• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
tbone513

CWS.SearchX Variant Zombie

15 posts in this topic

I've tried as much as I could on my own and it won't go away. My HJT log is below, but the weird thing is that it looks like it may have effected notepad.exe as the date on the executable as changed to around the date/time I got infected.

 

BTW, I've tried the usual stuff (shredder, adaware, s&d, etc.) - nothing will permanently remove this bastard...

 

Logfile of HijackThis v1.97.7

Scan saved at 11:52:48 PM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\BacsTray.exe

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\mdm.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\msdtc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hjt\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.whatifsports.com/locke/default.asp

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway

O1 - Hosts: 172.16.151.139 wisdata

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {CF853E03-5F6C-496A-84C2-A892A1ED465A} - C:\WINDOWS\System32\nemkca.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bacstray] BacsTray.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8037.4051967593

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rackspace.webex.com/client/latest/webex/ieatgpc.cab

 

Any help or advice would be greatly appreciated!

Share this post


Link to post
Share on other sites

I have the same problem: CWSSearchX just won't go away. I checked Windows' event viewer and found out I had quite some browser events. Their info is as follows:

 

Event Type: Information

Event Source: BROWSER

Event Category: None

Event ID: 8033

Date: 28-6-2004

Time: 12:36:29

User: N/A

Computer: PIII-500

Description:

The browser has forced an election on network \Device\NetBT_Tcpip_{33A926D4-3518-4F5E-B1E5-4D4E4A0909D7} because a master browser was stopped.

 

I suspect it's related to CWS. Can anyone decipher this?

Edited by Bleij

Share this post


Link to post
Share on other sites

I'm seeing the same thing - not sure what it is but it doesn't have anything to do with CWS - it's been in my log files for months.

Share this post


Link to post
Share on other sites

Update on this variant - if I go to hotmail or msn.com, it reappears. I've confirmed by running the latest cwsshredder and the random dll in the system32 directory will be removed. As soon as I type in hotmail.com or msn.com into the address bar, I get reinfected and the random dll will reappear in my system32 directory.

 

Anybody have any ideas?!?

Share this post


Link to post
Share on other sites

First, to repair any notepad issues, find both copies in Windows and system32 folder, check the properties and replace the corrupted/hijacked with good copy from the dllcache folder.

 

What is the 'dllcache' folder and how to find it

 

When done-

Download and install : "FINDnFIX.exe" from any of

the links in my signature.

 

Run the "!LOG!.bat" file, wait for the final output (log.txt)

post the results....

Share this post


Link to post
Share on other sites

Thanks for the help! Notepad.exe was set to the same date/time of infection in all 3 areas (c:\windows, c:\i386, and c:\windows\system32\dllcache) so I don't have a clean copy. I'll find one on another machine.

 

Here's the log file though:

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Wed 06/30/2004

10:22am up 0 days, 0:08

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\HLPM.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLPM.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

HLPM.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

hlpm.dll Sun Jun 20 2004 5:07:44p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\HLPM.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group INCIGNA\Domain Users.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group INCIGNA\Developers.

User is a member of group INCIGNA\Domain Admins.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x INCIGNA\tkamil

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: INCIGNA\tkamil

 

Primary Group: INCIGNA\Domain Users

 

 

 

»»»»»»Backups created...»»»»»»

10:24am up 0 days, 0:10

Wed 06/30/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-30-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-30-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota3

 

**File C:\FINDnFIX\WIN.TXT

Øÿÿÿvk : Ø fùAppInit_DLLsÖ?æGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ h l p m . d l l ÿÿ ° Ðÿÿÿvk P ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 ( ðÿÿÿ9 0 ë=tÀÐÿÿÿvk €' zGDIProcessHandleQuota"þàÿÿÿvk À °ºSpooler2ðÿÿÿy e s

Share this post


Link to post
Share on other sites

Well done!

 

*Get ready to restart your computer:

- Open the FINDnFIX\Keys1\ Subfolder

-DoubleClick on the "FIX.bat" file.

-You'll be prompted to restart.

-Wait for the popup -Alert to restart your computer in 15 seconds.

-------------------------------------------------------------------------------

On restart, navigate to System32 folder:

-Locate and select the "HLPM.DLL" file (as it will be visible)

-Use the folder's top menu>edit>

move to folder...

-Select the C:\junkxxx as destination and move

the "HLPM.DLL" there.

--------------------------------------------------------------

When done,

-Go back to the main FINDnFIX folder:

-Run the "RESTORE.bat" file.

-It'll run and produce new log (log1.txt)

-Post it into your reply!

-----------------------------------------------------------------------

In addition,

could you locate all 3 *fake copies of your

notepad files, Zip them up and submit by clicking on the "Submit" tab

in my signature!

