Jump to content


Photo

about:blank / spyware pop-ups


  • This topic is locked This topic is locked
16 replies to this topic

#1 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 28 June 2004 - 10:18 PM

When I open IE I get an address "about:blank" and then a bunch of pop-ups trying to sell spyware detection software. I have run NoAdware and Spybot to no effect. NoAdware does not even detect a problem and Spybot detects 5 problems with DSO Exploit that it fixes but the problem returns immediately. I have run HijackThis and I have a log to post if someone can give me the instructions on which lines to remove.

Help is appreciated

HijackThis Log Follows:

Logfile of HijackThis v1.97.7
Scan saved at 11:09:22 PM, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\RDS1\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31082305-8F58-498D-BF54-96EDFEE21863} - C:\WINDOWS\System32\gfa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab

Edited by plumber1, 28 June 2004 - 10:29 PM.


#2 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 June 2004 - 05:59 PM

This "about:blank" problem is really becoming a nuisance. I run Windows XP Pro and I really need someone to help me through what is required to clean this machine. I have been reading other posts about this issue and there seems to be many variations of the problem. Help!

#3 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 June 2004 - 06:34 PM

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....


P.S:

*1.)
I have run NoAdware ........to no effect.
NoAdware does not even detect a problem ...........
.....................
Logfile of HijackThis v1.97.7

*2.)
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\
spykiller.exe /startup


Get rid of both imposters first, listed in...
->>*Bogus Spyware Removal Tools that will do you more *harm than good<<-
Post the indicated log! :D

Edited by freeatlast, 29 June 2004 - 06:38 PM.

Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#4 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 June 2004 - 09:24 PM

I appreciate the advice. Not sure if this is what you wanted to see as the computer could not find "notepad.exe" and so I printed the file to word. Let me know if I need to do something else to get the info you need.


*** freeatlast100.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

29/06/2004
10:07pm up 0 days, 0:22

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\SQL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT
SQL.DLL Can't Open!

(*3*) ........

C:\WINDOWS\SYSTEM32\
sql.dll Fri Jun 18 2004 10:38:46p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\SQL.DLL
*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group RDS\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x RDS\RDS1
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: RDS\RDS1

Primary Group: RDS\None



Backups created...
10:08pm up 0 days, 0:22
29/06/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-29-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-29-2004 winkey.reg

Performing 16bit string scan....

---------- WIN.TXT
fAppInit_DLLs?GC
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuotai

**File C:\FINDnFIX\WIN.TXT
vk
8 fAppInit_DLLs?GC : \ W I N D O W S \ S y s t e m 3 2 \ s q l . d l l vk P UDeviceNotSelectedTimeout1 5 @ 9 0 ?| vk ' zGDIProcessHandleQuota" vk Spooler2y e s n p vk =pswapdiskvk ` RTransmissionRetryTimeout p X vk ' i USERProcessHandleQuotai x

#5 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 June 2004 - 11:36 PM

As for notepad issue, it's known and caused by the trojan.
You need to locate both copies of notepad.exe in Windows folder and System32
folder and replace them with good copy from the dllcache folder, whichever copy is corrupted/hijacked.
You should RightClick both copies and check the properties.

When done, proceed with these steps:
----------------------------------------------------
*Get ready to restart your computer:
- Open the C:\FINDnFIX\Keys1\ Subfolder
-DoubleClick on the "FIX.bat" file
-You will be prompted by popup Alert to restart in 15 seconds.
-Allow it to restart the computer!
-------------------------------------------------------------------------
On restart, navigate to System32 folder:
-Locate and select this file:
-SQL.DLL
(As it will be visible)
And use the folder's top menu>edit>
move to folder...
Select the C:\junkxxx as destination and move
"SQL.DLL" to the C:\junkxxx folder
-----------------------------------------------------------------------
Go back to C:\FINDnFIX\ main folder and
DoubleClick on the "RESTORE.bat" .file
It'll run and produce new log (log1.txt)
Post it!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#6 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 30 June 2004 - 07:34 AM

Again I appreciate the advice and forgive me for maybe being a bit slow on this. I located two files named "notepad.exe.bak"; one in system 32 folder and one in Windows. I assume these are the two files you suggested I find. Both were created Jun 18/04 which is about the time that this virus started but I cannot locate the file dll.cache to get the replacement. Any suggestions on where to look for this file or could it be under a different name? Thanks once again.

#7 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 30 June 2004 - 09:11 AM

Dllcache is not a file.
It's a folder holding your backups,
Located in System32\dllcache

What is the 'dllcache' folder and how to find it

It's hidden, so make sure all protected/hidden files are visible!
( in folder options)
Find the-
\dllcache\notepad.exe file,
***EDIT:***
--------------------------------------------------------------
According to recent reports the copy in the dllcache
is hijacked as well.
Get a new copy for your OS here:
http://www.spywarein...n/winfiles.html
Put one in Windows, one in System32 folder
and one in \System32\dllcache folder.
---------------------------------------------------------------


And this is very interesting... :scratchhead:

. Both were created Jun 18/04 which is about the
time that this virus started

C:\WINDOWS\SYSTEM32\
sql.dll Fri Jun 18 2004 10:38:46p A...R 57,344 56.00 K


Before deleting the fake* files, could you zip them
both up and mail by hitting the 'submit files' tab
in my signature! Thanks.

Edited by freeatlast, 30 June 2004 - 12:08 PM.

Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#8 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 July 2004 - 02:40 PM

It took a while to find the dllcache folder but have it now and interesting the notepad file in there was modified on Jun 18/04; same date as the other notepad.exe files in Windows and System 32 folders. I tried to follow the link to get a new notepad.exe file from your last post but IE is telling me the page cannot be found. Is there another source to obtain an uncorrupted notepad.exe file? Perhaps my Windows XP install disk?

Thanks for your patience
Plumber1

#9 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 02 July 2004 - 03:28 PM

Still searching for a clean notepad.exe file as the refewrred site is either down or not available. Any suggetsions would be appreciated.

#10 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 02 July 2004 - 03:49 PM

As long as you have the file there it may keep infecting your notepad anyway.
Incidentally, last 3 users had their notepads date changed and based on set of notepad that was mailed to me, which Im using right now, there is nothing wrong with it except the date change.
Overwrite your copies in system32 and windows with notepad from dllcache folder, just so you'd be able to use it.
when you'ere all cleanep up we can get you a fresh notepad copy from non infected box.

Continue and follow the steps posted here:
http://www.spywarein...t=0
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#11 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 03 July 2004 - 09:32 AM

I replaced notepad files from dllcache and then ran the FIX.bat file; moved the sql.dll file to junkxxx and subsequently ran the RESTORE.bat file and produced the following log. Please let me know if you need anything else to resolve this for me. Thank you for your help.


*** freeatlast100.100free.com ***

03/07/2004
10:24am up 0 days, 0:03

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

***LOG1!***
Scanning for file(s)...

(1)
* result\\?\C:\junkxxx\SQL.222

(2)
**File C:\FINDnFIX\LIST.TXT

(3)

No matches found.

No matches found.

(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


* Scanning for moved file... *

C:\JUNKXXX\
sql.222 Fri Jun 18 2004 10:38:46p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

**File C:\JUNKXXX\SQL.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2......
**File C:\FINDnFIX\LIST.TXT

rem replace this entire line with your given command...




--a-- W32i - - - - 57,344 06-18-2004 sql.222
A C:\junkxxx\sql.222
File: <C:\junkxxx\sql.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




Permissions:
C:\junkxxx\sql.222 BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
RDS\RDS1:F
BUILTIN\Users:R

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x RDS\RDS1
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: RDS\RDS1

Primary Group: RDS\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\sql.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x RDS\RDS1
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: RDS\RDS1

Primary Group: RDS\None


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
fAppInit_DLLs?GC

---------- NEWWIN.TXT
AppInit_DLLs
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 7B 00 . 5F 44 4C 4C 73 FF FF FF ......{. _DLLs
**File C:\FINDnFIX\NEWWIN.TXT
        Bwvk     UDeviceNotSelectedTimeout1 5  @   vk  '   zGDIProcessHandleQuota"9 0  ?| vk  X   Spooler2y e s n vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   i USERProcessHandleQuotai   8 h    vk    { AppInit_DLLs GwqwNww҉wWwdw^<w w:>wNwwTwowhwv|w^|w|w$w1wwHwwww\iw6w,Uw4ww2wwpEwwwhwww(wwww'wHwfw^wМwؿwWw6wwww*w~w"wwwwhwww8wwfwwwwWwXwxwXw RwWw6wWwww"w^w`wwwؼwhwwwwwwwwwwhwxwwhwjwKw`ww)w8w)wwwwwew2wwwrwzwjwwxww!wt&wP%wcw`wwJwwwwwpwwTww@LwK2w$w)ww8wHw>wwZwwwE]wfwnwiw&gw8www4ww/ww

#12 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 03 July 2004 - 10:07 AM

Great progress! :thumbsup:

Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, restart your computer and
Delete and entire 'FINDnFIX' file+folder(s)
From C:\, and be sure the C:\junkxxx folder
was deleted (as part of the cleanup process)


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular,
CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#13 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 03 July 2004 - 01:12 PM

All steps completed and it appears that the virus is gone now. Home page on browser is acting normally. A couple of questions: When I went to run CWShredder I was going to update it but warnings from the update message seem to indicate that updates may be corrupt. Is this the case?
Also should I now update the notepad issue or forget it? The Hijackthis log follows. Please let me know if you find anything.

Thank you very much for your help in this matter; this is really a terrific site. Congratulations to all who run it.
Plumber1

Hijackthis Log

Logfile of HijackThis v1.97.7
Scan saved at 2:00:10 PM, on 03/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\RDS1\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab

#14 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 03 July 2004 - 05:51 PM

On the bottom of my 'FINDnFIX' link you will find notepad_xp ;)

Snip this in hijackthis:

*R1 - HKCU\Software\Microsoft\
Internet Explorer\Main,HomeOldSP = about:blank

Get rid of SpyKiller:
Details...
Bogus Spyware Removal Tools that will do you more harm than good... :scratchhead:

Other than that, well done! :thumbsup:
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#15 plumber1

plumber1

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 05 July 2004 - 06:38 PM

Fabulous! All is working and cleaned up. New notepad files installed and the specified line removed by HijackThis. I am a happy boy! :D

One small question; you kept referring to SpyKiller and to get rid of it. To my knowledge it is not on my machine. I have spybot - search and destroy which I thought was recommended software by this site. Has it been hijacked? Do I have SpyKiller somewhere on this machine and cannot find it?

Again thank you for the help!

#16 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 July 2004 - 09:02 PM

Do I have SpyKiller somewhere on this machine and cannot find it? 


Hijackthis Log

Logfile of HijackThis v1.97.7
Scan saved at 2:00:10 PM, on 03/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup


Stay out of trouble ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#17 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 09 July 2004 - 02:34 PM

Glad we could help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button