plumber1

about:blank / spyware pop-ups

17 posts in this topic

When I open IE I get an address "about:blank" and then a bunch of pop-ups trying to sell spyware detection software. I have run NoAdware and Spybot to no effect. NoAdware does not even detect a problem and Spybot detects 5 problems with DSO Exploit that it fixes but the problem returns immediately. I have run HijackThis and I have a log to post if someone can give me the instructions on which lines to remove.

 

Help is appreciated

 

HijackThis Log Follows:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:09:22 PM, on 28/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Documents and Settings\RDS1\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {31082305-8F58-498D-BF54-96EDFEE21863} - C:\WINDOWS\System32\gfa.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

Edited by plumber1
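The log above already contains the indicators the helpers act on later in the thread: the IE search and start pages redirected to a file:// URL under the user's Temp folder, an unnamed BHO loaded straight from System32 (gfa.dll), and a Run entry for SpyKiller, which the next reply calls an imposter. As an added example that is not part of this thread or of HijackThis, here is a small Python triage script that applies those three checks to HijackThis-style lines; the sample lines are constructed from the log above, and the rogue-tool list is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines in the form of the HijackThis v1.97.7 log
# posted above (not the complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RDS1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31082305-8F58-498D-BF54-96EDFEE21863} - C:\WINDOWS\System32\gfa.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
"""

# Assumed list of products the thread treats as bogus "anti-spyware" (lower-case).
ROGUE_TOOLS = ("spykiller", "noadware")

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<where>.*?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

Finding = Tuple[str, str]  # (reason, offending log line)


def check_r(line: str) -> List[Finding]:
    """IE start/search settings pointing at a local file in Temp or at about:blank."""
    m = R_LINE.match(line)
    if not m:
        return []
    low = m.group("value").strip().lower()
    if low.startswith("file://") and "\\temp\\" in low:
        return [("IE search/start page redirected to a local file in Temp", line)]
    if low == "about:blank":
        return [("IE page setting is about:blank (the symptom reported)", line)]
    return []


def check_o2(line: str) -> List[Finding]:
    """Unnamed Browser Helper Objects loaded directly from System32."""
    m = O2_LINE.match(line)
    if not m:
        return []
    path = m.group("path").strip().lower()
    if m.group("name").strip() == "(no name)" and path.startswith("c:\\windows\\system32\\"):
        return [("unnamed BHO loaded from System32", line)]
    return []


def check_o4(line: str) -> List[Finding]:
    """Autostart entries for tools the thread lists as bogus spyware removers."""
    m = O4_LINE.match(line)
    if not m:
        return []
    cmd = m.group("cmd").lower()
    for tool in ROGUE_TOOLS:
        if tool in cmd:
            return [(f"autostart for rogue anti-spyware tool '{tool}'", line)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every check over every non-empty line and collect the findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (check_r, check_o2, check_o4):
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```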


This "about:blank" problem is really becoming a nuisance. I run Windows XP Pro and I really need someone to help me through what is required to clean this machine. I have been reading other posts about this issue and there seems to be many variations of the problem. Help!


Download and install "FINDnFIX.exe" from any of the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt) and post the results....

 

 

P.S:

*1.)

I have run NoAdware ........to no effect.

NoAdware does not even detect a problem ...........

.....................

Logfile of HijackThis v1.97.7

 

*2.)

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

 

Get rid of both imposters first, listed in...

->>*Bogus Spyware Removal Tools that will do you more *harm than good<<-

Post the indicated log! :D

Edited by freeatlast


I appreciate the advice. Not sure if this is what you wanted to see, as the computer could not find "notepad.exe" and so I printed the file to Word. Let me know if I need to do something else to get the info you need.

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

29/06/2004

10:07pm up 0 days, 0:22

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\SQL.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQL.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

SQL.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

sql.dll Fri Jun 18 2004 10:38:46p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\SQL.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group RDS\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x RDS\RDS1

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: RDS\RDS1

 

Primary Group: RDS\None

 

 

 

»»»»»»Backups created...»»»»»»

10:08pm up 0 days, 0:22

29/06/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-29-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-29-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuotai

 

**File C:\FINDnFIX\WIN.TXT

Øÿÿÿvk

8 Ø fùAppInit_DLLsÖ?æGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ s q l . d l l ° Ðÿÿÿvk P ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 @ ðÿÿÿ9 0 ?¸| Ðÿÿÿvk € ' zGDIProcessHandleQuota" þàÿÿÿvk À °ºSpooler2ðÿÿÿy e s Èn ° p è àÿÿÿvk € =pswapdiskÐÿÿÿvk ` R¿TransmissionRetryTimeoutàÿÿÿ° p è X Ðÿÿÿvk € ' i USERProcessHandleQuotai x
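Two things in the FINDnFIX output above are worth reading together: the value dump lists AppInit_DLLs as an empty SZ and flags it as "*** MISSING TRAILING NULL CHARACTER ***", while the 16-bit string scan of the same key shows C:\WINDOWS\System32\sql.dll sitting inside that value. The added Python example below (not part of the thread or of FINDnFIX) models that situation: a NUL-terminated string view of the registry data sees nothing, a raw byte view sees the DLL path. The byte strings are constructed for the example, not copied from a hive.

```python
from typing import List

# Constructed raw REG_SZ payloads (UTF-16LE, as stored in a hive), modelled on the
# FINDnFIX output in this thread; these bytes are not copied from a real registry.
CLEAN_VALUE = b"\x00\x00"  # an empty string with its terminating NUL
# A leading NUL makes string readers report "", and the terminator is missing.
HIDDEN_VALUE = b"\x00\x00" + r"C:\WINDOWS\System32\sql.dll".encode("utf-16-le")


def api_view(data: bytes) -> str:
    """Text as a NUL-terminated string reader (regedit, the usual registry APIs)
    would show it: every UTF-16 code unit up to the first NUL unit."""
    units = []
    for i in range(0, len(data) - len(data) % 2, 2):
        unit = data[i:i + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le", errors="replace")


def raw_view(data: bytes) -> str:
    """Every printable character anywhere in the data, NULs dropped: the view a
    16-bit string scan over the hive gives."""
    text = data[: len(data) - len(data) % 2].decode("utf-16-le", errors="replace")
    return "".join(ch for ch in text if ch != "\x00" and ch.isprintable())


def inspect_appinit(data: bytes) -> List[str]:
    """Flag the malformations that hide content in an AppInit_DLLs value."""
    findings: List[str] = []
    if len(data) % 2:
        findings.append("odd byte length for a REG_SZ value")
    if len(data) < 2 or data[-2:] != b"\x00\x00":
        findings.append("missing trailing NUL character")
    seen = "".join(ch for ch in api_view(data) if ch.isprintable())
    hidden = raw_view(data)
    if hidden != seen:
        findings.append(f"content hidden past the first NUL: {hidden!r}")
    if seen.strip():
        findings.append(f"AppInit_DLLs is set: {seen!r}")
    return findings


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("hidden", HIDDEN_VALUE)):
        print(f"{label}: api={api_view(value)!r} raw={raw_view(value)!r}")
        for finding in inspect_appinit(value):
            print("   !", finding)
```

The same two views are what make the "Size of Windows key" numbers in the log useful: a value that carries a hidden path changes the key's size even though every normal listing of it shows an empty string.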


As for the notepad issue, it's known and caused by the trojan.

You need to locate both copies of notepad.exe, in the Windows folder and the System32 folder, and replace them with a good copy from the dllcache folder, whichever copy is corrupted/hijacked.

You should RightClick both copies and check the properties.

When done, proceed with these steps:

----------------------------------------------------

*Get ready to restart your computer:

- Open the C:\FINDnFIX\Keys1\ Subfolder
- DoubleClick on the "FIX.bat" file
- You will be prompted by a popup Alert to restart in 15 seconds.
- Allow it to restart the computer!

-------------------------------------------------------------------------

On restart, navigate to the System32 folder:

- Locate and select this file: SQL.DLL (as it will be visible)
- Use the folder's top menu > Edit > Move to folder..., select C:\junkxxx as the destination and move "SQL.DLL" to the C:\junkxxx folder

-----------------------------------------------------------------------

Go back to the C:\FINDnFIX\ main folder and DoubleClick on the "RESTORE.bat" file.

It'll run and produce a new log (log1.txt).

Post it!


Again I appreciate the advice and forgive me for maybe being a bit slow on this. I located two files named "notepad.exe.bak"; one in system 32 folder and one in Windows. I assume these are the two files you suggested I find. Both were created Jun 18/04 which is about the time that this virus started but I cannot locate the file dll.cache to get the replacement. Any suggestions on where to look for this file or could it be under a different name? Thanks once again.


Dllcache is not a file. It's a folder holding your backups, located in System32\dllcache

What is the 'dllcache' folder and how to find it

It's hidden, so make sure all protected/hidden files are visible! (in folder options)

Find the \dllcache\notepad.exe file,

***EDIT:***

--------------------------------------------------------------

According to recent reports the copy in the dllcache is hijacked as well.

Get a new copy for your OS here:

http://www.spywareinfo.com/~merijn/winfiles.html

Put one in Windows, one in the System32 folder and one in the \System32\dllcache folder.

---------------------------------------------------------------

And this is very interesting... :scratchhead:

. Both were created Jun 18/04 which is about the time that this virus started

C:\WINDOWS\SYSTEM32\
sql.dll Fri Jun 18 2004 10:38:46p A...R 57,344 56.00 K

Before deleting the fake* files, could you zip them both up and mail by hitting the 'submit files' tab in my signature! Thanks.

Edited by freeatlast


It took a while to find the dllcache folder but have it now and interesting the notepad file in there was modified on Jun 18/04; same date as the other notepad.exe files in Windows and System 32 folders. I tried to follow the link to get a new notepad.exe file from your last post but IE is telling me the page cannot be found. Is there another source to obtain an uncorrupted notepad.exe file? Perhaps my Windows XP install disk?

 

Thanks for your patience

Plumber1


Still searching for a clean notepad.exe file as the referred site is either down or not available. Any suggestions would be appreciated.


As long as you have the file there it may keep infecting your notepad anyway.

Incidentally, the last 3 users had their notepad's date changed and, based on the set of notepads that was mailed to me, which I'm using right now, there is nothing wrong with it except the date change.

Overwrite your copies in system32 and windows with notepad from the dllcache folder, just so you'd be able to use it.

When you're all cleaned up we can get you a fresh notepad copy from a non-infected box.

Continue and follow the steps posted here:

http://www.spywareinfoforum.com/index.php?sh...t=0entry44398


I replaced notepad files from dllcache and then ran the FIX.bat file; moved the sql.dll file to junkxxx and subsequently ran the RESTORE.bat file and produced the following log. Please let me know if you need anything else to resolve this for me. Thank you for your help.

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

03/07/2004

10:24am up 0 days, 0:03

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

* result\\?\C:\junkxxx\SQL.222

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

C:\JUNKXXX\

sql.222 Fri Jun 18 2004 10:38:46p A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

**File C:\JUNKXXX\SQL.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

**File C:\FINDnFIX\LIST.TXT

 

rem replace this entire line with your given command...

 

 

 

 

--a-- W32i - - - - 57,344 06-18-2004 sql.222

A C:\junkxxx\sql.222

File: <C:\junkxxx\sql.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\junkxxx\sql.222 BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

RDS\RDS1:F

BUILTIN\Users:R

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x RDS\RDS1

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: RDS\RDS1

 

Primary Group: RDS\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

File "C:\junkxxx\sql.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x RDS\RDS1

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: RDS\RDS1

 

Primary Group: RDS\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLsÿÿÿÿ¸

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

00001338: 01 00 00 00 01 00 7B 00 . 5F 44 4C 4C 73 FF FF FF ......{. _DLLsÿÿÿ

**File C:\FINDnFIX\NEWWIN.TXT



Great progress! :thumbsup:

Last step(s):

- Open the FINDnFIX\Files2< Subfolder and run the -> "ZIPZAP.bat" file.

It will quickly clean the rest, make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions: simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit to the specified addresses! Thanks!

When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\, and be sure the C:\junkxxx folder was deleted (as part of the cleanup process).

As for the remains, run any and all removal tools once again as they should work properly now! In particular, CWShredder.exe and fully updated Ad-Aware!

Feel free to post a follow up hijackthis log when done! ;)


All steps completed and it appears that the virus is gone now. Home page on browser is acting normally. A couple of questions: When I went to run CWShredder I was going to update it but warnings from the update message seem to indicate that updates may be corrupt. Is this the case?

Also should I now update the notepad issue or forget it? The Hijackthis log follows. Please let me know if you find anything.

 

Thank you very much for your help in this matter; this is really a terrific site. Congratulations to all who run it.

Plumber1

 

Hijackthis Log

 

Logfile of HijackThis v1.97.7

Scan saved at 2:00:10 PM, on 03/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\ICQLite\ICQLite.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\RDS1\Local Settings\Temp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab


Fabulous! All is working and cleaned up. New notepad files installed and the specified line removed by HijackThis. I am a happy boy! :D

 

One small question; you kept referring to SpyKiller and to get rid of it. To my knowledge it is not on my machine. I have spybot - search and destroy which I thought was recommended software by this site. Has it been hijacked? Do I have SpyKiller somewhere on this machine and cannot find it?

 

Again thank you for the help!


 

Do I have SpyKiller somewhere on this machine and cannot find it? 

 

 

Hijackthis Log

 

Logfile of HijackThis v1.97.7

Scan saved at 2:00:10 PM, on 03/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

 

Stay out of trouble ;)


Glad we could help :D

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
