about:blank problem - zenith's HJT log


This topic is locked
23 replies to this topic

#1 zenith38


Posted 15 August 2004 - 12:21 AM

Logfile of HijackThis v1.98.2
Scan saved at 1:15:10 AM, on 8/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\FireDaemon.EXE
C:\WINNT\explore.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\Drivers\WTSRV.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Real\RealOne Player\realplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {588D26EF-CF64-4306-864C-3D844366240E} - C:\WINNT\system32\ljhbfd.dll
O2 - BHO: kbdelsb - {BDF14488-E748-C124-C537-ABB006E161E1} - C:\WINNT\system32\kbdelsb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [leypqeb] "C:\WINNT\system32\leypqeb.exe"
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [sratingm] C:\WINNT\system32\sratingm.exe
O4 - HKLM\..\Run: [omC] C:\WINNT\system32\omC.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - http://usms.tom.com/smslist.php?user_id=286 (file missing)
O9 - Extra 'Tools' menuitem: ????? ?????? - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - http://usms.tom.com/smslist.php?user_id=286 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\dcfnpmwf.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O18 - Filter: text/html - {181D7F6D-A121-47C0-9DBF-9B6791EA13E7} - C:\WINNT\system32\ljhbfd.dll
O18 - Filter: text/plain - {181D7F6D-A121-47C0-9DBF-9B6791EA13E7} - C:\WINNT\system32\ljhbfd.dll





If you could help me that would be really really good :DD thanks a million.


#2 zenith38


Posted 15 August 2004 - 12:32 AM

What happens is, I boot up, and the screen where it says "windows 2000 professional" loads ten times slower than my other computer.

Once I log in, three rundll errors appear and they say things similar to c:/WINNT/image.dll not found, or something like that. Then I always have to open up task manager and end AdDestroyer.exe, which I thought that Spybot had previously gotten rid of (but I guess it didn't since it's still here.)

I sign on to AIM and the "aim today" window appears which automatically opens an Internet Explorer window that has about:blank as the homepage. Then I get about 3-5 popups. Also, AIM Expressions trigger an Internet Explorer window to open as well.

I tried changing the about:blank homepage to google.com but it failed and just changed back. Same thing happens when I try to check my email.

Please help!!

#3 ColdinCbus


Posted 15 August 2004 - 07:07 AM

Hi, zenith38.

Please download CWShredder - http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Please download and then unzip the program. Close all open browser windows and run the program. Click the "Fix" button and let it fix everything it finds.

Reboot, scan with Hijackthis again and post a fresh log please.

#4 zenith38


Posted 24 August 2004 - 10:26 AM

I tried to download CWShredder from http://www.spywareinfo.com/~merijn/files/cwshredder.zip but it seems like SpywareInfo's database is down or something. Do you know of an alternate location where I can download CWShredder or should I wait until SpywareInfo is up again?

#5 Grinler

Lawrence Abrams

Posted 26 August 2004 - 09:24 PM

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

CWShredder Download Site #1

or

CWShredder Download Site #2

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

CWShredder - How to remove CoolWebSearch with CWShredder

#6 zenith38


Posted 28 August 2004 - 10:59 PM

I ran CWShredder and it seems like my homepage has returned (I set it to Google.com and it went to Google.com this time, unlike all the other times when it went to about:blank).

Here is the HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:50:54 PM, on 8/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\FireDaemon.EXE
C:\WINNT\explore.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\Drivers\WTSRV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\system32\services\wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EFC415B-BA10-0393-8672-64550CA07544} - C:\WINNT\system32\ngthub.dll
O2 - BHO: kbdelsb - {BDF14488-E748-C124-C537-ABB006E161E1} - C:\WINNT\system32\kbdelsb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [leypqeb] "C:\WINNT\system32\leypqeb.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [unoncer] C:\WINNT\system32\unoncer.exe
O4 - HKLM\..\Run: [3drefd] C:\WINNT\system32\3drefd.exe
O4 - HKLM\..\Run: [1Lb.exe] C:\documents and settings\christine\local settings\temp\1Lb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Wcea] C:\Documents and Settings\Christine\Application Data\ttbs.exe
O4 - HKCU\..\Run: [Lyuibny] C:\WINNT\system32\bwdgdaa.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - http://usms.tom.com/smslist.php?user_id=286 (file missing)
O9 - Extra 'Tools' menuitem: ????? ?????? - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - http://usms.tom.com/smslist.php?user_id=286 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab



Thank you so much for your help so far!! :thumbsup:

#7 Grinler


Posted 28 August 2004 - 11:39 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\system32\services\wmplayer.exe
O2 - BHO: (no name) - {6EFC415B-BA10-0393-8672-64550CA07544} - C:\WINNT\system32\ngthub.dll
O2 - BHO: kbdelsb - {BDF14488-E748-C124-C537-ABB006E161E1} - C:\WINNT\system32\kbdelsb.dll
O4 - HKLM\..\Run: [leypqeb] "C:\WINNT\system32\leypqeb.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [unoncer] C:\WINNT\system32\unoncer.exe
O4 - HKLM\..\Run: [3drefd] C:\WINNT\system32\3drefd.exe
O4 - HKLM\..\Run: [1Lb.exe] C:\documents and settings\christine\local settings\temp\1Lb.exe
O4 - HKCU\..\Run: [Wcea] C:\Documents and Settings\Christine\Application Data\ttbs.exe
O4 - HKCU\..\Run: [Lyuibny] C:\WINNT\system32\bwdgdaa.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O9 - Extra button: (no name) - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - http://usms.tom.com/smslist.php?user_id=286 (file missing)
O9 - Extra 'Tools' menuitem: ????? ?????? - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - http://usms.tom.com/smslist.php?user_id=286 (file missing)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab



Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (do not be concerned if they do not exist):

C:\WINNT\system32\ngthub.dll
C:\WINNT\system32\kbdelsb.dll
C:\WINNT\system32\leypqeb.exe
C:\Program Files\TV Media\
c:\installer\id53.exe
C:\WINNT\bxxs5.dll
C:\WINNT\system32\unoncer.exe
C:\WINNT\system32\3drefd.exe
C:\documents and settings\christine\local settings\temp\1Lb.exe
C:\Documents and Settings\Christine\Application Data\ttbs.exe
C:\WINNT\system32\bwdgdaa.exe


Disable System Restore. You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore using the instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.
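The entries Grinler singles out above share a few recognisable shapes: browser start and search values rewritten to a file:// page in the user's Temp folder, to about:blank or to a res:// URL (or to the websearch.drsnsrch.com redirect), an unnamed BHO in system32 that is also registered as an O18 text/html or text/plain filter, and autoruns launched from Temp or Application Data. The script below is an added example, not part of this thread and not a BleepingComputer or HijackThis tool; it parses HijackThis v1.98-style log lines (the embedded sample is a handful of lines copied from the logs in posts #1 and #6) and flags those shapes. It deliberately catches only what those patterns describe, so a named BHO such as kbdelsb.dll, or a randomly named .exe sitting in system32, still needs the human review this thread shows. The function and constant names are mine.

```python
"""Triage a HijackThis log for the patterns an about:blank / CWS hijack leaves behind.

Added example, not a HijackThis or BleepingComputer tool. Heuristics only: they
cover the entry shapes visible in this thread, not every hijacker variant.
"""
import re

# Lines copied from the HijackThis logs posted in this thread (posts #1 and #6).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {588D26EF-CF64-4306-864C-3D844366240E} - C:\WINNT\system32\ljhbfd.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [1Lb.exe] C:\documents and settings\christine\local settings\temp\1Lb.exe
O4 - HKCU\..\Run: [Wcea] C:\Documents and Settings\Christine\Application Data\ttbs.exe
O18 - Filter: text/html - {181D7F6D-A121-47C0-9DBF-9B6791EA13E7} - C:\WINNT\system32\ljhbfd.dll
"""

# "R1 - <body>", "O18 - <body>", ... ; the kind is a letter followed by digits.
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Start/search page values seen rewritten by the hijacker in this thread.
SUSPICIOUS_URL = re.compile(r"^(about:blank|file://|res://|websearch\.drsnsrch\.com)", re.I)
# Autorun targets living in a user's Temp or Application Data folder (long or 8.3 form).
USER_TEMP = re.compile(r"(\\Temp\\|\\Application Data\\|DOCUME~1.*?LOCALS~1)", re.I)
DLL_PATH = re.compile(r"([A-Z]:\\[^\s]+?\.dll)", re.I)


def parse(log_text):
    """Return (kind, body, raw_line) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), line.strip()))
    return entries


def triage(log_text):
    """Return [(raw_line, reason)] for entries matching the hijack patterns."""
    entries = parse(log_text)
    # DLLs registered as O18 MIME filters; a BHO loading the same DLL is the
    # classic about:blank pairing (see ljhbfd.dll in post #1).
    filter_dlls = set()
    for kind, body, _ in entries:
        if kind == "O18":
            m = DLL_PATH.search(body)
            if m:
                filter_dlls.add(m.group(1).lower())

    flagged = []
    for kind, body, raw in entries:
        reason = None
        if kind in ("R0", "R1"):
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if SUSPICIOUS_URL.match(value):
                reason = "browser setting points at a local, blank or redirect page"
        elif kind == "O18":
            reason = "text/html or text/plain protocol filter (rarely legitimate)"
        elif kind == "O2":
            m = DLL_PATH.search(body)
            dll = m.group(1).lower() if m else ""
            if dll and dll in filter_dlls:
                reason = "BHO loads the same DLL as an O18 filter"
            elif body.startswith("BHO: (no name)") and "\\system32\\" in dll:
                reason = "unnamed BHO loading a DLL from system32"
        elif kind == "O4" and USER_TEMP.search(body):
            reason = "autorun launched from a user Temp or Application Data folder"
        if reason:
            flagged.append((raw, reason))
    return flagged


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {raw}")
```

On the sample, the Acrobat and Spybot BHOs and the RealPlayer autorun pass untouched, while the four rewritten R0/R1 values, the ljhbfd.dll BHO/filter pair and the two Temp/Application Data autoruns are reported.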

#8 zenith38


Posted 29 August 2004 - 09:53 AM

I have followed your instructions, however, I have Windows 2000, so the tutorials on how to disable/enable System Restore did not work for me (they are for Windows XP and Windows ME).

So far I have fixed the HJT entries that you asked me to fix, but I have not rebooted in Safe Mode and deleted those files yet. How do I Disable/Enable System Restore in Windows 2000?

#9 Grinler


Posted 29 August 2004 - 04:54 PM

Ignore the System Restore instructions...my bad. You don't have System Restore on Win 2000. Just continue with the instructions I gave you.

#10 zenith38


Posted 30 August 2004 - 01:51 PM

I restarted in Safe Mode and deleted the following files:

C:\WINNT\system32\ngthub.dll
C:\WINNT\system32\leypqeb.exe
C:\installer\id53.exe
C:\WINNT\system32\unoncer.exe
C:\WINNT\system32\3drefd.exe
C:\documents and settings\christine\local settings\temp\1Lb.exe
C:\WINNT\system32\bwdgdaa.exe

The following files did not exist:

C:\Program Files\TV Media\
C:\WINNT\bxxs5.dll
C:\Documents and Settings\Christine\Application Data\ttbs.exe

This last file, C:\WINNT\system32\kbdelsb.dll, did exist, but when I tried to delete it, an error came up and said it was in use.

Also, my homepage was hijacked again by the "about:blank" but when I ran CWShredder again, it was returned.

Here is the new HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 1:50:47 PM, on 8/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\FireDaemon.EXE
C:\WINNT\explore.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\Drivers\WTSRV.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {24659592-08B4-47F2-BDF6-53FC08126D7E} - C:\WINNT\system32\egal.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: kbdelsb - {BDF14488-E748-C124-C537-ABB006E161E1} - C:\WINNT\system32\kbdelsb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O18 - Filter: text/html - {2A8E060C-B411-49D0-8C91-ACE7D459D450} - C:\WINNT\system32\egal.dll
O18 - Filter: text/plain - {2A8E060C-B411-49D0-8C91-ACE7D459D450} - C:\WINNT\system32\egal.dll

#11 Grinler


Posted 30 August 2004 - 02:00 PM

Please do the following:

Download the program FindNFix from the following location:

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#12 zenith38


Posted 31 August 2004 - 07:32 PM

Here is the log produced by FindNFix:


Tue 31 Aug 04 20:22:08

»»»»»»»»»»»»»»»»»»***LOG!***(*updated *8/26*)»»»»»»»»»»»»»»»»

*System:
Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)
*IE version:
6.0.2800.1106 SP1

The type of the file system is NTFS.


MS-DOS Version 5.00.500

*command.com test passed!

__________________________________
!!*Creating backups...!!

The operation completed successfully
__________________________________

*Local time:
Tuesday, August 31, 2004 (8/31/2004)
8:22 PM, Eastern Daylight Time
*Uptime:
20:22:12 up 1 days, 6:28:47

*Path:
C:\FINDnFIX
----------------------------------------------------
»»Member of...: ("ADMIN" logon + group match required!)

User is a member of group BUFFALO\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

User: [BUFFALO\Christine], is a member of:

BUILTIN\Administrators
\Everyone

Running in WORKSTATION MODE.

SystemDrive is C:
SystemRoot is C:\WINNT
Logon Domain is BUFFALO
Administrator's Name is Christine
Computer Name is BUFFALO
LOGON SERVER is \\BUFFALO

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

______________________________________________________________________________
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
______________________________________________________________________________

......Scanning for file(s)...
*Note! The list(s) may include legitimate files!
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........
»»Read access error(s)...

C:\WINNT\SYSTEM32\D3DJC.DLL +++ File read error
\\?\C:\WINNT\System32\D3DJC.DLL +++ File read error

»»»»» (*2*) »»»»»........
D3DJC.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINNT\SYSTEM32\
d3djc.dll Sun Jul 18 2004 2:33:46a A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\D3DJC.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»
¯ Access denied ® ..................... D3DJC.DLL .....57344 18.07.2004

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINNT\SYSTEM32\D3DJC.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...
*List of files and specs according to 'size' :
*Note: Not all files listed here are infected, but *may include* the
name and spces of the offending file...
___________________________________________________________________________
Path: C:\WINNT\SYSTEM32 Including: *.DLL

118. D3djc Dll 57,344 . . R . A 7-18-04 2:33 am

____________________________________________________________________________
*By size and date...


C:\WINNT\SYSTEM32\
d3djc.dll Sun Jul 18 2004 2:33:46a A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\D3DJC.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


BHO search and other files...

fgrep: can't open input C:\WINNT\SYSTEM32\D3DJC.DLL
**File C:\WINNT\SYSTEM32\DDMM.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....¶1.€
**File C:\WINNT\SYSTEM32\LIILKC.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....¶1.€
**File C:\WINNT\SYSTEM32\LJHBFD.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....¶1.€


"C:\WINNT\system32\"
ddmm.dll Aug 31 2004 30720 "ddmm.dll"
liilkc.dll Aug 30 2004 30720 "liilkc.dll"
ljhbfd.dll Jul 18 2004 30720 "ljhbfd.dll"

3 items found: 3 files, 0 directories.
Total of file sizes: 92,160 bytes 90.00 K

No matches found.

*sp.html found in temp folder:
--a-- - - - - - 7,976 08-31-2004 sp.html
File: <C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\sp.html>

CRC-32 : 93866C48

MD5 : CE5B5B5B DFD4A959 9F4A95C7 6FA46BD2




*Filter keys search...
REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

--(*text/html Subkey was NOT FOUND!)--

REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

--(*text/plain Subkey was NOT FOUND!)--

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value does not match
________________________________

»»Comparing *saved* key with *original*...

REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

Value "AppInit_DLLs" in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" has different lengths (1 vs 28)

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Performing string scan....
00001150: ?
00001190: H x
000011D0: vk R DeviceNotSelectedTimeout 1 5 `
00001210: vk ' i GDIProcessHandleQuota vk
00001250: h Spooler y e s t a vk L
00001290:swapdisk vk f TransmissionRetryTimeout 9 0
000012D0: ` vk ' m USERProcessHandleQuotat vk
00001310:8 0 a AppInit_DLLsa r C : \ W I N N T \ s y s t e
00001350:m 3 2 \ d 3 d j c . d l l / n
00001390:
000013D0:
00001410:
00001450:
00001490: w
000014D0:
00001510:@ w$ w w w wx wH w$ w w wd wL w w w w
00001550: x
00001590:
000015D0:

---------- WIN.TXT
AppInit_DLLsa
--------------
--------------
$011E8: DeviceNotSelectedTimeout
$01230: GDIProcessHandleQuota
$012B0: TransmissionRetryTimeout
$012F0: USERProcessHandleQuotat
$01320: AppInit_DLLsa
--------------
--------------
C:\WINNT\system32\d3djc.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

.............
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINNT\system32\d3djc.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
0020 32 00 5c 00 64 00 33 00 64 00 6a 00 63 00 2e 00 | 2.\.d.3.d.j.c...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
-----------------------

»»»»»»Backups list...»»»»»»
20:25:56 up 1 days, 6:32:31
-----------------------
Tue 31 Aug 04 20:25:56


C:\FINDNFIX\
keyback.hiv Tue Aug 31 2004 8:22:08p A.... 8,192 8.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 8,192 bytes 8.00 K

C:\FINDNFIX\KEYS1\
winkey.reg Tue Aug 31 2004 8:22:10p A.... 287 0.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 287 bytes 0.28 K

*Temp backups...

"C:\Documents and Settings\Christine\Local Settings\Temp\Backs2\"
keyback2.hi_ Aug 31 2004 8192 "keyback2.hi_"
winkey2.re_ Aug 31 2004 287 "winkey2.re_"

2 items found: 2 files, 0 directories.
Total of file sizes: 8,479 bytes 8.28 K
-D---- JUNKXXX 00000000 20:22.10 31/08/2004
A----- STARTIT .BAT 00000060 20:22.10 31/08/2004

________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
-----END------
Tue 31 Aug 04 20:26:00

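The log above reads the raw AppInit_DLLs value (56 bytes, UTF-16LE, "including the 2 for string termination") and the earlier regdump flags a missing trailing null. The following is an added example, not part of the FindNFix tool or this thread, showing how a defender can rebuild the value bytes from that hex dump and perform the same checks: proper termination, byte count versus decoded length, and whether any DLL path is present at all (on a clean machine AppInit_DLLs is empty). The dump text is copied from the log; `parse_hex_dump` and `inspect_appinit` are names chosen here.

```python
"""Inspect a raw AppInit_DLLs (REG_SZ) value the way the FindNFix log does."""
import re

# Hex dump lines as printed in the log above; only the offset/hex columns are used.
INFECTED_DUMP = (
    "0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\\.W.I.N.N.T.\n"
    "0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \\.s.y.s.t.e.m.3.\n"
    "0020 32 00 5c 00 64 00 33 00 64 00 6a 00 63 00 2e 00 | 2.\\.d.3.d.j.c...\n"
    "0030 64 00 6c 00 6c 00 00 00 | d.l.l...\n"
)


def parse_hex_dump(dump: str) -> bytes:
    """Turn 'offset hh hh ... | ascii' dump lines back into the raw value bytes."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("|", 1)[0]      # drop the ASCII column
        fields = hex_part.split()
        if not fields:
            continue
        out.extend(int(h, 16) for h in fields[1:])   # fields[0] is the offset
    return bytes(out)


def inspect_appinit(raw: bytes) -> dict:
    """Report termination, decoded text and listed DLLs for a REG_SZ value.

    A well-formed REG_SZ is UTF-16LE text followed by a two-byte null; a value
    that is even one byte short of that is what regdump reports as a missing
    trailing null.  Anything listed in AppInit_DLLs is loaded into every
    process that links user32.dll, so a non-empty value is worth a look.
    """
    terminated = len(raw) >= 2 and len(raw) % 2 == 0 and raw[-2:] == b"\x00\x00"
    payload = raw[:-2] if terminated else raw
    try:
        text = payload.decode("utf-16-le")
    except UnicodeDecodeError:
        text = None
    # Entries in AppInit_DLLs are separated by spaces or commas (paths with
    # spaces are therefore not representable, a known limitation of the value).
    dlls = [p for p in re.split(r"[ ,]+", text) if p] if text is not None else []
    return {
        "bytes": len(raw),
        "terminated": terminated,
        "text": text,
        "dlls": dlls,
        # what the byte count should be for this text with its terminator
        "expected_bytes": (len(text) * 2 + 2) if text is not None else None,
        "suspicious": bool(dlls) or not terminated,
    }


if __name__ == "__main__":
    raw = parse_hex_dump(INFECTED_DUMP)
    print(f"{len(raw)} bytes read from dump")
    for k, v in inspect_appinit(raw).items():
        print(f"{k:>15}: {v}")
```

Run on the dump from this thread the value decodes to C:\WINNT\system32\d3djc.dll, 27 characters, which is exactly the 56 bytes the log reports (27 x 2 + 2). After the fix, the same routine on the restored empty value (just the two-byte terminator) reports no DLLs and nothing suspicious, which is the "Value Matches" condition the later log2 checks.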

#13 Grinler (Lawrence Abrams, Admin)

Posted 31 August 2004 - 09:36 PM

Now that we know what the offending file is, we can move to the next step.

Please open the FindNFix folder which can be found at c:\findnfix.

Inside that folder will be another folder called keys1. Please double-click on that folder.

When that folder opens you will see a file called Fix.bat. Double-click on that file to start it.

You will get an alert that your computer will reboot in about 15 seconds. Allow the computer to reboot.

When the computer has rebooted and you are at the desktop, click on the Start menu and select Search. You want to find the file C:\WINNT\SYSTEM32\D3DJC.DLL.

When the file is found, select the C:\WINNT\SYSTEM32\D3DJC.DLL file by clicking on it once so it becomes highlighted. Then click on the Edit menu and select the "Move to Folder" option. Scroll down until you see the C: drive and expand, by clicking on the plus sign, that directory, and then expand the FindNFix directory. You should then see under the C:\FindNFix directory a directory called junkxxx. Select that as the final destination and click on the Move button. If you get a warning about the file being read-only, allow it to be moved anyway.

When that is completed, open up the c:\findnfix folder again and double-click on the RESTORE.bat file.

When it is finished, open the c:\findnfix folder again and double click on the Log1.txt file found there. This will open up notepad. Please post all of the contents of the notepad that opens in a reply to this topic.

#14 zenith38 (Topic Starter, Members)

Posted 01 September 2004 - 09:53 AM

When the RESTORE.bat file finished running, a notepad opened on its own and produced a log2.txt:

Wed 01 Sep 04 10:39:59

»»»»»»»»»»»»»»»»»»***LOG2!(*updated *8/26*)***»»»»»»»»»»»»»»»»

*System:
Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)
*IE version:
6.0.2800.1106 SP1

The type of the file system is NTFS.

___________________________________________
!!Restoring backups!!

The operation completed successfully

The operation completed successfully
___________________________________________

*Local time:
Wednesday, September 01, 2004 (9/1/2004)
10:40 AM, Eastern Daylight Time
*Uptime:
10:40:01 up 0 days, 0:06:06

*path:
C:\FINDnFIX
Running in WORKSTATION MODE.

SystemDrive is C:
SystemRoot is C:\WINNT
Logon Domain is BUFFALO
Administrator's Name is Christine
Computer Name is BUFFALO
LOGON SERVER is \\BUFFALO
------------------------------------------


This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size And Date...

*List of files specs according to size:
*Note: Not all files listed here are infected!
____________________________________________________________________________
Path: C:\WINNT\SYSTEM32 Including: *.DLL


____________________________________________________________________________

No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

BHO search and other files...

**File C:\WINNT\SYSTEM32\DDMM.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....¶1.€
**File C:\WINNT\SYSTEM32\DOEAA.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....¶1.€
**File C:\WINNT\SYSTEM32\LIILKC.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....¶1.€
**File C:\WINNT\SYSTEM32\LJHBFD.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....¶1.€


"C:\WINNT\system32\"
ddmm.dll Aug 31 2004 30720 "ddmm.dll"
doeaa.dll Sep 1 2004 30720 "doeaa.dll"
liilkc.dll Aug 30 2004 30720 "liilkc.dll"
ljhbfd.dll Jul 18 2004 30720 "ljhbfd.dll"

4 items found: 4 files, 0 directories.
Total of file sizes: 122,880 bytes 120.00 K

No matches found.


No matches found.

--*sp.html in temp folder was NOT FOUND!--

*Filter keys search...
REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

--(*text/html Subkey was NOT FOUND!)--

REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

--(*text/plain Subkey was NOT FOUND!)--

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\D3DJC.333


C:\FINDNFIX\JUNKXXX\
d3djc.333 Sun Jul 18 2004 2:33:46a A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\D3DJC.333
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.*

**File C:\FINDNFIX\JUNKXXX\D3DJC.333
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

A----- D3DJC .333 0000E000 02:33.46 18/07/2004

Analyzer v1.36 by Boogie Copyright © 1997 ESP Team
Files: C:\FINDNFIX\JUNKXXX\*.*
Ä
D3DJC.333 MS Windows 95 / Windows NT Exe
Ä


Volume: Local Disk * DDIR * 10:45 am | Wed, 9-01-04
Ser #: 9C62-712E DOS Ver. 5.00 0% Used space
Path: C:\FINDNFIX\JUNKXXX All files selected

1. D3djc 333 57,344 . . . . A 7-18-04 2:33 am

No. of files: 1 | List size: 57,344
Disk size: 976.5 M | Actual spc: 65,024
Bytes free: 976.5 M | Wasted space: 7,680

--a-- W32i - - - - 57,344 07-18-2004 d3djc.333
A C:\FINDnFIX\junkxxx\d3djc.333

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
D3DJC.333 57344 07-18-104 02:33 c185b36f9969d3a6d2122ba7cbc02249

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
D3DJC.333 : crc16=3138 crc32=D5C9FB2E

File: <C:\FINDnFIX\junkxxx\d3djc.333>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\d3djc.333 Everyone:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F
Everyone:F

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUFFALO\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUFFALO\None

File "C:\FINDnFIX\junkxxx\d3djc.333"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUFFALO\None

C:\FINDnFIX\junkxxx\d3djc.333;Everyone:F
C:\FINDnFIX\junkxxx\d3djc.333;NT AUTHORITY\SYSTEM:F
C:\FINDnFIX\junkxxx\d3djc.333;BUILTIN\Administrators:F
C:\FINDnFIX\junkxxx\d3djc.333;NT AUTHORITY\SYSTEM:F[I]
C:\FINDnFIX\junkxxx\d3djc.333;BUILTIN\Administrators:F[I]
C:\FINDnFIX\junkxxx\d3djc.333;Everyone:F[I]



»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Comparing *saved* key with *original*...

REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

No differences found.

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: H x
000011D0: vk R DeviceNotSelectedTimeout 1 5 `
00001210: vk ' i GDIProcessHandleQuota vk
00001250: h Spooler y e s t a vk L
00001290:swapdiskDLLs vk f TransmissionRetryTimeout
000012D0: Vers 9 0 ` vk ' m USERProcessHandl
00001310:eQuotat vk a AppInit_DLLsa r wC
00001350: F   ( wX w 8
00001390:8 w wp w\ w4 w T| T| t w T* w
000013D0: J x w w w [ w
00001410:x w w w x 9 @ x T* w
00001450: x P ^ `[d, l t ) `A , l
00001490: d 3 d j c . 2 2 2 w @ x x x x
000014D0: d wx 9 @ w w w J
00001510: J [ w J ( w 3 w @ h h @ h
00001550:

---------- NEWWIN.TXT
AppInit_DLLsa
--------------
--------------
$011E8: DeviceNotSelectedTimeout
$01230: GDIProcessHandleQuota
$01290: swapdiskDLLs
$012B8: TransmissionRetryTimeout
$01300: USERProcessHandleQuotat
$01330: AppInit_DLLsa
$01808: dCompareExchange
--------------
--------------
d3djc.222
\WINNT\system32\ntdll.dll
rosoft\Windows NT\CurrentVersion\Image File Execution Options\xcacls.exe
mscoree.dll
kernel32.dll
--------------
--------------
d...a 0 Sep 1 10:40 .
d...a 0 Sep 1 10:40 ..
....a 57344 Jul 18 2:33 d3djc.333

3 files found occupying 55296 bytes

-------- C:\FINDNFIX\JUNKXXX\D3DJC.333
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 955,733 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.06

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> A 09-01-:4 10:40|D3DJC 333 57344 A 07-18-:4 02:33
.. <dir> A 09-01-:4 10:40|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: Volume label: Local Disk

...File dump...

junkxxx\d3djc.333
1 file(s) copied.
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...

C:\FINDnFIX\junkxxx
d3djc.333 ACL has 6 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = /Everyone S-1-1-0
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
ACL done...


Finished Detecting...
________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»
Wed 01 Sep 04 10:45:26
-----END-----


#15 Grinler (Lawrence Abrams, Admin)

Posted 01 September 2004 - 10:14 AM

Please now open the FindNFix folder again. Then double-click on the Files2 folder to open that. Double-click on the ZIPZAP.bat file.

It will clean the rest of the infection and make a copy of the bad file in the same folder and name it junkxxx.zip and open your email client with instructions as to what to do.

Simply drag the junkxxx.zip file into your email message so it becomes an attachment. Then copy and paste the link to this topic into the body of the message and send the email. This is done so that the program, FindNFix, will be updated with any new information that may be found in your file so that others can benefit from it. If there are problems with this step, please move on with the next steps.

When you are done, please delete the entire FindNFix folder.

Now download and run CWShredder. You can download the program from the following locations:

CWShredder Download Site #1

or

CWShredder Download Site #2

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double-click on cwshredder.exe to start the program. When the program is loaded, click on the "Check for Update" button, and if it finds a new version it will download it. You should then double-click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CWShredder

When that is completed, please download the latest version of Ad-Aware from the following location:

Ad-aware

Make sure you update the program before you scan with it. A tutorial on using ad-aware can be found below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

When that is completed, post a new HijackThis log.