c1don.ewizard.cc hijack


This topic is locked
40 replies to this topic

#1 Dazarooni (Members, 31 posts)

Posted 05 July 2004 - 02:22 PM

Hi.

I am sorry I haven't been able to get back sooner. I have moved house and have had a few weeks' downtime. I believe Grinler was helping me with my problem, which I still have. I am very grateful and would appreciate some further assistance.

I have HijackThis, Ad-Aware and Spybot S&D, and have downloaded CWShredder, but when I click on it, it says I have a version of SmartSearch x2 that is trying to close it, and CWShredder renames itself to random text. It still opens, but halfway through the scan it keeps coming up with "CoolWebSearch removal tool has encountered a problem and needs to close, we are sorry for any inconvenience." I have tried downloading from various locations but it does the same thing every time, so it doesn't allow me to complete the scan and fix.

When I fix the problem areas after running HijackThis, I then run Ad-Aware and it gets rid of it for a while, but after rebooting it keeps coming back. The DLL file keeps changing its name after a reboot; I keep trying to delete it but it always comes back. I'm getting the about:blank with a search portal for the home page, and lots of popups from c1don.ewizard.cc.

Here is my log.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\devine\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1D81BD16-6A83-4107-8730-B32E063B41F8} - C:\WINDOWS\System32\iffn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [2tS] C:\Documents and Settings\devine\Local Settings\Temp\2tS.exe
O4 - HKLM\..\Run: [1742Gn] c:\docume~1\devine\locals~1\temp\1742Gn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O9 - Extra button: Packard Bell (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E403DE1C-C4E0-47C8-B75E-6E405DAD9455}: NameServer = 62.55.80.67 193.189.244.197

This really is getting on my nerves.
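The log above is the natural input for a first automated pass. The following Python is an added example, not code from this thread and not part of HijackThis itself: it parses the R0/R1, O2, O4 and O17 lines of a HijackThis log and flags the patterns that matter here: IE search settings pointing at an HTML file in the user's Temp folder, an unnamed BHO loading from System32, Run keys launching executables from Temp, and a NameServer override. The rule names and heuristics are my own assumptions; the sample lines are copied from the log in this post. The NameServer check is worth running early whenever security vendor sites start returning "cannot find server", even though in this thread the admin could not reach the site either.

```python
"""Triage a HijackThis v1.97-style log for the CWS indicators seen in this thread.
Added example; rule names and heuristics are the author's own, not HijackThis output."""
import re
from collections import Counter

ENTRY_RE = re.compile(r'^(?P<code>[RO]\d+) - (?P<body>.+)$')
# Both the short (LOCALS~1) and long (Local Settings) spellings of the per-user Temp dir.
TEMP_RE = re.compile(r'\\(?:LOCALS~1|Local Settings)\\Temp\\', re.I)
SYSTEM32_RE = re.compile(r'\\WINDOWS\\System32\\', re.I)
BHO_RE = re.compile(r'BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$', re.I)


def check_entry(code, body):
    """Return (rule, detail) when an entry matches an indicator, else None."""
    if code in ('R0', 'R1'):
        _, _, value = body.partition(' = ')
        # Search Bar / Search Page / SearchAssistant redirected to a local HTML file in Temp.
        if value.lower().startswith('file://') and TEMP_RE.search(value):
            return ('ie_search_redirected_to_temp_html', value)
        if value == 'about:blank' and 'Start Page' in body:
            return ('start_page_about_blank', value)
    elif code == 'O2':
        m = BHO_RE.match(body)
        # A BHO with no name whose DLL sits directly in System32 (iffn.dll here);
        # named vendor BHOs and unnamed ones under Program Files are left alone.
        if m and m['name'] == '(no name)' and SYSTEM32_RE.search(m['path']):
            return ('unnamed_bho_in_system32', m['path'])
    elif code == 'O4':
        _, _, cmd = body.partition(': ')
        if TEMP_RE.search(cmd):
            return ('run_key_executes_from_temp', cmd)
    elif code == 'O17':
        m = re.search(r'NameServer = (.+)$', body)
        if m:
            return ('dns_nameserver_override', m.group(1).split())
    return None


def triage_hjt(log_text):
    """Parse every R/O entry and collect the ones that match a rule."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        result = check_entry(m['code'], m['body'])
        if result:
            hits.append({'code': m['code'], 'rule': result[0],
                         'detail': result[1], 'line': line.strip()})
    return hits


def rule_counts(hits):
    return dict(Counter(h['rule'] for h in hits))


# Sample input: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1D81BD16-6A83-4107-8730-B32E063B41F8} - C:\WINDOWS\System32\iffn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [2tS] C:\Documents and Settings\devine\Local Settings\Temp\2tS.exe
O4 - HKLM\..\Run: [1742Gn] c:\docume~1\devine\locals~1\temp\1742Gn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{E403DE1C-C4E0-47C8-B75E-6E405DAD9455}: NameServer = 62.55.80.67 193.189.244.197
"""

if __name__ == '__main__':
    for hit in triage_hjt(SAMPLE_LOG):
        print(f"{hit['code']:3} {hit['rule']:36} {hit['detail']}")
    print(rule_counts(triage_hjt(SAMPLE_LOG)))
```

The O17 hit deserves the same attention as the BHO and Run entries: with two foreign nameservers configured, every fix tool the user downloads is fetched through resolvers the hijacker chose, so the DNS setting is the first thing to verify and reset before trusting any download.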


#2 Grinler (Lawrence Abrams, Admin)

Posted 05 July 2004 - 02:39 PM

Please download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double-click on cwshredder.exe to start the program. When the program is loaded, click on the "Check for Update" button, and if it finds a new version it will download it. You should then double-click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

#3 Dazarooni (Topic Starter)

Posted 05 July 2004 - 02:43 PM

I get a broken link when I click on that link, and as I've said, any time I try to run CWShredder I get a "COOLWEBSEARCH REMOVAL TOOL HAS ENCOUNTERED A PROBLEM AND NEEDS TO CLOSE, WE ARE SORRY FOR ANY INCONVENIENCE."
I can't access spywareinfo.com. I get a 'cannot find server' error. The same happens with the merijn link you have given me. It's been happening for a week or so now.

I have heard that some new variants of CoolWebSearch kill the connection to certain websites?

#4 Grinler (Lawrence Abrams, Admin)

Posted 05 July 2004 - 04:39 PM

Don't worry, I can't access the site either.

Download and run this tool. Then download cwshredder from the link below:

http://www.bleepingcomputer.com/files/spyware/CWShredder.zip

#5 Dazarooni (Topic Starter)

Posted 05 July 2004 - 05:02 PM

You said 'download and run this tool' then download CWShredder, but you didn't put a link after you said download and run this tool?

Downloaded CWShredder again...
Tried running...

This is what I get: "CoolWebSearch hijacker removal tool has encountered a problem and needs to close. We are sorry for any inconvenience caused."

It does this ALL THE TIME.

#6 Grinler (Lawrence Abrams, Admin)

Posted 05 July 2004 - 05:13 PM

Sorry, download this tool first:

http://www.safer-networking.org/files/delcwssk.zip

and then run it.

#7 Dazarooni (Topic Starter)

Posted 05 July 2004 - 05:27 PM

Erm... I downloaded it and tried running it... ------> "CoolWWWSearch SmartKiller has not been found on your system"

Crikey. lol

#8 Grinler (Lawrence Abrams, Admin)

Posted 05 July 2004 - 05:46 PM

Download and install Ad-Aware and make sure you update and scan with it. Then post a new log.

#9 Dazarooni (Topic Starter)

Posted 05 July 2004 - 05:54 PM

Ad-Aware gets rid of it for a while but it keeps coming back. The DLL file keeps changing names on reboot. There's no point in posting my HJT log because, although it will show everything OK, on reboot the problem comes back.

#10 Grinler (Lawrence Abrams, Admin)

Posted 05 July 2004 - 07:06 PM

Reboot so the infection comes back and post the complete HijackThis log you create. The last one you posted did not include the version of Windows you are running, so I cannot advise the proper tool you should use.

#11 Dazarooni (Topic Starter)

Posted 06 July 2004 - 01:58 PM

Here ya go..

Logfile of HijackThis v1.97.7
Scan saved at 19:56:51, on 06/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Documents and Settings\devine\Local Settings\Temp\2tS.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\devine\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\devine\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F81A7AC-6576-4DD0-866D-60CBB1CC00F7} - C:\WINDOWS\System32\egb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [2tS] C:\Documents and Settings\devine\Local Settings\Temp\2tS.exe
O4 - HKLM\..\Run: [1742Gn] c:\docume~1\devine\locals~1\temp\1742Gn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Packard Bell (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E403DE1C-C4E0-47C8-B75E-6E405DAD9455}: NameServer = 62.55.80.67 193.189.244.197

#12 Grinler (Lawrence Abrams, Admin)

Posted 06 July 2004 - 03:10 PM

Please do the following:

Download the program FindNFix from the following location:
http://freeatlast100.100free.com/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#13 Dazarooni (Topic Starter)

Posted 06 July 2004 - 04:23 PM

Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2600.0000
The type of the file system is NTFS.
C: is not dirty.

06/07/2004
10:05pm up 0 days, 2:42

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\RESOEA.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESOEA.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT
RESOEA.DLL Can't Open!

(*3*) ........

C:\WINDOWS\SYSTEM32\
resoea.dll Thu 3 Jun 2004 20:24:22 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K


C:\WINDOWS\SYSTEM32\
resoea.dll Thu 3 Jun 2004 20:24:22 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\RESOEA.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\RESOEA.DLL

(*5*)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Access denied ..................... RESOEA.DLL .....57344 03.06.2004

*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group DARYL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Notepad check....

C:\WINDOWS\
notepad.exe Sat 18 Aug 2001 12:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Sat 18 Aug 2001 12:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Sat 18 Aug 2001 12:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DARYL\devine
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: DARYL\devine

Primary Group: DARYL\None



Backups created...
10:07pm up 0 days, 2:44
06/07/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-06-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-06-2004 winkey.reg

Performing string scan....
00001150: vk > f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ r e s o e a . d l l
000011D0: e V h vk UDeviceNotSelectedTimeout
00001210: 1 5 P 9 0 vk ' zGDIProce
00001250:ssHandleQuota" vk Spooler2 y e s _
00001290: h 0 ` vk 5swapdisk vk
000012D0: . TransmissionRetryTimeout h 0 `
00001310: vk ' t USERProcessHandleQuotal
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
fAppInit_DLLs֍GC
--------------
--------------
C:\WINDOWS\System32\resoea.dll
yes
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


**File C:\FINDnFIX\WIN.TXT
(raw binary dump of WIN.TXT omitted; the file begins with the 'regf' hive signature)


#14 Grinler (Lawrence Abrams, Admin)

Posted 06 July 2004 - 04:32 PM

Now that we know what the offending file is, we can move to the next step.

Please open the FindNFix folder which can be found at c:\findnfix.

Inside that folder will be another folder called keys1. Please double-click on that folder.

When that folder opens you will see another file called MOVEit.bat. Right-click on the MOVEit.bat file and click on Edit. This will open up notepad with the contents of that file inside it.

Copy and paste the following line into that file, replacing the current line inside it already.

move C:\WINDOWS\System32\RESOEA.DLL %SystemDrive%\junkxxx\RESOEA.DLL

Then click on File and Save and exit notepad.

The next step will reboot your computer, so please do not continue until you have shut down any programs or saved any data that needs to be saved.

Then double-click on the file Fix.bat contained in the same folder as MOVEit.bat.

You will get an alert that your computer will reboot in about 20 seconds. Allow the computer to reboot.

When the computer has rebooted and you are at the desktop, open up the c:\findnfix folder again and double-click on the RESTORE.bat file.

When it is finished, open the c:\findnfix folder again and double click on the Log1.txt file found there. This will open up notepad. Please post all of the contents of the notepad that opens in a reply to this topic.

#15 Dazarooni (Topic Starter)

Posted 06 July 2004 - 05:08 PM

Here it is :thumbsup:



06/07/2004
11:04pm up 0 days, 0:04

Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2600.0000
The type of the file system is NTFS.
C: is not dirty.

***LOG1!***
Scanning for file(s) in System32...

(1)
\\?\C:\WINDOWS\System32\RESOEA.DLL +++ File read error
C:\WINDOWS\System32\RESOEA.DLL +++ File read error

(2)
**File C:\FINDnFIX\LIST.TXT
RESOEA.DLL Can't Open!

(3)

C:\WINDOWS\SYSTEM32\
resoea.dll Thu 3 Jun 2004 20:24:22 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

C:\WINDOWS\SYSTEM32\
resoea.dll Thu 3 Jun 2004 20:24:22 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\RESOEA.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\RESOEA.DLL


(5)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Access denied ..................... RESOEA.DLL .....57344 03.06.2004

* Scanning for moved file... *



No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


fgrep: no files found for C:\JUNKXXX\*.*


rem replace this entire line with your given command...



File not found - C:\junkxxx\*.*

Permissions:
There are no more files.

ERROR: There are no more files.

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DARYL\devine
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000009 --o- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: DARYL\devine

Primary Group: DARYL\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\resoea.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINDOWS\System32\resoea.dll

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Notepad check....

C:\WINDOWS\
notepad.exe Sat 18 Aug 2001 12:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Sat 18 Aug 2001 12:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Sat 18 Aug 2001 12:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' t USERProcessHandleQuotal h X
000012D0: vk > f AppInit_DLLs G C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ r e s o e a . d l l x
00001350: 0 X X
00001390: B U I L T I N O pL L
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
fAppInit_DLLs֍GC

---------- NEWWIN.TXT
fAppInit_DLLs֍GC
--------------
?\C:\j
yes
C:\WINDOWS\System32\resoea.dll
BUILTINO
NT AUTHORITY
BUILTIN
ILTIN
**File C:\FINDnFIX\NEWWIN.TXT
000012F0: 01 00 00 00 01 00 66 F9 . 5F 44 4C 4C 73 D6 8D E6 ......f _DLLs֍
(raw binary dump of NEWWIN.TXT omitted; it contains the AppInit_DLLs value name followed by the UTF-16 string C:\WINDOWS\System32\resoea.dll and the BUILTIN / NT AUTHORITY security descriptor strings)
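The two FindNFix logs in this thread (Log.txt in post #13 and Log1.txt in post #15) show what makes this variant hard to remove by hand: the registry API reports AppInit_DLLs as empty (the tool prints "MISSING TRAILING NULL CHARACTER" and a key size of 448 against its default figure of 450), while a raw string scan of the hive bytes still contains C:\WINDOWS\System32\resoea.dll, and the file itself cannot be opened for reading. After Fix.bat the value reads normally, but the move to C:\junkxxx did not happen. The following Python is an added example, not part of FindNFix or of this thread: it pulls those facts out of a log and reports whether the loader is hidden from the API, whether the move was attempted, and whether it succeeded. The two sample logs are abbreviated excerpts of the logs posted above; the parsing rules are mine and assume the tool's output format exactly as shown there.

```python
"""Read FindNFix Log.txt / Log1.txt output and decide whether the AppInit_DLLs
loader is hidden from the registry API and whether the move step worked.
Added example; the parsing rules assume the tool's output format shown in this thread."""
import re

DEFAULT_WINDOWS_KEY_SIZE = 450   # the "*Default-450" figure FindNFix prints for a clean key
OFFSET_LINE = re.compile(r'^[0-9A-F]{8}:')


def _suspect_files(text):
    """Paths the tool could not read ('+++ File read error'), lower-cased, de-duplicated."""
    pat = r'^(?:\\\\\?\\)?([A-Za-z]:\\\S+) \+\+\+ File read error'
    return sorted({p.lower() for p in re.findall(pat, text, re.M)})


def _api_value(text):
    """AppInit_DLLs as the registry API reported it (the 'AppInit_DLLs = ...' line)."""
    m = re.search(r'^AppInit_DLLs = (.*)$', text, re.M)
    return m.group(1).strip() if m else None


def _raw_scan_path(text):
    """Recover a DLL path from the raw hive string scan.

    The scan prints UTF-16LE data as spaced-out characters and may split a
    string across offset lines, so drop the offsets, join the lines, strip
    every space and look for a drive-letter path ending in .dll."""
    scan = ''.join(OFFSET_LINE.sub('', ln) for ln in text.splitlines()
                   if OFFSET_LINE.match(ln))
    m = re.search(r'[A-Za-z]:\\[A-Za-z0-9_\\.]+?\.dll', scan.replace(' ', ''), re.I)
    return m.group(0) if m else None


def _listed_on_disk(text, basename):
    """True if a directory listing still shows the file ('resoea.dll Thu 3 Jun 2004 ...')."""
    pat = rf'^{re.escape(basename)}\s+\w{{3}} \d+ \w{{3}} \d{{4}}'
    return re.search(pat, text, re.M | re.I) is not None


def triage_findnfix(text):
    suspects = _suspect_files(text)
    api = _api_value(text)
    raw = _raw_scan_path(text)
    size = re.search(r'CurrentVersion\\Windows: (\d+)', text)
    key_size = int(size.group(1)) if size else None
    # Empty, missing, or flagged by the tool: the API view does not show the loader.
    api_hidden = not api or 'MISSING TRAILING NULL' in api
    basenames = [s.rsplit('\\', 1)[-1] for s in suspects]

    # Log1.txt (after Fix.bat) carries a "Scanning for moved file" section; Log.txt does not.
    move_attempted = 'Scanning for moved file' in text
    moved = None
    if move_attempted:
        nothing_there = re.search(r'(?:no files found for|File not found - )C:\\junkxxx',
                                  text, re.I)
        moved = nothing_there is None and any(
            re.search(rf'junkxxx\\{re.escape(b)}', text, re.I) for b in basenames)

    return {
        'suspect_files': suspects,
        'appinit_api_view': api,
        'appinit_raw_scan': raw,
        'hidden_appinit_loader': api_hidden and raw is not None,
        'windows_key_size': key_size,
        'key_size_is_default': key_size == DEFAULT_WINDOWS_KEY_SIZE,
        'still_on_disk': [s for s, b in zip(suspects, basenames) if _listed_on_disk(text, b)],
        'move_attempted': move_attempted,
        'moved_to_junkxxx': moved,
    }


# Abbreviated excerpts of the two logs posted in this thread (constructed sample input).
LOG_BEFORE_FIX = r"""
***LOG!***
Locked or 'Suspect' file(s) found...
C:\WINDOWS\System32\RESOEA.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESOEA.DLL +++ File read error
C:\WINDOWS\SYSTEM32\
resoea.dll Thu 3 Jun 2004 20:24:22 A...R 57,344 56.00 K
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
Performing string scan....
00001150: vk > f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ r e s o e a . d l l
000011D0: e V h vk UDeviceNotSelectedTimeout
"""

LOG_AFTER_FIX = r"""
***LOG1!***
\\?\C:\WINDOWS\System32\RESOEA.DLL +++ File read error
C:\WINDOWS\System32\RESOEA.DLL +++ File read error
C:\WINDOWS\SYSTEM32\
resoea.dll Thu 3 Jun 2004 20:24:22 A...R 57,344 56.00 K
* Scanning for moved file... *
fgrep: no files found for C:\JUNKXXX\*.*
File not found - C:\junkxxx\*.*
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = C:\WINDOWS\System32\resoea.dll
000012D0: vk > f AppInit_DLLs G C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ r e s o e a . d l l x
00001350: 0 X X
"""

if __name__ == '__main__':
    for label, log in (('before fix', LOG_BEFORE_FIX), ('after fix', LOG_AFTER_FIX)):
        print(label, triage_findnfix(log))
```

Run against the second log, the result says what a reader of post #15 has to work out by eye: the AppInit_DLLs value is now visible, the DLL is still listed in System32, C:\junkxxx is empty, so the loader survived the reboot and the next step is still pending.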