Share this post


Link to post
Share on other sites

Thanks free, I also moved a new dll (the random one created in system32) into junkxxx, hope that was ok. Here's the log:

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Wed 06/30/2004

2:12pm up 0 days, 0:04

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

* result\\?\C:\junkxxx\HLPM.DLL

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

C:\JUNKXXX\

hlpm.dll Sun Jun 20 2004 5:07:44p A...R 57,344 56.00 K

mnkaca.dll Wed Jun 30 2004 10:15:54a A.... 30,720 30.00 K

 

2 items found: 2 files, 0 directories.

Total of file sizes: 88,064 bytes 86.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\HLPM.DLL

Sniffed -> C:\JUNKXXX\MNKACA.DLL

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

Searching ==>C:\JUNKXXX\HLPM.DLL

Searching ==>C:\JUNKXXX\MNKACA.DLL

Run Time(sec) 0

**File C:\JUNKXXX\HLPM.DLL

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

**File C:\JUNKXXX\MNKACA.DLL

 

rem replace this text with your given command...

 

c:\junkxxx\hlpm.dll

-ra-- W32i - - - - 57,344 06-20-2004 hlpm.dll

c:\junkxxx\mnkaca.dll

--a-- W32i - - - - 30,720 06-30-2004 mnkaca.dll

A R C:\junkxxx\hlpm.dll

A C:\junkxxx\mnkaca.dll

File: <C:\junkxxx\hlpm.dll>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

File: <C:\junkxxx\mnkaca.dll>

 

CRC-32 : 00000000

 

MD5 : 85558AE5 DCF0FEA8 50761D1D BDF178F3

 

 

 

 

»»Permissions:

C:\junkxxx\hlpm.dll Everyone:(special access:)

 

SYNCHRONIZE

FILE_EXECUTE

 

BUILTIN\Administrators:F

 

C:\junkxxx\mnkaca.dll BUILTIN\Users:R

BUILTIN\Power Users:C

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

INCIGNA\tkamil:F

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x INCIGNA\tkamil

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: INCIGNA\tkamil

 

Primary Group: INCIGNA\Domain Users

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

File "C:\junkxxx\hlpm.dll"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: INCIGNA\tkamil

 

Primary Group: INCIGNA\Domain Users

 

File "C:\junkxxx\mnkaca.dll"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000010 t--- 001301BF ---- DS-- rw+x BUILTIN\Power Users

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x INCIGNA\tkamil

 

Owner: INCIGNA\tkamil

 

Primary Group: INCIGNA\Domain Users

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLsˆ

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk °

**File C:\FINDnFIX\NEWWIN.TXT

00001338: 01 00 00 00 01 00 45 00 . 5F 44 4C 4C 73 10 88 00 ......E. _DLLs.ˆ.

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk ° ø 8 h Ðÿÿÿvk ( . TransmissionRetryTimeoutÐÿÿÿvk €' b USERProcessHandleQuota3 àÿÿÿ° ø 8 h Ð Øÿÿÿvk € E AppInit_DLLsˆ ¸

Share this post


Link to post
Share on other sites

Well done! :D (good results )

 

-Last step(s):

 

 

-Open the FINDnFIX\Files2< Subfolder:

Run the -> "ZIPZAP.bat" file.

It will quickly clean the rest and

will make a copy of the bad file(s) in the same

folder (junkxxx.zip) and open your email client with instructions:

Simply drag and drop the 'junkxxx.zip' file from

the folder into the mail message and submit

to the specified addresses! Thanks!

 

When done, restart your computer and

Delete and entire 'FINDnFIX' file+folder(s)

From C:\, and be sure the C:\junkxxx folder

was deleted (as part of the cleanup process)

 

 

As for the remains, run any and all

removal tools once again as they should work properly now!

In particular,

Latest CWShredder.exe and fully updated Ad-Aware!

 

Feel free to post follow up hijackthis log when done! :cool:

Share this post


Link to post
Share on other sites

Re: notpads files.

They are actually fine!

All all originall by M$ and just the fact that the date is different makes no difference, it could be that WFP (Windows file protection)

replaced the bad copies.

 

I'm using them now on

my Win2K and actually like the icon better, thanks for the treat! :weee:

Share this post


Link to post
Share on other sites

Free, I believe you have finally killed it. Thanks so much! Here's the (hopefully) final HJT log:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 7:51:51 AM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\BacsTray.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\mdm.exe

C:\hjt\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatifsports.com/locker/default.asp

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.whatifsports.com/locker/default.asp

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway

O1 - Hosts: 172.16.151.139 wisdata

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bacstray] BacsTray.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8037.4051967593

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rackspace.webex.com/client/latest/webex/ieatgpc.cab

Share this post


Link to post
Share on other sites

All's well!

Just snip these in hijackthis:

 

O1 - *Hosts: 172.16.151.139 wisdata(*Unless was set by you for some reason...)

-O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

-O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

-O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

 

Stay out of trouble ;)

Share this post


Link to post
Share on other sites

Glad we could help :D

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0