Hijacked JimmyJ


  • This topic is locked
20 replies to this topic

#1 JimmyJ (Members, 13 posts)

Posted 27 September 2004 - 04:09 PM

Hi

Would really appreciate some assistance in eliminating nuisance spyware. Basically, my IE browser is hijacked to a search page at start up and periodically during navigation. User name and password also changed. Tried SpyBot, AVG and AdAware but problem still there.

I have followed FAQ instructions unzipping HijackThis to its own file on C drive and revealed hidden files. Any assistance would be much appreciated.

Regards

Jimmy

Logfile of HijackThis v1.98.2
Scan saved at 21:59:48, on 27/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\SCVHOST.EXE
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IENavigator Special Edition\IENavigator.exe
C:\DOCUME~1\Jimmy\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF9C596-A98E-4726-9B78-C2512E03900C} - C:\WINDOWS\System32\jgdacd.dll
O2 - BHO: IENavigatorBHO Class - {F11241DB-B253-4B6D-8BB0-200A58766789} - C:\Program Files\IENavigator Special Edition\NavIEPlugins.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: IENavigator Bar - {3DA53F1F-15EC-42B4-90D8-35E1B1C49FE7} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O3 - Toolbar: IENavigator Links Bar - {1929B8F7-04AC-476B-9554-DA0608BF0980} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c38 -w
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IENavigator] C:\Program Files\IENavigator Special Edition\IENavigator.exe /MIN
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open all links in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_all.htm
O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_sel.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/31269/online.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O18 - Filter: text/html - {BF060EE4-0243-48A3-86B6-760EB59C90C5} - C:\WINDOWS\System32\jgdacd.dll
O18 - Filter: text/plain - {BF060EE4-0243-48A3-86B6-760EB59C90C5} - C:\WINDOWS\System32\jgdacd.dll


#2 JimmyJ (Topic Starter, Members, 13 posts)

Posted 27 September 2004 - 04:34 PM

Sorry, newbie error in installing HijackThis to the appropriate file :thumbsup: Corrected version below:

Logfile of HijackThis v1.98.2
Scan saved at 22:30:54, on 27/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\SCVHOST.EXE
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IENavigator Special Edition\IENavigator.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF9C596-A98E-4726-9B78-C2512E03900C} - C:\WINDOWS\System32\jgdacd.dll
O2 - BHO: IENavigatorBHO Class - {F11241DB-B253-4B6D-8BB0-200A58766789} - C:\Program Files\IENavigator Special Edition\NavIEPlugins.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: IENavigator Bar - {3DA53F1F-15EC-42B4-90D8-35E1B1C49FE7} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O3 - Toolbar: IENavigator Links Bar - {1929B8F7-04AC-476B-9554-DA0608BF0980} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c38 -w
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IENavigator] C:\Program Files\IENavigator Special Edition\IENavigator.exe /MIN
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open all links in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_all.htm
O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_sel.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/31269/online.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O18 - Filter: text/html - {BF060EE4-0243-48A3-86B6-760EB59C90C5} - C:\WINDOWS\System32\jgdacd.dll
O18 - Filter: text/plain - {BF060EE4-0243-48A3-86B6-760EB59C90C5} - C:\WINDOWS\System32\jgdacd.dll
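
As an added example (not code from this thread, from HijackThis or from BleepingComputer), the Python script below applies the kind of reading that leads from the log above to the cleanup later in the thread. It scans a constructed excerpt of the posted log and flags the R1 search-page redirect to a local file, the unnamed BHO, the text/html and text/plain MIME filters, the ms-its: and file: ActiveX download sources, the Run entries that start explorer.exe from System32 and a svchost look-alike, and the DLL that is registered both as BHO and as filter. The heuristics, the SAMPLE_LOG excerpt and the function names are the example's own assumptions, not anything HijackThis itself reports.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis 1.98.2 log posted in this thread (a dozen
# representative lines, not the whole log), embedded so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF9C596-A98E-4726-9B78-C2512E03900C} - C:\WINDOWS\System32\jgdacd.dll
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c38 -w
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/31269/online.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O18 - Filter: text/html - {BF060EE4-0243-48A3-86B6-760EB59C90C5} - C:\WINDOWS\System32\jgdacd.dll
O18 - Filter: text/plain - {BF060EE4-0243-48A3-86B6-760EB59C90C5} - C:\WINDOWS\System32\jgdacd.dll
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

# Core Windows process names; a Run entry whose file name is one edit or one swapped
# pair of letters away from these (SCVHOST vs svchost) is a classic impostor pattern.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "explorer.exe"}
# Binaries with exactly one legitimate home: the real Explorer is C:\WINDOWS\Explorer.EXE
# (it appears in the process list above), so a copy started from System32 is out of place.
EXPECTED_LOCATION = {"explorer.exe": r"c:\windows\explorer.exe"}
# URL schemes in an O16 (Download Program Files) entry that point at local or CHM content.
LOCAL_SCHEMES = {"file", "ms-its", "its", "mk"}


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (section, reason, evidence) tuples for entries worth a second look."""
    findings = []
    dll_sections = defaultdict(set)  # dll file name -> HJT sections that load it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        parts = body.split(" - ")
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip().lower()
            # A search/start page served from a local file, or an about: page other than
            # about:blank, is how the redirect described in this thread shows up.
            if value.startswith("file:") or (value.startswith("about:") and value != "about:blank"):
                findings.append((section, "IE start/search page redirected to a local or about: URL", line))
        elif section == "O2":
            dll_sections[basename(parts[-1])].add("O2")
            if "(no name)" in parts[0]:
                findings.append((section, "Browser Helper Object with no registered name", line))
        elif section == "O18":
            mime = parts[0].split(": ", 1)[1]
            dll_sections[basename(parts[-1])].add("O18")
            # A pluggable MIME filter for text/html or text/plain sees every page IE renders;
            # Windows registers none of its own for these two types.
            if mime in ("text/html", "text/plain"):
                findings.append((section, f"MIME filter installed for {mime}", line))
        elif section == "O16":
            scheme = parts[-1].split(":", 1)[0].lower()
            if scheme in LOCAL_SCHEMES:
                findings.append((section, f"ActiveX download source uses {scheme}: scheme", line))
        elif section == "O4":
            cmd = body.partition("] ")[2].lstrip('"')
            exe = re.search(r"(.+?\.exe)", cmd, re.I)
            if not exe:
                continue
            path, name = exe.group(1), basename(exe.group(1))
            if name in EXPECTED_LOCATION and path.lower() != EXPECTED_LOCATION[name]:
                findings.append((section, f"{name} started from an unexpected directory", line))
            elif name not in SYSTEM_PROCESS_NAMES and any(
                    osa_distance(name, known) <= 1 for known in SYSTEM_PROCESS_NAMES):
                findings.append((section, f"{name} looks like a misspelt system process name", line))
    # One DLL registered both as a BHO and as a MIME filter is the strongest single signal.
    for dll, sections in sorted(dll_sections.items()):
        if {"O2", "O18"} <= sections:
            findings.append(("O2+O18", "one DLL registered as both BHO and MIME filter", dll))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {evidence}")
```

Run against the excerpt, the script reports nine findings; the correlation at the end singles out jgdacd.dll, the same file FindNFix later lists under "BHO search and other files" and that is gone from the post-fix log. The vendor-looking entries (the Acrobat BHO, the Zone Labs client) pass through untouched, which is the point of pairing each heuristic with an allow condition rather than flagging everything in System32.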

#3 Grinler (Lawrence Abrams, Admin, 43,659 posts, USA)

Posted 28 September 2004 - 01:56 PM

Please do the following:

Download the program FindNFix from the following location:

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed, a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#4 JimmyJ (Topic Starter, Members, 13 posts)

Posted 28 September 2004 - 06:26 PM

Hey Grinler

Good to have your help :thumbsup:

FNF Log as follows:


Wed 29 Sep 04 00:16:43

»»»»»»»»»»»»»»»»»»***LOG!***(*updated *9/1*)»»»»»»»»»»»»»»»»

*System:
Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)
*IE version:
6.0.2900.2180 SP2

The type of the file system is NTFS.


MS-DOS Version 5.00.500

*command.com test passed!

__________________________________
!!*Creating backups...!!

The operation completed successfully
0:16:42.77 29/09/2004
__________________________________

*Local time:
29 September 2004 (29/09/2004)
00:16, GMT Standard Time
*Uptime:
00:16:44 up 0 days, 0:27:29

*Path:
C:\FINDnFIX
----------------------------------------------------
»»Member of...: ("ADMIN" logon + group match required!)

User is a member of group IBM-L0W188YGRBL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

User: [IBM-L0W188YGRBL\Jimmy], is a member of:

BUILTIN\Administrators
\Everyone
IBM-L0W188YGRBL\None

Running in WORKSTATION MODE.

SystemDrive is C:
SystemRoot is C:\WINDOWS
Logon Domain is IBM-L0W188YGRBL
Administrator's Name is Jimmy
Computer Name is IBM-L0W188YGRBL
LOGON SERVER is \\IBM-L0W188YGRBL

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

______________________________________________________________________________
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
______________________________________________________________________________

......Scanning for file(s)...
*Note! The list(s) may include legitimate files!
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........
»»Read access error(s)...


»»»»» (*2*) »»»»»........

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»

»»»»»(*6*)»»»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...
*List of files and specs according to 'size' :
*Note: Not all files listed here are infected, but *may include* the
name and spces of the offending file...
___________________________________________________________________________
Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

222. Dpwsockx Dll 57,344 . . . . A 8-04-04 12:56 am
503. Logjh Dll 57,344 . . . . A 9-23-04 6:22 pm
588. Msasn1 Dll 57,344 . . . . A 8-04-04 12:56 am
194. Dmloader Dll 35,840 . . . . A 8-04-04 12:56 am
342. Imgutil Dll 35,840 . . . . A 8-04-04 12:56 am
1036. Umandlg Dll 35,840 . . . . A 8-04-04 12:56 am
218. Dpvacm Dll 21,504 . . . . A 8-04-04 12:56 am
271. Feclient Dll 21,504 . . . . A 8-04-04 12:56 am

____________________________________________________________________________
*By size and date...


C:\WINDOWS\SYSTEM32\
dpwsockx.dll Wed 4 Aug 2004 0:56:44 A.... 57,344 56.00 K
logjh.dll Thu 23 Sep 2004 18:22:28 A.... 57,344 56.00 K
msasn1.dll Wed 4 Aug 2004 0:56:44 A.... 57,344 56.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 172,032 bytes 168.00 K

C:\WINDOWS\SYSTEM32\
dmloader.dll Wed 4 Aug 2004 0:56:44 A.... 35,840 35.00 K
imgutil.dll Wed 4 Aug 2004 0:56:44 A.... 35,840 35.00 K
umandlg.dll Wed 4 Aug 2004 0:56:48 A.... 35,840 35.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 107,520 bytes 105.00 K

C:\WINDOWS\SYSTEM32\
dpvacm.dll Wed 4 Aug 2004 0:56:44 A.... 21,504 21.00 K
feclient.dll Wed 4 Aug 2004 0:56:44 A.... 21,504 21.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 43,008 bytes 42.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\DPWSOCKX.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LOGJH.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MSASN1.DLL
SNiF 1.34 statistics

Matching files : 3 Amount in bytes : 172032
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\DMLOADER.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\IMGUTIL.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\UMANDLG.DLL
SNiF 1.34 statistics

Matching files : 3 Amount in bytes : 107520
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\DPVACM.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FECLIENT.DLL
SNiF 1.34 statistics

Matching files : 2 Amount in bytes : 43008
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


BHO search and other files...

**File C:\WINDOWS\SYSTEM32\JGDACD.DLL
000020E8: 25 25 25 30 32 78 00 00 . 00 00 00 00 C0 82 05 B3 %%%02x.. ....└é.│


No matches found.

"C:\WINDOWS\system32\"
jgdacd.dll 24 Sep 2004 31744 "jgdacd.dll"
rtipxmib.dll 4 Aug 2004 31744 "rtipxmib.dll"

2 items found: 2 files, 0 directories.
Total of file sizes: 63,488 bytes 62.00 K

*sp.html found in temp folder:
--a-- - - - - - 7,978 09-29-2004 sp.html
File: <C:\DOCUME~1\Jimmy\LOCALS~1\Temp\sp.html>

CRC-32 : 444667F8

MD5 : BAEA99C5 727A06CE C224AE6F C66006B3




*Filter keys search...
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
CLSID = {BF060EE4-0243-48A3-86B6-760EB59C90C5}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
CLSID = {BF060EE4-0243-48A3-86B6-760EB59C90C5}

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Comparing *saved* key with *original*...

REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

No differences found.

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Performing string scan....
00001150: ?
00001190: vk f AppInit_
000011D0:DLLs G vk UDeviceNotSelectedTimeout
00001210: 1 5 9 0 N vk ' zGDIProce
00001250:ssHandleQuota" vk Spooler2 y e s _
00001290: 0 ` vk 5swapdisk vk
000012D0: . TransmissionRetryTimeout 0 `
00001310: vk ' V USERProcessHandleQuotaa
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
f¨AppInit_DLLsÍŹŠG
--------------
--------------
$011C8: AppInit_DLLs
$011F7: UDeviceNotSelectedTimeout
$01247: zGDIProcessHandleQuota
$012E0: TransmissionRetryTimeout
$01330: USERProcessHandleQuotaa
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

.............
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : ""
0000 00 00 | ..
-----------------------

»»»»»»Backups list...»»»»»»
00:20:59 up 0 days, 0:31:43
-----------------------
Wed 29 Sep 04 00:20:59


C:\FINDNFIX\
keyback.hiv Wed 29 Sep 2004 0:16:44 A.... 8,192 8.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 8,192 bytes 8.00 K

C:\FINDNFIX\KEYS1\
winkey.reg Wed 29 Sep 2004 0:16:44 A.... 287 0.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 287 bytes 0.28 K

*Temp backups...

"C:\Documents and Settings\Jimmy\Local Settings\Temp\Backs2\"
keyback2.hi_ 29 Sep 2004 8192 "keyback2.hi_"
winkey2.re_ 29 Sep 2004 287 "winkey2.re_"

2 items found: 2 files, 0 directories.
Total of file sizes: 8,479 bytes 8.28 K
-D---- JUNKXXX 00000000 00:16.44 29/09/2004
A----- STARTIT .BAT 00000060 00:16.44 29/09/2004

________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
-----END------
Wed 29 Sep 04 00:21:00


#5 Grinler (Lawrence Abrams, Admin, 43,659 posts, USA)

Posted 28 September 2004 - 10:33 PM

Now that we know what the offending file is, we can move to the next step.

Please for the period of doing this cleanup, disable your virus scan program.

Then open the FindNFix folder which can be found at c:\findnfix.

Inside that folder will be another folder called keys1. Please double-click on that folder.

When that folder opens you will see a file called Fix.bat. Double-click on that file to start it.

You will get an alert that your computer will reboot in about 15 seconds. Allow the computer to reboot.

When the computer has rebooted and you are at the desktop, click on the Start menu and select Search. You want to find the file Logjh.Dll.

When the file is found, select the Logjh.Dll file by clicking on it once so it becomes highlighted. Then click on the Edit menu and select the "Move to Folder" option. Scroll down until you see the C: drive, expand it by clicking on the plus sign, and then expand the FindNFix directory. You should then see under the C:\FindNFix directory a directory called junkxxx. Select that as the final destination and click on the Move button. If you get a warning about the file being read-only, allow it to be moved anyway.

When that is completed, open up the c:\findnfix folder again and double-click on the RESTORE.bat file.

When it is finished, open the c:\findnfix folder again and double click on the Log1.txt file found there. This will open up notepad. Please post all of the contents of the notepad that opens in a reply to this topic.

#6 JimmyJ (Topic Starter, Members, 13 posts)

Posted 29 September 2004 - 11:39 AM

Followed instructions :thumbsup: Updated Log:

Wed 29 Sep 04 17:24:11

»»»»»»»»»»»»»»»»»»***LOG2!(*updated *9/1*)***»»»»»»»»»»»»»»»»

*System:
Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)
*IE version:
6.0.2900.2180 SP2

The type of the file system is NTFS.

___________________________________________
!!Restoring backups!!

The operation completed successfully

The operation completed successfully
17:24:09.09 29/09/2004
___________________________________________

*Local time:
29 September 2004 (29/09/2004)
17:24, GMT Standard Time
*Uptime:
17:24:13 up 0 days, 0:03:24

*path:
C:\FINDnFIX
Running in WORKSTATION MODE.

SystemDrive is C:
SystemRoot is C:\WINDOWS
Logon Domain is IBM-L0W188YGRBL
Administrator's Name is Jimmy
Computer Name is IBM-L0W188YGRBL
LOGON SERVER is \\IBM-L0W188YGRBL
------------------------------------------


This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size And Date...

*List of files specs according to size:
*Note: Not all files listed here are infected!
____________________________________________________________________________
Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

222. Dpwsockx Dll 57,344 . . . . A 8-04-04 12:56 am
586. Msasn1 Dll 57,344 . . . . A 8-04-04 12:56 am
194. Dmloader Dll 35,840 . . . . A 8-04-04 12:56 am
342. Imgutil Dll 35,840 . . . . A 8-04-04 12:56 am
1034. Umandlg Dll 35,840 . . . . A 8-04-04 12:56 am
218. Dpvacm Dll 21,504 . . . . A 8-04-04 12:56 am
271. Feclient Dll 21,504 . . . . A 8-04-04 12:56 am

____________________________________________________________________________

C:\WINDOWS\SYSTEM32\
dpwsockx.dll Wed 4 Aug 2004 0:56:44 A.... 57,344 56.00 K
msasn1.dll Wed 4 Aug 2004 0:56:44 A.... 57,344 56.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 114,688 bytes 112.00 K

C:\WINDOWS\SYSTEM32\
dmloader.dll Wed 4 Aug 2004 0:56:44 A.... 35,840 35.00 K
imgutil.dll Wed 4 Aug 2004 0:56:44 A.... 35,840 35.00 K
umandlg.dll Wed 4 Aug 2004 0:56:48 A.... 35,840 35.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 107,520 bytes 105.00 K

C:\WINDOWS\SYSTEM32\
dpvacm.dll Wed 4 Aug 2004 0:56:44 A.... 21,504 21.00 K
feclient.dll Wed 4 Aug 2004 0:56:44 A.... 21,504 21.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 43,008 bytes 42.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\DPWSOCKX.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MSASN1.DLL
SNiF 1.34 statistics

Matching files : 2 Amount in bytes : 114688
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\DMLOADER.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\IMGUTIL.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\UMANDLG.DLL
SNiF 1.34 statistics

Matching files : 3 Amount in bytes : 107520
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\DPVACM.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FECLIENT.DLL
SNiF 1.34 statistics

Matching files : 2 Amount in bytes : 43008
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

BHO search and other files...



No matches found.

"C:\WINDOWS\system32\"
rtipxmib.dll 4 Aug 2004 31744 "rtipxmib.dll"

1 item found: 1 file, 0 directories.
Total of file sizes: 31,744 bytes 31.00 K


No matches found.

--*sp.html in temp folder was NOT FOUND!--

*Filter keys search...
REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

--(*text/html Subkey was NOT FOUND!)--

REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

--(*text/plain Subkey was NOT FOUND!)--

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»*»»» Scanning for moved file... »»»*»»»



C:\FINDNFIX\JUNKXXX\
logjh.333 Thu 23 Sep 2004 18:22:28 A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\LOGJH.333
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.*

**File C:\FINDNFIX\JUNKXXX\LOGJH.333

A----- LOGJH .333 0000E000 18:22.28 23/09/2004

Analyzer v1.36 by Boogie Copyright © 1997 ESP Team
Files: C:\FINDNFIX\JUNKXXX\*.*
─
LOGJH.333 Binary file
─


Volume: None * DDIR * 5:28 pm | Wed, 9-29-04
Ser #: 3889-4D9E DOS Ver. 5.00 0% Used space
Path: C:\FINDNFIX\JUNKXXX All files selected

1. Logjh 333 57,344 . . . . A 9-23-04 6:22 pm

No. of files: 1 | List size: 57,344
Disk size: 976.5 M | Actual spc: 65,024
Bytes free: 976.5 M | Wasted space: 7,680

--a-- - - - - - 57,344 09-23-2004 logjh.333
A C:\FINDnFIX\junkxxx\logjh.333

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
LOGJH.333 57344 09-23-104 18:22 09a22b1bcd9725df5b3591ebbd2cebd6

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
LOGJH.333 : crc16=0000 crc32=7D5F8289

File: <C:\FINDnFIX\junkxxx\logjh.333>

CRC-32 : 7D5F8289

MD5 : 09A22B1B CD9725DF 5B3591EB BD2CEBD6




#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\logjh.333 Everyone:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F
IBM-L0W188YGRBL\Jimmy:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x IBM-L0W188YGRBL\Jimmy
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: IBM-L0W188YGRBL\Jimmy

Primary Group: IBM-L0W188YGRBL\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x IBM-L0W188YGRBL\Jimmy
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: IBM-L0W188YGRBL\Jimmy

Primary Group: IBM-L0W188YGRBL\None

File "C:\FINDnFIX\junkxxx\logjh.333"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x IBM-L0W188YGRBL\Jimmy
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: IBM-L0W188YGRBL\Jimmy

Primary Group: IBM-L0W188YGRBL\None

C:\FINDnFIX\junkxxx\logjh.333;Everyone:F
C:\FINDnFIX\junkxxx\logjh.333;NT AUTHORITY\SYSTEM:F
C:\FINDnFIX\junkxxx\logjh.333;BUILTIN\Administrators:F
C:\FINDnFIX\junkxxx\logjh.333;NT AUTHORITY\SYSTEM:F
C:\FINDnFIX\junkxxx\logjh.333;BUILTIN\Administrators:F
C:\FINDnFIX\junkxxx\logjh.333;NT AUTHORITY\SYSTEM:F[I]
C:\FINDnFIX\junkxxx\logjh.333;BUILTIN\Administrators:F[I]
C:\FINDnFIX\junkxxx\logjh.333;IBM-L0W188YGRBL\Jimmy:F[I]
C:\FINDnFIX\junkxxx\logjh.333;BUILTIN\Users:RX[I]



»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Comparing *saved* key with *original*...

REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

No differences found.

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 vk ' z
00001210:GDIProcessHandleQuota" 9 0 N vk X
00001250:Spooler2 y e s _ vk 5swapdisk
00001290: 8 h vk ( . TransmissionRetryTimeout
000012D0: vk ' V USERProcessHandleQuotaa 8
00001310:h vk | AppInit_DLLsler2
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLsler2Ş
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuotaa
$01338: AppInit_DLLsler2
--------------
--------------
No strings found.

--------------
--------------
d.... 0 Sep 29 0:16 .
d.... 0 Sep 29 0:16 ..
....a 57344 Sep 23 18:22 logjh.333

3 files found occupying 55296 bytes


===============================================================================
57,344 bytes 5,734,400 cps
Files: 1 Records: 1 Matches: 0 Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 09-29-:4 00:16|LOGJH 333 57344 A 09-23-:4 18:22
.. <dir> 09-29-:4 00:16|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...

junkxxx\logjh.333
1 file(s) copied.
56880 00000000 00000000 00000000 00000000 |................| 0de30
56896 00000000 00000000 00000000 00000000 |................| 0de40
56912 00000000 00000000 00000000 00000000 |................| 0de50
56928 00000000 00000000 00000000 00000000 |................| 0de60
56944 00000000 00000000 00000000 00000000 |................| 0de70
56960 00000000 00000000 00000000 00000000 |................| 0de80
56976 00000000 00000000 00000000 00000000 |................| 0de90
56992 00000000 00000000 00000000 00000000 |................| 0dea0
57008 00000000 00000000 00000000 00000000 |................| 0deb0
57024 00000000 00000000 00000000 00000000 |................| 0dec0
57040 00000000 00000000 00000000 00000000 |................| 0ded0
57056 00000000 00000000 |........ | 0dee0

Detecting...

C:\FINDnFIX\junkxxx
logjh.333 ACL has 9 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = IBM-L0W188YGRBL/Jimmy S-1-5-21-1220945662-854245398-1957994488-1004
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 8 is an ACCESS_ALLOWED_ACE_TYPE
ACE 8 mask = 0x001200a9 -R -X
ACL done...


Finished Detecting...
=========================================
57344 C:\FINDnFIX\junkxxx\logjh.333 Jimmy
57344 C:\FINDnFIX\junkxxx (DIR Total)

Owner No. Files Total Size
=========================================
Jimmy 1 57344
________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»
Wed 29 Sep 04 17:28:40
-----END-----
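The log above identifies the hidden file three ways (size, CRC-32, MD5) and compares it against a short table of known samples. Note the result: logjh.333 has the same 57,344-byte size as the first known sample but neither digest matches, so the tool has found a build it has not seen before, which is why the next post asks for junkxxx.zip to be sent in. The Python below is an added example, not FindNFix code and not part of any post in this thread, that reproduces that comparison. The known-file table and the values reported for logjh.333 are transcribed from the log; the function names (fingerprint, classify, classify_logjh) and the sample bytes are my own constructions.

```python
import hashlib
import zlib
from typing import Optional, Tuple

# Known-sample table transcribed from the FindNFix log above:
# size in bytes, CRC-32 and MD5, one entry per known build.
KNOWN_FILES = [
    {"label": "56k variant", "size": 57344,
     "crc32": "D5C9FB2E", "md5": "C185B36F9969D3A6D2122BA7CBC02249"},
    {"label": "35k variant", "size": 35840,
     "crc32": "33081C8B", "md5": "1DE9A8E24C8260067A479B09577D9CAE"},
    {"label": "21k variant", "size": 21504,
     "crc32": "2258F59E", "md5": "EFEE2CB3B342A351518023569637F8E6"},
]

# Values the log reports for logjh.333 (size, CRC-32, MD5), as printed above.
LOGJH_REPORTED = {"size": 57344, "crc32": "7D5F8289",
                  "md5": "09A22B1BCD9725DF5B3591EBBD2CEBD6"}


def fingerprint(data: bytes) -> dict:
    """Size, CRC-32 and MD5 of a blob, formatted like the log (upper-case hex)."""
    return {
        "size": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest().upper(),
    }


def classify(fp: dict, known=KNOWN_FILES) -> Tuple[str, Optional[str]]:
    """Compare a fingerprint against the known table.

    Returns one of:
      ("known", label)             both digests match a known sample
      ("digest-conflict", label)   only one digest matches: the file is damaged
                                   or the table entry is wrong; treat as suspect
      ("same-size-unknown", label) size matches a known sample but the digests
                                   do not: most likely a new build of the same
                                   component, worth submitting for analysis
      ("unknown", None)            nothing in the table resembles it
    """
    for entry in known:
        md5_hit = fp["md5"].upper() == entry["md5"]
        crc_hit = fp["crc32"].upper() == entry["crc32"]
        if md5_hit and crc_hit:
            return "known", entry["label"]
        if md5_hit or crc_hit:
            return "digest-conflict", entry["label"]
    for entry in known:
        if entry["size"] == fp["size"]:
            return "same-size-unknown", entry["label"]
    return "unknown", None


def classify_logjh() -> Tuple[str, Optional[str]]:
    """Classify logjh.333 exactly as the log reported it."""
    return classify(LOGJH_REPORTED)


if __name__ == "__main__":
    print("logjh.333 as reported:", classify_logjh())
    # Constructed sample: ordinary bytes to hash, not a real malware file.
    sample = b"constructed sample bytes\n" * 4
    print("constructed sample:", fingerprint(sample), classify(fingerprint(sample)))
```

The size-only match is the interesting case for a responder: a tool that only checks hashes would report "unknown" and move on, while the same-size signal is what makes the file worth submitting so the tool's table can be extended.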


#7 Grinler (Lawrence Abrams, Admin)

Posted 29 September 2004 - 12:06 PM

Please now open the FindNFix folder again. Then double click on the Files2 folder to open that. Double-click on the ZIPZAP.bat file.

It will clean the rest of the infection and make a copy of the bad file in the same folder and name it junkxxx.zip and open your email client with instructions as to what to do.

Simply drag the junkxxx.zip file into your email message so it becomes an attachment. Then copy and paste the link to this topic into the body of the message and send the email. This is done so that the program, FindNFix, will be updated with any new information that may be found in your file so that others can benefit from it. If there are problems with this step, please move on with the next steps.

When you are done, please delete the entire FindNFix folder.

Now download and run CWShredder. You can download the program from the following locations:

CWShredder Download Site

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CWShredder

When that is completed, please download the latest version of Ad-Aware from the following location:

Ad-aware

Make sure you update the program before you scan with it. A tutorial on using ad-aware can be found below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

When that is completed, post a new hijackthis log.

#8 JimmyJ (Topic Starter)

Posted 29 September 2004 - 12:50 PM

Are we cured :thumbsup: ?

Logfile of HijackThis v1.98.2
Scan saved at 18:48:45, on 29/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\SCVHOST.EXE
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IENavigator Special Edition\IENavigator.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IENavigatorBHO Class - {F11241DB-B253-4B6D-8BB0-200A58766789} - C:\Program Files\IENavigator Special Edition\NavIEPlugins.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: IENavigator Bar - {3DA53F1F-15EC-42B4-90D8-35E1B1C49FE7} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O3 - Toolbar: IENavigator Links Bar - {1929B8F7-04AC-476B-9554-DA0608BF0980} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c38 -w
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IENavigator] C:\Program Files\IENavigator Special Edition\IENavigator.exe /MIN
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open all links in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_all.htm
O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_sel.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/31269/online.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7EA127-AA23-424C-A95B-190424809113}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A7EA127-AA23-424C-A95B-190424809113}: NameServer = 195.92.195.94 195.92.195.95

#9 Grinler (Lawrence Abrams, Admin)

Posted 29 September 2004 - 01:20 PM

Please uninstall IE Navigator.


Then fix these entries with hijackthis:

O2 - BHO: IENavigatorBHO Class - {F11241DB-B253-4B6D-8BB0-200A58766789} - C:\Program Files\IENavigator Special Edition\NavIEPlugins.dll
O3 - Toolbar: IENavigator Bar - {3DA53F1F-15EC-42B4-90D8-35E1B1C49FE7} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O3 - Toolbar: IENavigator Links Bar - {1929B8F7-04AC-476B-9554-DA0608BF0980} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O4 - HKCU\..\Run: [IENavigator] C:\Program Files\IENavigator Special Edition\IENavigator.exe /MIN
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/31269/online.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

Reboot into safe mode and delete:

C:\Program Files\IENavigator Special Edition\

Reboot and post a last log

#10 JimmyJ (Topic Starter)

Posted 29 September 2004 - 02:37 PM

Hey Grinler

Uninstalled IENavigator via control panel

These did not show up on next run of Hijackthis:

O2 - BHO: IENavigatorBHO Class - {F11241DB-B253-4B6D-8BB0-200A58766789} - C:\Program Files\IENavigator Special Edition\NavIEPlugins.dll
O3 - Toolbar: IENavigator Bar - {3DA53F1F-15EC-42B4-90D8-35E1B1C49FE7} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O3 - Toolbar: IENavigator Links Bar - {1929B8F7-04AC-476B-9554-DA0608BF0980} - C:\PROGRA~1\IENAVI~1\NavIEGUI.dll
O4 - HKCU\..\Run: [IENavigator] C:\Program Files\IENavigator Special Edition\IENavigator.exe /MIN

Deleted
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/31269/online.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

and rebooted to delete: C:\Program Files\IENavigator Special Edition\ as instructed.

Lost pictures on browser! Hijack log below:

Logfile of HijackThis v1.98.2
Scan saved at 20:26:50, on 29/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\SCVHOST.EXE
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c38 -w
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open all links in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_all.htm
O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_sel.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk

#11 Grinler (Lawrence Abrams, Admin)

Posted 29 September 2004 - 02:49 PM

When you say you lost pictures on the browser, what do you mean?

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button.

O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c38 -w
O8 - Extra context menu item: Open all links in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_all.htm
O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\IENavigator Special Edition\System\Scripts\off_open_sel.htm
Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\system32\SCVHOST.EXE
C:\WINDOWS\system32\REGCPM32.EXE
C:\WINDOWS\system32\explorer.exe
C:\Program Files\IENavigator Special Edition\

Reboot your computer to go back to normal mode and post a new log.
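The three Run entries Grinler singles out here show two patterns that a log triage script can catch mechanically: a value whose file name is one character away from a real system binary (SCVHOST.EXE against svchost.exe) and a genuine system binary name launched from the wrong directory (explorer.exe from system32 rather than the Windows folder). The Python below is an added example, not part of this thread and not HijackThis code, that applies those two checks to the O4 lines copied from the log in post #10. The EXPECTED_LOCATION table is my assumption about a default XP layout, and the function names (osa_distance, split_command, triage_o4) are mine. REGCPM32.EXE is deliberately left unflagged: an arbitrary name in system32 matches neither heuristic, which is the limit of this approach and the reason the entries still need an analyst's eye.

```python
import os
import re
from typing import Dict, List, Tuple

# Assumed default locations of core binaries on Windows XP (an assumption
# for this example, not something the thread states).
EXPECTED_LOCATION: Dict[str, str] = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}

# HijackThis O4 lines have the shape:  O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# O4 lines copied from the HijackThis log in post #10 above.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe",
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"',
    r'O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon',
    r"O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP",
    r"O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe",
    r"O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE",
    r"O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE",
    r"O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c38 -w",
    r"O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe",
    r"O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so 'scvhost' is distance 1 from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted paths may contain spaces, so cut after the first executable suffix.
    m = re.match(r"(?i)(.*?\.(?:exe|com|bat|scr|pif))(?:\s+(.*))?$", cmd)
    if m:
        return m.group(1), m.group(2) or ""
    return cmd, ""


def triage_o4(lines: List[str]) -> List[dict]:
    """Return the O4 Run entries that trip either heuristic, with the reason."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path, args = split_command(m.group("cmd"))
        norm = path.replace("\\", "/")
        base = os.path.basename(norm).lower()
        folder = os.path.dirname(norm).lower().replace("/", "\\")
        reasons = []
        expected = EXPECTED_LOCATION.get(base)
        if expected is not None:
            # Real system binary name: it must run from its normal folder.
            if folder and folder != expected:
                reasons.append(f"{base} expected in {expected}, runs from {folder}")
        else:
            # Unknown name: is it a near-miss spelling of a system binary?
            for legit in EXPECTED_LOCATION:
                if osa_distance(base, legit) == 1:
                    reasons.append(f"name is one edit away from {legit}")
        if reasons:
            findings.append({"name": m.group("name"), "path": path,
                             "args": args, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_o4(SAMPLE_O4_LINES):
        print(hit["name"], "->", hit["path"], "|", "; ".join(hit["reasons"]))
```

Running it against the sample lines reports MSStartOptimizer (lookalike name) and explorer (wrong folder) and stays silent on the legitimate vendor entries, which is the point of keeping the heuristics narrow: a triage script should raise a short list for a human to confirm, not guess at every unfamiliar name.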

#12 JimmyJ (Topic Starter)

Posted 29 September 2004 - 03:08 PM

Hey Grinler

When I mean pictures I'm talking about anything that is not text (jpeg, gif, etc.).

Really, really grateful for your continued assistance :thumbsup:

Latest log:

Logfile of HijackThis v1.98.2
Scan saved at 21:06:17, on 29/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7EA127-AA23-424C-A95B-190424809113}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A7EA127-AA23-424C-A95B-190424809113}: NameServer = 195.92.195.94 195.92.195.95

#13 Grinler (Lawrence Abrams, Admin)

Posted 29 September 2004 - 03:12 PM

Reboot into safe mode and fix these entries in hijackthis:

O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\system32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\system32\REGCPM32.EXE

Then delete :

C:\WINDOWS\system32\SCVHOST.EXE
C:\WINDOWS\system32\REGCPM32.EXE

Reboot and post another log. When this is done we will work on the pictures.

#14 JimmyJ (Topic Starter)

Posted 29 September 2004 - 03:29 PM

Hey

Latest hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 21:26:31, on 29/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk

#15 Grinler (Lawrence Abrams, Admin)

Posted 29 September 2004 - 03:38 PM

Looks good to me...

Can you view images now?



