left panel is shaking like a leaf). Is this OK or should I evacuate? (No results yet..)

#6 Daemon (Retired Staff-Malware Expert, Authentic Member, 3,521 posts)

Posted 08 May 2004 - 09:52 AM

That's not normal - try it again.

#7 melvindog (New Member, 9 posts)

Posted 08 May 2004 - 09:57 AM

OK - now it won't let me put in the last part of the address AppInit_DLLs.

Hmmm....

#8 Daemon (Retired Staff-Malware Expert, Authentic Member, 3,521 posts)

Posted 08 May 2004 - 10:00 AM

Let's try a different approach. Click here and download 'Find-All.zip'. Unzip and run the 'findall.bat' file inside. It'll run for a while and generate a file called output.txt - save it and post it here. Next, run the 'regsrch.vbs' file and enter this name into the search: ogfh.dll and proceed to search. It'll run for a while and generate a report as well. Post that also.

#9 melvindog (New Member, 9 posts)

Posted 08 May 2004 - 10:04 AM

Here we go:

--===**'FIND-ALL' VERSION 2, 5/04**===--

System Info:
C: "" (8867:C0FA) - FS:NTFS clusters:4k
Total: 19 715 993 600 [18G] - Free: 15 946 768 384 [15G]

Locked file(s) found...
\\?\C:\WINNT\System32\COMNOC.DLL +++ File read error

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{616E3D2E-5F79-4F83-9841-F67321918726}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{1BFE5C3B-84F2-4E14-A983-058D60F2FEA2}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{1BFE5C3B-84F2-4E14-A983-058D60F2FEA2}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} C:\WINNT\system32\mscoree.dll
application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} C:\WINNT\system32\mscoree.dll
application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} C:\WINNT\system32\mscoree.dll
Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} C:\WINNT\system32\urlmon.dll
deflate {8f6b0360-b80d-11d0-a9b3-006097942311} C:\WINNT\system32\urlmon.dll
gzip {8f6b0360-b80d-11d0-a9b3-006097942311} C:\WINNT\system32\urlmon.dll
lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} C:\WINNT\system32\urlmon.dll
text/html {1BFE5C3B-84F2-4E14-A983-058D60F2FEA2} C:\WINNT\system32\bfoc.dll
text/plain {1BFE5C3B-84F2-4E14-A983-058D60F2FEA2} C:\WINNT\system32\bfoc.dll
text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} %SystemRoot%\system32\shell32.dll

{1BFE5C3B-84F2-4E14-A983-058D60F2FEA2} C:\WINNT\system32\bfoc.dll
{616E3D2E-5F79-4F83-9841-F67321918726} C:\WINNT\system32\bfoc.dll
{1BFE5C3B-84F2-4E14-A983-058D60F2FEA2} C:\WINNT\system32\bfoc.dll
{616E3D2E-5F79-4F83-9841-F67321918726} C:\WINNT\system32\bfoc.dll
_______________________________
{616E3D2E-5F79-4F83-9841-F67321918726} C:\WINNT\system32\bfoc.dll

--==***Probable "bad" file will be represented as C:\WINNT...System32...XXXX.dll***==--

Handle v2.2
Copyright © 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
WINLOGON.EXE pid: 188 NT AUTHORITY\SYSTEM

Thanks...
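Added example, not the Find-All tool's code: a Python triage of the report above that flags the locked DLL in System32, the AppInit_DLLs value that exports as empty, and the text/html and text/plain MIME filters routed to bfoc.dll rather than the stock urlmon.dll. The set of known filter DLLs and the severities are this example's own assumptions; the sample report is a constructed, line-broken excerpt of the output posted in this thread.

```python
"""Triage a Find-All style report: locked files, AppInit_DLLs and MIME filter handlers.

Added example, not code from the thread or from Find-All. The sample report is a
constructed excerpt of the output posted above; the rules are this example's own.
"""
import re

SAMPLE_REPORT = r"""
Locked file(s) found...
\\?\C:\WINNT\System32\COMNOC.DLL +++ File read error

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"Spooler"="yes"

application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} C:\WINNT\system32\mscoree.dll
deflate {8f6b0360-b80d-11d0-a9b3-006097942311} C:\WINNT\system32\urlmon.dll
text/html {1BFE5C3B-84F2-4E14-A983-058D60F2FEA2} C:\WINNT\system32\bfoc.dll
text/plain {1BFE5C3B-84F2-4E14-A983-058D60F2FEA2} C:\WINNT\system32\bfoc.dll
text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} %SystemRoot%\system32\shell32.dll
"""

# DLLs that implement the stock IE MIME filters on this platform. Assumption for
# this example, taken from the entries in the posted report that were not flagged.
KNOWN_FILTER_DLLS = {"urlmon.dll", "mscoree.dll", "shell32.dll"}

LOCKED_LINE = re.compile(r"^\\\\\?\\(?P<path>.+?)\s+\+\+\+\s+(?P<error>.+)$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
FILTER_LINE = re.compile(r"^(?P<mime>\S+)\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+(?P<dll>\S+)$")


def triage_findall(text):
    """Return a list of (severity, message) findings from a Find-All report."""
    findings = []
    locked = []
    appinit = None          # data of AppInit_DLLs under ...\CurrentVersion\Windows
    in_windows_key = False  # True while parsing values of that key
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCKED_LINE.match(line)
        if m:
            locked.append(m.group("path"))
            findings.append(("high", f"locked file {m.group('path')}: {m.group('error')}"))
            continue
        if line.startswith("["):
            in_windows_key = line.endswith(r"\CurrentVersion\Windows]")
            continue
        m = VALUE_LINE.match(line)
        if m and in_windows_key and m.group("name").lower() == "appinit_dlls":
            appinit = m.group("data")
            continue
        m = FILTER_LINE.match(line)
        if m and m.group("mime").startswith("text/"):
            # text/* filters see every page IE renders; anything but the stock DLLs is suspect
            dll_name = m.group("dll").rsplit("\\", 1)[-1].lower()
            if dll_name not in KNOWN_FILTER_DLLS:
                findings.append(("high", f"MIME filter {m.group('mime')} handled by {m.group('dll')}"))
    if appinit == "" and locked:
        findings.append(("medium",
            "AppInit_DLLs exports as empty while a locked DLL sits in System32; "
            "the value may carry hidden data (see the renaming step later in this thread)"))
    elif appinit:
        findings.append(("high", f"AppInit_DLLs is set: {appinit}"))
    return findings
```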

#10 melvindog (New Member, 9 posts)

Posted 08 May 2004 - 10:14 AM

Ran the search for ogfh.dll, and the pop-up thing said "Search completed in 101 seconds. No instances of ogfh.dll found". One thing that bears mentioning is last night, after I posted the logs, in a fit of desperation I ran CW Shredder. It got rid of the about:blank problem for a while, then it came back. I understand that this action can cause it to morph (?).

#11 Daemon (Retired Staff-Malware Expert, Authentic Member, 3,521 posts)

Posted 08 May 2004 - 10:15 AM

Try this. Use the Registrar Lite program you downloaded earlier. Navigate to (you can type the line directly into reglite address bar and hit 'go'):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Rename the Windows key in the left pane to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

(You should now be able to clear the hidden contents of the AppInit_DLLs value in the right pane without being undone by the hidden process.)

DoubleClick "Appinit_Dlls" value on right pane and erase the data on the lower box (in value field):

"C:\WINDOWS\System32\COMNOC.DLL", hit 'apply' and 'ok' to set.

Rename NotWindows back to Windows in the left pane, close Registrar Lite and reboot the computer.

If all goes well the hidden process will not run at startup and you should now be able to find and *see* the 'COMNOC.DLL' in C:\WINDOWS\System32.

Run findall.bat again and post a new log. Let me know if you can now see it.

#12 melvindog (New Member, 9 posts)

Posted 08 May 2004 - 10:27 AM

Man, I have really screwed something up. I renamed the file NotWindows in the left pane, tried to get to the AppInit_DLLs, and now Windows doesn't even show up any more in the left pane. I am sure it is my fault, but now what??

#13 Daemon (Retired Staff-Malware Expert, Authentic Member, 3,521 posts)

Posted 08 May 2004 - 10:48 AM

I'm not sure what's going on there. Try this tool instead.

http://www.safer-net...?page=regalyzer

Use it to rename the key back to Windows.

#14 melvindog (New Member, 9 posts)

Posted 08 May 2004 - 10:58 AM

Hey Daemon - I am WAY out of my league here. Going to take the laptop to a local guy, all sorts of bad things are happening to the computer now. May have to do a complete system re-install. I would really like five minutes in a room with the guy that felt like he needed to come up with this carp**. THANKS for your help. melvindog

#15 Daemon (Retired Staff-Malware Expert, Authentic Member, 3,521 posts)

Posted 08 May 2004 - 11:01 AM

OK if you prefer. Hope you get it fixed up.
