About:blank

#1 deedz32 (Member, 1 posts)

Posted 25 June 2004 - 10:08 AM

I ran FINDnFIX. Here's my log.


Microsoft Windows XP [Version 5.1.2600]
The type of the file system is FAT32.
C: is not dirty.

Fri 06/25/2004
10:59am up 0 days, 0:47
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\SQLNBIE.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLNBIE.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
SQLNBIE.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINDOWS\SYSTEM32\
sqlnbie.dll Wed Jun 23 2004 12:58:42p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\SQLNBIE.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group DEFAULT-7R3WMM0\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone



»»»»»»Backups created...»»»»»»
11:00am up 0 days, 0:47
Fri 06/25/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-25-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-25-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs4
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota0
AppInit
DLLs4

**File C:\FINDnFIX\WIN.TXT
Ń_åą’’’vk € 5swapdisk h ° š X Š’’’vk ą . TransmissionRetryTimeoutŠ’’’vk € ' l USERProcessHandleQuota0 ą’’’h ° š X ˆ Ų Ų’’’vk
@ 9 AppInit_DLLs4 5 ø’’’C : \ W I N D O W S \ S y s t e m 3 2 \ s q l n b i e . d l l C ø

#2 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 27 June 2004 - 09:56 PM

Well that's a pretty good start - I hope! The FINDnFIX procedure is for a particular variant of CWS about:blank - and without your HijackThis log, I can't be sure if that's the one you have or not. But, it does look like it is.

So, I'll depend on you to verify it - if the R1 and/or R0 entries in your HijackThis log contain this in them:

LOCALS~1\Temp\sp.html

then you can proceed with the following instructions. If that's not there, then skip what's here and post your HijackThis log for review.

This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:
  • Open the "FINDnFIX\Keys1" Subfolder!
  • Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
  • Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:

    move %WinDir%\System32\SQLNBIE.DLL %SystemDrive%\junkxxx\SQLNBIE.DLL

  • Save the file and close.
  • Get ready to restart your computer.
  • In the same folder, DoubleClick on the "FIX.bat" file.
  • You will be prompted by popup Alert to restart in 15 seconds.
  • Allow it to restart the computer!
  • On restart, Navigate to: C:\FINDnFIX\ main folder:
  • DoubleClick on the "RESTORE.bat" file.
  • It'll run and produce a new log (log1.txt). Post it here!

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall