Jump to content


Photo

CWS Searchx


  • This topic is locked This topic is locked
23 replies to this topic

#1 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 29 June 2004 - 02:22 PM

okay, let's see if i've done everything to get started: have read the FAQ's, have updated and run adaware and spybot and hijackthis, have tried CWS shredder but since it doesn't permanently solve the problem i've recently stopped trying. my computer has been infected with this thing for months now and i feel like i've tried so many things. i am just at a loss. and i am also really, REALLY clueless when it comes to computer jargon so please be gentle. i will be eternally grateful if someone can help me get rid of this nightmare of a problem. here is my newest hijackthis log.



Logfile of HijackThis v1.98.0
Scan saved at 12:20:11 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Sony\Keyboard Closure Setup\KSWServ.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Christ\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Christ\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Christ\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Christ\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Christ\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Christ\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Christ\Application Data\Mozilla\Profiles\default\hst1m92n.slt\prefs.js)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF19239E-869C-474B-BA75-CB7EE644BA93} - C:\WINDOWS\System32\ddeec.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Keyboard Closure Setup.lnk = ?
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtange...soft/wtinst.cab
O18 - Filter: text/html - {4782E12A-8132-4D0B-9BE4-35243DD50723} - C:\WINDOWS\System32\ddeec.dll
O18 - Filter: text/plain - {4782E12A-8132-4D0B-9BE4-35243DD50723} - C:\WINDOWS\System32\ddeec.dll

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 29 June 2004 - 02:30 PM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
Posted Image

#3 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 29 June 2004 - 03:03 PM

thanks for responding so quickly, daemon. ok, here's what was in the value box when i did the reglite stuff:

c:\windows\system32\respj.dll

and here is the log file:


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Tue 06/29/2004
1:02pm up 0 days, 1:03

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\RESPJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESPJ.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

No matches found.

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access CHRISTINE\Christ
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access CHRISTINE\Christ


╗╗Member of...: (Admin logon required!)
User is a member of group CHRISTINE\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗ Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x CHRISTINE\Christ
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: CHRISTINE\Christ

Primary Group: CHRISTINE\None



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
1:03pm up 0 days, 1:04
Tue 06/29/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-29-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-29-2004 winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLsnit_└   c
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows=
AppInit
DLLsnit
DeviceNotSelectedTimeout
GDIProcessHandleQuotaout
SpoolerQ
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuotaut

**File C:\FINDnFIX\WIN.TXT
regf       Pugf


#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 29 June 2004 - 03:13 PM

Open the FINDnFIX folder and then open the keys1 folder. Right-click on the MOVEit.bat file and select 'edit'. That will open the file as an empty text file - copy and paste this line into the blank file:

move %WinDir%\System32\RESPJ.DLL %SystemDrive%\junkxxx\RESPJ.DLL

Save the file and close. The next step will cause a restart. Still in the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

On restart, open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.



Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

If that happens, skip that step and proceed this way instead. In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the RESPJ.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.

Posted Image

#5 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 29 June 2004 - 04:52 PM

i didn't encounter any problems so here is the log once again...


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Tue 06/29/2004
2:50pm up 0 days, 0:01

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG1!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Scanning for file(s)...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗
\\?\C:\WINDOWS\System32\RESPJ.DLL +++ File read error

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

fgrep: no files found for C:\JUNKXXX\*.*

move %WinDir%\System32\RESPJ.DLL %SystemDrive%\junkxxx\RESPJ.DLL


File not found - C:\junkxxx\*.*

╗╗Permissions:
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x CHRISTINE\Christ
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: CHRISTINE\Christ

Primary Group: CHRISTINE\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access CHRISTINE\Christ
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access CHRISTINE\Christ



---------- WIN.TXT
AppInit_DLLsnit_└   c

---------- NEWWIN.TXT
AppInit_DLLsnit_└   c
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001330: 01 00 00 00 01 00 28 00 . 5F 44 4C 4C 73 6E 69 74 ......(. _DLLsnit
**File C:\FINDnFIX\NEWWIN.TXT
regf       Pugf

#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 30 June 2004 - 01:57 AM

The file didn't move for some reason. Could you repeat my earlier post but this time use the approach in itallics. If the junkxxx folder doesn't exist, create it with Explorer.
Posted Image

#7 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 30 June 2004 - 08:23 PM

well, i tried it once more with the italics but it still says it doesn't exist. how do i create it with explorer? :scratchhead:

#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 01 July 2004 - 03:35 PM

Click Start>Programs>Acessories>Windows Explorer

Navigate to C:\

Click File>New>Folder and name it Junkxxx
Posted Image

#9 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 01 July 2004 - 04:21 PM

okay, i've done that and now i see a "junkxxx" folder in C: and i've gone through the steps once more. here's the log.



╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Thu 07/01/2004
2:19pm up 0 days, 0:00

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG1!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Scanning for file(s)...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗
\\?\C:\WINDOWS\System32\RESPJ.DLL +++ File read error

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

fgrep: no files found for C:\JUNKXXX\*.*

move %WinDir%\System32\RESPJ.DLL %SystemDrive%\junkxxx\RESPJ.DLL

File not found - C:\junkxxx\*.*

╗╗Permissions:
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x CHRISTINE\Christ
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: CHRISTINE\Christ

Primary Group: CHRISTINE\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access CHRISTINE\Christ
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access CHRISTINE\Christ



---------- WIN.TXT
AppInit_DLLsnit_└   c

---------- NEWWIN.TXT
AppInit_DLLsnit_└   c
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001330: 01 00 00 00 01 00 28 00 . 5F 44 4C 4C 73 6E 69 74 ......(. _DLLsnit
**File C:\FINDnFIX\NEWWIN.TXT
regf       n s t a l l K B 8 2 0 2 9 1 $ 8 * $ N t U n i n s t a l l K B 8 2 1 2 5 3 $ 8 * $ N t U n i n s t a l l K B 8 2 2 6 0 3 $ 8 * $ N t U n i n s t a l l K B 8 2 3 1 8 2 $ 8 * $ N t U n i n s t a l l K B 8 2 4 1 0 5 $ 8 * $ N t U n i n s t a l l K B 8 2 4 1 4 1 $ 8 * $ N t U n i n s t a l l K B 8 2 5 1 1 9 $ 8 * $ N t U n i n s 7u`f

#10 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 01 July 2004 - 04:32 PM

It's still hanging in there:

1. In the keys1 folder, double click on FIX.bat - allow it to reboot.

2. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the RESPJ.DLL file. Highlight the file and using top menu, click Edit>Move to folder...

Select C:\junkxxx as destination. Move the file.

3. Open the FINDnFIX folder again and double-click on RESTORE.bat - post the contents of the new Log1.txt in your next reply.
Posted Image

#11 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 02 July 2004 - 12:28 PM

i looked in explorer and the system32 folder, but i don't see a Respj file anywhere. what should i do?

#12 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 July 2004 - 12:57 PM

Could you do this again:

paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.


If it's still there I may have to enlist freeatlast's help to understand why it's not moving.
Posted Image

#13 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 02 July 2004 - 03:22 PM

here's what was in the value box:

c:\windows\system32\respj.dll



it looks like it's still there... :wtf:

#14 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 02 July 2004 - 04:10 PM

Hi there!

Based on your logs and results you have a special rare variant there
which I've seen before once or twice.

You are going to have to follow these steps, instead

-Open the FINDnFIX\Keys1\ Subfolder.
-Find And DoubleClick on this file:
"windr1.reg"< And answer yes to the prompt!

-Restart your computer!
-Find and be sure there is a C:\junkxxx folder,
Locate the "RESPJ.DLL" file in system32 and use the folder's top menu:
Edit>move to folder...
Select the C:\junkxxx as destination and move it there!

