HJT Log check...


20 replies to this topic

#1 Epyon3000

Epyon3000

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 21 February 2005 - 03:11 PM

I already know that I've got that "about:blank" hijacker thing, and that I'm not the only one. I'm going to scan around to see if any suggestions here work for me. However, I would like someone to look over my HJT log, to see if there's anything I don't know about, or anyway to improve. I've already run Adaware and Spybot twice, and Adaware keeps finding the same things.

Any help offered will be greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 3:05:36 PM, on 2/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\My Downloads\HijackThis199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FFFE0210-F65F-4CE8-94C1-8C46E653C843} - C:\WINDOWS\system32\fkpl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:26 PM

Posted 23 February 2005 - 06:00 PM

Download the attached file and save it to your c: drive. Then extract it and double click on the save.bat file. When it is done it will open a C:\bleeping folder. Zip up those files and submit them at http://www.bleepingcomputer.com/submit-malware.php

Attached Files

  • Attached File  save.bat   206bytes   26 downloads


#3 Epyon3000

Epyon3000
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 23 February 2005 - 07:36 PM

I have sent the file.

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:26 PM

Posted 23 February 2005 - 09:23 PM

Can you tell me if this file exists:

C:\WINDOWS\system32\sqllnpb.dll

If so can you submit it?

#5 Epyon3000

Epyon3000
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 24 February 2005 - 01:49 AM

I checked, but I couldn't find that file in there, or anywhere on my computer.

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:26 PM

Posted 24 February 2005 - 10:13 AM

Hi. Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Then press Enter. You will now be presented with new information in the bottom right and left sections, and in the right section the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and, if there is a DLL listed there, erase it and press OK.

Then reboot, check that registry key again and tell me if the value is back. If it is not, see if you can see the file. If you can, submit it.
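The manual check above (open the AppInit_DLLs value, see whether a DLL is listed, look for the file) can be scripted so that every DLL the value names is resolved and described from disk in one pass. The script below is an added example for readers of this thread, not something Grinler or BleepingComputer posted; it assumes a current Windows PowerShell (Get-FileHash and Get-AuthenticodeSignature need PowerShell 3 or later) and is read-only, so it changes nothing in the registry or on disk. The LoadAppInit_DLLs switch it reports only exists on Vista and later; on the XP machine in this thread the list is simply honoured.

```powershell
# Added example (not from the thread): report every DLL named in AppInit_DLLs.
# Read-only. Assumes Windows PowerShell 3+ for Get-FileHash/Get-AuthenticodeSignature.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDllReport {
    $props = Get-ItemProperty -Path $keyPath
    $raw   = [string]$props.AppInit_DLLs
    # LoadAppInit_DLLs (0/1) is absent on XP/2003; the value is honoured unconditionally there.
    $load  = $props.PSObject.Properties['LoadAppInit_DLLs']
    Write-Host "AppInit_DLLs     = '$raw'"
    if ($load) { Write-Host "LoadAppInit_DLLs = $($load.Value)" }

    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Host 'Value is empty: nothing is being loaded into user-mode processes via this key.'
        return
    }

    # The value is a space- or comma-separated list; a bare file name resolves against System32.
    $entries = $raw -split '[ ,]+' | Where-Object { $_ }
    foreach ($entry in $entries) {
        $path = $entry
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$entry"
        }
        # -Force is required so a file flagged Hidden/System is still returned.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Entry = $entry; Path = $path; Exists = $false }
            continue
        }
        $acl = Get-Acl -LiteralPath $path
        [pscustomobject]@{
            Entry     = $entry
            Path      = $path
            Exists    = $true
            Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            System    = [bool]($item.Attributes -band [IO.FileAttributes]::System)
            ReadOnly  = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
            Owner     = $acl.Owner
            SizeBytes = $item.Length
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
    }
}

Get-AppInitDllReport | Format-List
```

A legitimate DLL in this list is rare on a home machine; an entry that points at an unsigned, hidden file in System32 with a random-looking name is exactly the pattern this thread is chasing, and the SHA256 gives you something to submit or look up rather than a file name alone.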

#7 Epyon3000

Epyon3000
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 24 February 2005 - 03:50 PM

The value came back. I still can't see the file.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:26 PM

Posted 24 February 2005 - 07:34 PM

Step 1:

Please download this file:

http://computercops.biz/modules.php?name=F...ownload&id=1183

and then sign off the internet if you are using a dialup type connection.

Unzip the downloaded file to c:\hiving and you should now have a file hiving.bat in that c:\hiving folder. Double-click on the hiving.bat file and let it run. If you have script blocking enabled you will get a warning about whether or not you should let it run. Allow the entire script to run once. When it is done, the script will produce a message box letting you know.

Now reboot your computer. After it reboots the hidden file that was reinfecting your computer will no longer be visible.

Then continue to the next step.

Step 2:

Restart the Computer.

Find this file:

C:\WINDOWS\system32\sqllnpb.dll

If you are using Windows XP Pro or 2000:

Right click on this file and select Properties. When you are in the properties of the file, select the Security tab.

Click on the Users group and then in the permissions section select Full Control. Now do this same thing with the Administrators group.

Now try to delete the file C:\WINDOWS\system32\sqllnpb.dll. If that fails go back into the security tab like before, and this time click on the Advanced button and then click on the Owner tab. Select your name in the list, and press the Apply button. Now try to delete it again.

If you are using XP Home:

XP Home does not have the security tab, so just right click on the file, and select Properties. Then uncheck the Read Only checkbox, press OK and try deleting it.
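The Security-tab walk-through in Step 2 (grant Full Control, take ownership, clear Read Only, delete) maps onto a handful of built-in command-line tools, which also sidesteps the missing Security tab the poster runs into. The function below is an added example for readers, not part of Grinler's instructions; it assumes an elevated PowerShell prompt and the built-in takeown.exe, icacls.exe and attrib.exe. The Administrators group is addressed by its well-known SID so the call works on non-English Windows. The -DryRun switch only reports the current owner and attributes and is the default in the usage line; drop it to make the change.

```powershell
# Added example (not from the thread): script the ownership/permission/delete
# steps from the Security tab. Run from an elevated PowerShell.
function Remove-LockedFile {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$DryRun
    )
    # -Force so a Hidden/System file is found.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Host "Not found: $Path"; return $false }

    $owner = (Get-Acl -LiteralPath $Path).Owner
    Write-Host "Before: owner=$owner attrs=$($item.Attributes)"
    if ($DryRun) { Write-Host 'DryRun: no changes made.'; return $false }

    # 1. Take ownership (Security tab -> Advanced -> Owner).
    & takeown.exe /F $Path | Out-Null
    # 2. Grant Administrators (S-1-5-32-544) Full Control (the "Full Control" checkbox).
    & icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null
    # 3. Clear Read-only, System and Hidden (the XP Home "Read Only" checkbox, and then some).
    & attrib.exe -R -S -H $Path

    # 4. Delete. A DLL currently loaded into a running process will still refuse;
    #    in that case it has to be done from Safe Mode or deferred to the next reboot.
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Host "Deleted: $Path"
        return $true
    } catch {
        Write-Host "Delete failed: $($_.Exception.Message)"
        return $false
    }
}

# Path taken from this thread; remove -DryRun to actually perform the steps.
Remove-LockedFile -Path 'C:\WINDOWS\system32\sqllnpb.dll' -DryRun
```

The ordering matters: takeown has to succeed before icacls can grant anything, and attrib -R must run before Remove-Item or the delete fails on the read-only bit even with Full Control.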

#9 Epyon3000

Epyon3000
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 24 February 2005 - 09:25 PM

Ok, the file is there now. However, I'm running XP Pro, but when I go into Properties, there is no Security tab. I tried the XP Home instructions, but the file won't let me uncheck Read Only.

I'm sorry if I'm being a bother, or anything like that. I appreciate all the help you've given me so far.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:26 PM

Posted 24 February 2005 - 11:21 PM

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\system32\sqllnpb.dll into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot. Then check to see if the file is gone.

#11 Epyon3000

Epyon3000
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 25 February 2005 - 12:18 AM

Did that. The file is still there.

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:26 PM

Posted 25 February 2005 - 08:56 AM

When you went into safe mode did you take ownership of the file first?

#13 Epyon3000

Epyon3000
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 25 February 2005 - 10:59 AM

I didn't know I had to go into Safe Mode. How do I take ownership of the file?

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:26 PM

Posted 25 February 2005 - 11:12 AM

Download this tool:

http://securityresponse.symantec.com/avcenter/FxAgentB.exe

Run it and post the log it creates as a reply to this post.

#15 Epyon3000

Epyon3000
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:26 PM

Posted 25 February 2005 - 12:19 PM

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


Backdoor.Agent.B has not been found on your computer.
