HijackThis Log: Please help Diagnose


19 replies to this topic

#1 Quasar_Najack
  • Members
  • 11 posts

Posted 26 June 2004 - 08:51 AM

:thumbsup:

Logfile of HijackThis v1.97.7
Scan saved at 21:23:06, on 25/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\Arquivos de programas\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
D:\Downloads\aplicativos\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ThrustTSR] C:\Arquivos de programas\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARQUIV~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8105.6940740741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

Thanks in advance. :flowers:
[]'s

Quasar_Najack

#2 groovicus
  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 26 June 2004 - 10:19 AM

Put a checkmark next to the following in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

***********************************************************************

What other problems are you having??? :thumbsup:

#3 Quasar_Najack
  • Topic Starter
  • Members
  • 11 posts

Posted 26 June 2004 - 10:58 AM

Thank you for the prompt answer.
Ok, I did remove those lines, but after reboot I got this new log from HT:
Logfile of HijackThis v1.97.7
Scan saved at 12:57:15, on 26/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\Arquivos de programas\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
D:\Downloads\aplicativos\crap_blasters\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {990E8429-B38C-4112-A1C9-415CA508C1F2} - C:\WINDOWS\System32\ebnm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ThrustTSR] C:\Arquivos de programas\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARQUIV~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8105.6940740741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B5E4D13-062A-4E52-A8DC-C39358CFC4E6}: NameServer = 200.175.182.139 200.175.5.139

Looks like the thing is growing... :/
[]'s

Quasar_Najack

#4 groovicus
  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 26 June 2004 - 11:38 AM

There we go. All the symptoms are there now, so now we can fix it. Otherwise it would have just come back. ;)

----------------------------------------

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Put a checkmark next to the following in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {990E8429-B38C-4112-A1C9-415CA508C1F2} - C:\WINDOWS\System32\ebnm.dll


Run APM. In the upper window select explorer.exe.
In the lower window, find and right-click the BHO from the HijackThis log:
(O2 - BHO: (no name) - {990E8429-B38C-4112-A1C9-415CA508C1F2} - C:\WINDOWS\System32\ebnm.dll)

Select Unload DLL and click OK on the prompts that follow. Reboot and scan with AdAware to remove the txt and html protocol association. :D
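A small parser that does what the helper did by hand in the two posts above: diff the two HijackThis logs to see which entries appeared after the reboot, and flag the patterns the thread identified (R0/R1 search entries pointing at a file:// path in a Temp folder, the about:blank HomeOldSP entry, and an unnamed BHO loaded from System32). This is an added example, not code from the thread, from HijackThis or from the people posting here; the sample logs are constructed, trimmed copies of the ones posted above, and the flag rules are modelled on what groovicus marked for fixing.

```python
import re
from typing import Dict, List, Optional, Tuple

# One R/O entry per line: "R1 - <body>", "O2 - <body>", ...; the header and the
# "Running processes" lines do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+)\s+-\s+(?P<body>.+)$")

# Constructed samples, trimmed from the two logs posted above: the first scan,
# and the scan taken after the first two entries were fixed and the box rebooted.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {990E8429-B38C-4112-A1C9-415CA508C1F2} - C:\WINDOWS\System32\ebnm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B5E4D13-062A-4E52-A8DC-C39358CFC4E6}: NameServer = 200.175.182.139 200.175.5.139
"""


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every R/O entry in a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("sect"), m.group("body")))
    return out


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries that appeared or disappeared between two scans of the same machine."""
    b = {f"{s} - {body}" for s, body in parse_entries(before)}
    a = {f"{s} - {body}" for s, body in parse_entries(after)}
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def flag_entry(sect: str, body: str) -> Optional[str]:
    """Reason string if the entry matches a hijack pattern from the thread, else None.

    Rules are modelled on what the helper marked for fixing; they are not
    HijackThis's own logic and will not catch every variant.
    """
    low = body.lower()
    if sect in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.lower().startswith("file://"):
            where = " in a Temp folder" if "\\temp\\" in value.lower() else ""
            return f"search/start page redirected to a local file{where}"
        if value.lower() == "about:blank":
            return "start page reset to about:blank (the helper had this entry fixed too)"
    if sect == "O2":
        if "(file missing)" in low:
            return "BHO registration points at a missing file (stale entry)"
        if "(no name)" in low and "\\windows\\system32\\" in low:
            return "unnamed BHO loaded from System32"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """Every flagged entry in a log, paired with the reason it was flagged."""
    return [(f"{s} - {b}", reason)
            for s, b in parse_entries(text)
            if (reason := flag_entry(s, b)) is not None]


if __name__ == "__main__":
    for k, v in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(k, *v, sep="\n  ")
    for entry, reason in triage(LOG_AFTER):
        print(f"[{reason}] {entry}")
```

The diff shows the O17 NameServer entry as new as well, but the rules leave it unflagged, which matches the answer given later in the thread: an O17 line with the ISP's resolvers is normal and only looks suspicious when it points somewhere it should not.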

#5 Quasar_Najack
  • Topic Starter
  • Members
  • 11 posts

Posted 26 June 2004 - 12:21 PM

Ok, thanks, will do. BTW, before I do, is there nothing strange about the O17 line?
[]'s

Quasar_Najack

#6 groovicus
  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 26 June 2004 - 12:27 PM

The O17 line usually has to do with your IP, and is fine. Hijacked O17 entries look different.

#7 Quasar_Najack
  • Topic Starter
  • Members
  • 11 posts

Posted 26 June 2004 - 12:48 PM

Roger on O17 line.
Ok, I just did what you told me to do, but I couldn't find the ebnm.dll BHO in the lower window of APM. It simply was not there.
After reboot, AdAware found some CWS objects but cleaned them. Spybot found nothing suspicious.
But... here is the new HT log:
Logfile of HijackThis v1.97.7
Scan saved at 14:44:18, on 26/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\Arquivos de programas\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
D:\Downloads\aplicativos\crap_blasters\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALESSA~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D8639F3-BF1E-4DDF-BA52-27740FE4C082} - d:\downloads\aplicativos\crap_blasters\backup-20040626-142345-415.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ThrustTSR] C:\Arquivos de programas\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARQUIV~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8105.6940740741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B5E4D13-062A-4E52-A8DC-C39358CFC4E6}: NameServer = 200.175.182.139 200.175.5.139

I think we'll still have one or two beers to drink before we get this hijack fixed, don't you? :thumbsup:
Again, thank you for your time.
[]'s

Quasar_Najack

#8 groovicus
  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 26 June 2004 - 01:11 PM

I think we'll still have one or two beers to drink before we get this hijack fixed, don't you?


I'll second that!!

In reference to your infection, I am beginning to think there is a mutation of this going around, because the standard fix no longer seems to be working. :thumbsup:

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FindnFix.exe and it will install a folder called FindnFix on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.


This tool is new to me (but used quite successfully by others), so it may take me a couple of stabs to read the log it creates properly. That's all it does, btw: gather information.

#9 Quasar_Najack
  • Topic Starter
  • Members
  • 11 posts

Posted 26 June 2004 - 01:47 PM

I am almost sure it is something "new", because I am not the usual target of such trojans and viruses. Actually this is the very first time I have had a problem like this (even though I bet you guys hear this one every time... :thumbsup: ) and I have been online since '94! :flowers:
Ok, here is the log.txt (nothing much interesting, IMHO):

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [versão 5.1.2600]
O tipo do sistema de arquivos é NTFS.
C: não está sujo.

sáb 26/06/2004
3:23pm up 0 days, 0:55
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\D3DBAI.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DBAI.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
D3DBAI.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINDOWS\SYSTEM32\
d3dbai.dll Fri 25 Jun 2004 8:41:30 A...R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\D3DBAI.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Usuários
(ID-IO) ALLOW Read BUILTIN\Usuários
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access AUTORIDADE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORIDADE NT\SYSTEM
(ID-IO) ALLOW Full access PROPRIETÁRIO CRIADOR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Usuários
Full access BUILTIN\Administradores
Full access AUTORIDADE NT\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group MOURE-CKLRPBWE8\Nenhum.
User is a member of group \Todos.
User is a member of group BUILTIN\Administradores.
User is a member of group BUILTIN\Usuários.
User is a member of group \LOCAL.
User is a member of group AUTORIDADE NT\INTERATIVO.
User is a member of group AUTORIDADE NT\Usuários autenticados.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administradores
Allow 00000003 tco- 001F01FF ---- DSPO rw+x AUTORIDADE NT\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x MOURE-CKLRPBWE8\Alessandro Moure
Allow 0000000B -co- 10000000 ---A ---- ---- \PROPRIETÁRIO CRIADOR
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Usuários
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Usuários
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Usuários

Owner: MOURE-CKLRPBWE8\Alessandro Moure

Primary Group: MOURE-CKLRPBWE8\Nenhum



»»»»»»Backups created...»»»»»»
3:24pm up 0 days, 0:56
sáb 26/06/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-26-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-26-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
fůAppInit_DLLsÖŤćG¸˙˙˙C
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows1
AppInit
UDeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
MUSERProcessHandleQuota

**File C:\FINDnFIX\WIN.TXT
regf       Pugf
 :b
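FindnFix's "Size of Windows key" check and "16bit string scan" above are looking for a DLL registered under AppInit_DLLs, a value that user32.dll reads at load time to pull extra DLLs into every process that links it, which is why a hijacker that lands there survives the usual fixes. The following is an added example (not FindnFix's code, and not anything posted in the thread) of the two checks in Python: parsing a REGEDIT4 export of the Windows key and reporting any non-empty or look-alike AppInit_DLLs value, and scanning a raw hive backup for the value name encoded as UTF-16LE, which is what a 16-bit string scan does. The exports and the hive bytes are constructed; the suspect export lists D3DBAI.DLL, the file the log above reported as locked, purely as an illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the REGEDIT4 export FindnFix printed above:
# AppInit_DLLs is empty, which is the expected state on a clean machine.
REG_CLEAN = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"""

# Constructed counter-example (hypothetical; the thread's export did not show
# this): the same key with the locked DLL from the FindnFix log registered.
REG_SUSPECT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\System32\D3DBAI.DLL"
"Spooler"="yes"
"""

# Constructed stand-in for a raw hive backup (winBack.hiv above): non-text
# filler around the value name and a DLL path, both stored as UTF-16LE.
FILLER = bytes(range(32)) * 2
SAMPLE_HIVE = (FILLER
               + "AppInit_DLLs".encode("utf-16-le") + b"\x00\x00"
               + r"C:\WINDOWS\System32\D3DBAI.DLL".encode("utf-16-le")
               + FILLER)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal REGEDIT4 reader: {key path: {value name: value text}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip().strip('"')
    return keys


def appinit_findings(text: str) -> List[str]:
    """Report AppInit_DLLs values that are non-empty, or value names that only look like it."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, value in values.items():
            if "appinit" not in name.lower():
                continue
            if name != "AppInit_DLLs":
                findings.append(f"{key}: look-alike value name {name!r}")
            if value:
                findings.append(f"{key}: AppInit_DLLs loads {value} into every "
                                "process that links user32.dll")
    return findings


def scan_utf16(blob: bytes, needle: str = "AppInit_DLLs",
               context: int = 64) -> List[Tuple[int, str]]:
    """16-bit string scan: find needle as UTF-16LE in raw bytes, return (offset, nearby text)."""
    enc = needle.encode("utf-16-le")
    hits = []
    start = 0
    while True:
        i = blob.find(enc, start)
        if i < 0:
            break
        lo = i - context
        if lo < 0:
            lo = i % 2          # keep 2-byte alignment with the hit
        chunk = blob[lo:i + len(enc) + context].decode("utf-16-le", errors="replace")
        hits.append((i, "".join(c if c.isprintable() else "." for c in chunk)))
        start = i + len(enc)
    return hits


if __name__ == "__main__":
    print(appinit_findings(REG_CLEAN))     # []
    print(appinit_findings(REG_SUSPECT))   # one finding naming D3DBAI.DLL
    for off, text in scan_utf16(SAMPLE_HIVE):
        print(f"0x{off:x}: {text}")
```

The export check alone is not enough, which is the point of the thread's hive-level scan: an export only shows what the registry API reports, so the raw-byte scan is the one to trust when the two disagree.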

#10 groovicus
  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 26 June 2004 - 02:07 PM

First thing I would like you to do is create a new restore point.

Open the FindnFix folder and then open the keys1 folder. Right-click on the MOVEit.bat file and select 'edit'. That will open the file as an empty text file - copy and paste this line into the blank file:

move %WinDir%\System32\D3DBAI.DLL %SystemDrive%\junkxxx\D3DBAI.DLL

Save the file and close. The next step will cause a restart. Still in the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

On restart, open the FindnFix folder again and double-click on RESTORE.bat. When it is finished, in the FindnFix folder there will be a file called Log1.txt - post its contents in your next reply.



#11 Quasar_Najack
  • Topic Starter
  • Members
  • 11 posts

Posted 26 June 2004 - 03:25 PM

The restore system is inactive right now (I don't "thrust" the restore system). Do I really need a restore point or is it just a safety measure?
Anyway, something interesting here: I open "My Computer" and navigate to the FindnFix folder. Double-click on the keys1 folder. I right-click on MOVEit.bat and after clicking "Edit" Windows returns me this message box, with an OK button on it (a free translation from Portuguese to English):

Windows cannot find 'C:\FINDnFIX\Keys1\MOVEit.bat'. Make sure the name was typed correctly and try again. To search for a file, click on the 'Start' button, then 'Search'.

Well, I can edit the MOVEit.bat file using a DOS command. Do you want me to do it, or is this new information important?
[]'s

Quasar_Najack

ps: This is getting interesting. :thumbsup:

Edited by Quasar_Najack, 26 June 2004 - 03:27 PM.


#12 groovicus
  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 26 June 2004 - 03:54 PM

Interesting is an understatement... let me chase down the person I was following and see what he has to say about it... :flowers:

EDIT: The restore point was just a precaution. Like I said, this is a first using this tool, and I wanted to cover my butt.

Go ahead and try editing it in DOS if you wish. See if you can make it work (hence the restore point). All we are trying to do is get it to kill the .dll I have listed.

EDIT EDIT: Hmm, it worked flawlessly for me. :thumbsup:

Edited by groovicus, 26 June 2004 - 04:29 PM.


#13 Quasar_Najack
  • Topic Starter
  • Members
  • 11 posts

Posted 26 June 2004 - 05:29 PM

Ok, I will do it by editing the file in DOS mode.
I was asking about the "Edit" function on left click because I thought that it might have something to do with the problem.
I will get back to you as soon as I have the log file you asked for.
[]'s

Quasar_Najack

#14 Quasar_Najack
  • Topic Starter
  • Members
  • 11 posts

Posted 26 June 2004 - 05:36 PM

Ok, here is the content of log1.txt:
»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

sáb 26/06/2004
7:32pm up 0 days, 0:00

Microsoft Windows XP [versão 5.1.2600]
O tipo do sistema de arquivos é NTFS.
C: não está sujo.

*Locked files...


[]'s

Quasar_Najack

#15 groovicus
  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 26 June 2004 - 05:43 PM

Ok, at the risk of sounding repetitive, rerun the first step, and post that log here.


Double-click on the FindnFix.exe and it will install a folder called FindnFix on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