-When the file is successfully moved, go back to the
FINDnFIX\Keys1 Subfolder, And DoubleClick on the
following files in this exact order, hitting 'yes' on the prompt:

1.) winkey.reg
2.) winclean.reg

When done, go back to main FINDnFIX folder,
run the "RESTORE.bat" file and post the log!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#15 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 02 July 2004 - 04:55 PM

hi, freeatlast. thank you for assisting also. i think i've followed the directions correctly and this time i did find the respj.dll file. here's the log:


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Fri 07/02/2004
2:53pm up 0 days, 0:03

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG1!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Scanning for file(s)...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗
* result\\?\C:\junkxxx\RESPJ.333

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

C:\JUNKXXX\
respj.333 Wed Mar 24 2004 1:34:14p A.... 21,504 21.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 21,504 bytes 21.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\RESPJ.333
**File C:\JUNKXXX\RESPJ.333
0000532A: 67 44 65 76 69 63 65 00 . 00 00 00 D0 00 00 0C 00 gDevice. ...đ....

move %WinDir%\System32\RESPJ.DLL %SystemDrive%\junkxxx\RESPJ.DLL

--a-- W32i - - - - 21,504 03-24-2004 respj.333
A C:\junkxxx\respj.333
File: <C:\junkxxx\respj.333>

CRC-32 : 2258F59E

MD5 : EFEE2CB3 B342A351 51802356 9637F8E6




╗╗Permissions:
C:\junkxxx\respj.333 BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
CHRISTINE\Christ:F
BUILTIN\Users:R

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x CHRISTINE\Christ
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: CHRISTINE\Christ

Primary Group: CHRISTINE\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\respj.333"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x CHRISTINE\Christ
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: CHRISTINE\Christ

Primary Group: CHRISTINE\None


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access CHRISTINE\Christ
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access CHRISTINE\Christ



---------- WIN.TXT
AppInit_DLLsnit_└   c

---------- NEWWIN.TXT
AppInit_DLLsoutQ└
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001330: 01 00 00 00 01 00 28 00 . 5F 44 4C 4C 73 6F 75 74 ......(. _DLLsout
**File C:\FINDnFIX\NEWWIN.TXT
regf       Pugf

#16 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 July 2004 - 05:17 PM

Thanks FAL :cool: - I had a bit more spinning on the spot with this one :p

OK camice, nearly there, open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done. Rescan with HJT and post a new log in your next reply.
Posted Image

#17 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 03 July 2004 - 05:49 PM

i've encountered a bit of a problem. everything was going fine until the email part, when i realized the email client it went to automatically was Outlook Express and i hadn't made an account there yet. so obviously, i couldn't send the email. and i can't send it through hotmail which is what i normally use. what should i do? :oops:

#18 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 04 July 2004 - 05:10 AM

Just carry on without the email. I expect FAL has a reasonable collection now :p
Posted Image

#19 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 05 July 2004 - 12:21 PM

oh, good. i was worried for a while. :D well, so far all seems to be working normal again. thanks so much you guys! daemon, i owe you my first born. :wave:


Logfile of HijackThis v1.98.0
Scan saved at 10:18:00 AM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Sony\Keyboard Closure Setup\KSWServ.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Christ\Application Data\Mozilla\Profiles\default\hst1m92n.slt\prefs.js)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Keyboard Closure Setup.lnk = ?
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtange...soft/wtinst.cab

#20 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 06 July 2004 - 02:09 AM

:D Glad we could help.

My bar is questionable - let me know if you want to remove it. Other than that it looks OK now.
Posted Image

#21 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 08 July 2004 - 12:29 PM

actually, i think i would like to remove it. if you can help me with this too, i'll appreciate it to no end. :p

#22 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 08 July 2004 - 01:47 PM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)


Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, find and delete the following:

C:\Program Files\MyWay\ <-- folder

Reboot when done, rescan with HJT and post a new log here for a final check over.
Posted Image

#23 camice

camice

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 09 July 2004 - 04:40 PM

here's the log. but i have one question, should i leave the settings about hidden folders the way i changed them now, or change it back? :huh:


Logfile of HijackThis v1.98.0
Scan saved at 2:38:34 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Sony\Keyboard Closure Setup\KSWServ.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Christ\Application Data\Mozilla\Profiles\default\hst1m92n.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1501.0\en-us\msntb.dll
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Keyboard Closure Setup.lnk = ?
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtange...soft/wtinst.cab

#24 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 09 July 2004 - 04:52 PM

You don't need to change them back.

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button