triplem

I give up. Need Help w/about.blank

19 posts in this topic

I have done everything I know to do, and read forum after forum, but cannot get rid of it. Ran Ad-Aware, Spybot, SpySweeper in safe mode, found infected files, deleted them. Then ran HijackThis, found the bad entries, but HijackThis errors out and cannot repair. Here is the error message from HijackThis.

 

An unexpected error has occurred at procedure: cmdFix_Click()

Error #75 - Path/File access error (28 items in results list)

Please email me at merijn@spywareinfo.com, reporting the following:

* What you were doing when the error occurred

* How you can reproduce the error

* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195

MSIE version: 6.0.2800.1106

HijackThis version: 1.98.0

This message has been copied to your clipboard.

 

Here is my latest HijackThis log, with nothing ignored.

 

Logfile of HijackThis v1.98.0

Scan saved at 4:57:21 PM, on 7/1/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\msdtc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\System32\mspmspsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\mqsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe

C:\WINDOWS\system32\mobsync.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\SPYWARE TOOLS\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7DBACA28-97F0-4CEC-A115-E1C552F3DFB9} - c:\windows\system32\lmofj.dll (file missing)

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [sPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)


After I posted yesterday and got no replies, I tried again this morning. I thought I had it gone. Worked on my computer for more than four hours today with no problems. Went to the Spyware Warrior forum looking around, and was hijacked while I was there. I have read the FAQ, and followed the instructions yesterday and today. I ran Ad-Aware three times and Spybot once, both in safe mode. They both show clean. Rebooted and ran HijackThis. Here is the log. Please, please help.

 

Logfile of HijackThis v1.98.0

Scan saved at 3:50:55 PM, on 7/2/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\msdtc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\System32\mspmspsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E5195BE-25C9-44C7-A2D9-1BCB1E7B6CD4} - c:\windows\system32\cck.dll (file missing)

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [sPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)


Re-download HijackThis (don't use the update feature, you must get a NEW copy). A patched version was released today.

 

Open Control Panel > Add/Remove applet and uninstall Weather Bug <----<---Optional but highly recommended to remove. While not spyware itself, it can open you up to attacks.

 

Press Ctrl+Alt+Del and 'end task' on any of the following that are present:

C:\Program Files\AWS\WeatherBug\Weather.exe

Put a check next to these in hijackthis:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {7E5195BE-25C9-44C7-A2D9-1BCB1E7B6CD4} - c:\windows\system32\cck.dll (file missing)

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 <---Optional

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <---Optional but Highly recommended to remove not needed at start and huge resource hog

 

THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".

 

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-

 

C:\Program Files\AWS\ <---Optional, only delete if removed above in O4) ENTIRE FOLDER!!

Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):

- C:\Windows\Temp\

- C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

- C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

- C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache, including cookies. This is recommended and strongly suggested.

- C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

- Empty your "Recycle Bin"

 

If you already have and use Ad-Aware make sure you are updated and use the setting in the 'speech' below:

Now download Ad-Aware at http://www.lavasoftusa.com/support/download/

After installing AAW, and before running the program, FIRST update the reference file following these instructions.

- On the main Ad-Aware screen hit "Check for Updates", then hit the 'Connect' key; it will connect, check, and then ask if you want to download the latest Ref. files (if one is available); accept. Once downloaded, hit "Finish" (Green Checkmark).

 

Now do the following:

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

 

Press "Scan Now"

 

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

 

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys. Click 'Next' again

Right-click in that pane and choose "select all"

 

If it finds "bad" files and registry keys, press "Next" again

It will ask you whether you'd like to remove all checked items. Click OK.

 

Finally, close Ad-Aware, and reboot.

Make sure you have version 1.3 of Spybot as 1.2 is no longer updated.

Go here to download Spybot S&D. Install Spybot, close all other windows and run it. ALWAYS use the "Search for updates" button when you first open Spybot. Let Spybot download and install any updates it finds. Now you are ready to click the "Check for problems" button. Let Spybot fix any entries marked in RED.

 

Then Reboot and post a fresh log back to this thread.


jwbirdsong.

Followed your above instructions. Ran AAW, found problems, let AAW fix them.

Rebooted, ran Spybot 1.3 with updates, found no problems. Ran AAW again, this time found no problems. Here is the latest HijackThis log, version 1.98.

 

Logfile of HijackThis v1.98.0

Scan saved at 2:06:26 PM, on 7/6/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\msdtc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\System32\mspmspsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\mqsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7D99A9BC-DAA7-409B-964E-948439C1344C} - c:\my downloads\backups\backup-20040630-192210-991.dll (file missing)

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\Run: [Eoth] C:\Documents and Settings\Michael.DOMAIN\Application Data\cocc.exe

O4 - HKCU\..\Run: [sPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)

O18 - Filter: text/html - {F007AF03-2045-4F0B-B84B-B4EEB6E28B0A} - c:\my downloads\backups\backup-20040630-192210-991.dll

O18 - Filter: text/plain - {F007AF03-2045-4F0B-B84B-B4EEB6E28B0A} - c:\my downloads\backups\backup-20040630-192210-991.dll

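As an added example (not code from this thread, from HijackThis or from FindnFix), here is a small Python triage script that applies, line by line, the checks the helpers above are doing by eye on the HijackThis log: IE start/search pages redirected to a local file under Temp, an unnamed BHO whose DLL is missing, an autorun launched from Application Data, an O18 MIME filter on text/html, and O16/O18 entries worth a second look. The sample lines are copied from the logs posted in this thread; the rules, severity labels and the Finding type are my own assumptions, not HijackThis conventions.

```python
"""Triage HijackThis 1.98 log lines for the about:blank / sp.html hijacker
pattern discussed in this thread. Rules and severities are the editor's own."""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the logs posted in this thread,
# mixed with benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {58911F4B-CE36-457B-9191-D6A8EA662455} - c:\windows\system32\odenkia.dll (file missing)
O4 - HKLM\..\Run: [Eoth] C:\Documents and Settings\Michael.DOMAIN\Application Data\cocc.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {F007AF03-2045-4F0B-B84B-B4EEB6E28B0A} - c:\my downloads\backups\backup-20040630-192210-991.dll
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)
"""


@dataclass
class Finding:
    severity: str   # "high" (fix it) or "review" (look it up first)
    section: str    # HijackThis section tag, e.g. "R1", "O2", "O18"
    reason: str
    line: str


# Every HijackThis entry starts with a section tag followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Folders a legitimate start page, BHO or autorun should not live in.
TEMP_LIKE_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\application data\\")


def _in_temp_like_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in TEMP_LIKE_DIRS)


def check_line(line: str):
    """Return a Finding for one log line, or None if the line looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")

    if sec in ("R0", "R1") and " = " in rest:
        # R0/R1: IE start/search page values. about:blank alone is harmless;
        # the payload is the search page pointing at a local file in Temp.
        _key, value = rest.split(" = ", 1)
        if value.lower().startswith("file://") and _in_temp_like_dir(value):
            return Finding("high", sec,
                           "IE search/start page points at a local HTML file in a temp folder", line)

    elif sec == "O2":
        # A BHO with no name whose DLL is not on disk: the logs in this thread
        # show a different such DLL name in each scan (lmofj, cck, odenkia).
        if "(no name)" in rest and "(file missing)" in rest:
            return Finding("high", sec, "unnamed BHO registered for a DLL that is not on disk", line)

    elif sec == "O4":
        # Autoruns normally point into Program Files or the Windows folder.
        if _in_temp_like_dir(rest):
            return Finding("high", sec,
                           "autorun launches an executable from a per-user data or temp folder", line)

    elif sec == "O18":
        if rest.startswith("Filter: text/"):
            # A MIME filter on text/html or text/plain sees every page IE renders.
            return Finding("high", sec,
                           "MIME filter hooked on text/html or text/plain content", line)
        if rest.startswith("Protocol:") and rest.endswith("(no file)"):
            return Finding("review", sec, "pluggable protocol handler whose DLL is gone", line)

    elif sec == "O16":
        # HijackThis prints the control's registered name in parentheses;
        # a bare CLSID plus download URL is worth looking up before trusting.
        if CLSID_RE.search(rest) and "(" not in rest:
            return Finding("review", sec, "ActiveX download (DPF) with no registered control name", line)

    return None


def triage(log_text: str) -> list:
    """Run check_line over a whole log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = check_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line.strip()}")
```

Run it against a pasted log to get the same short list a helper would ask you to put a check next to; anything tagged "review" still needs a lookup before fixing.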

Here are the latest FindnFix and HijackThis logs.

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows 2000 [Version 5.00.2195]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894

The type of the file system is NTFS.

C: is not dirty.

 

Tue 07/06/2004

6:08pm up 0 days, 0:38

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\CTLO.DLL +++ File read error

\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

CTLO.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

ctlo.dll Fri Jun 18 2004 7:47:14p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\CTLO.DLL

 

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... CTLO.DLL .....57344 18.06.2004

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group DOMAIN\Domain Admins.

User is a member of group \Everyone.

User is a member of group COMPAQDPMM\Debugger Users.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

User is a member of group \LOCAL.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Tue Jun 29 2004 6:33:32p A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

 

C:\WINDOWS\SYSTEM32\

notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows ® 2000 Operating System

ProductVersion 5.00.2140.1

FileVersion 5.00.2140.1

LegalCopyright Copyright © Microsoft Corp. 1981-1999

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050000:085c0001 (5.0:2140.1)

ProdVer: 00050000:085c0001 (5.0:2140.1)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000013 tco- 001F01FF ---- DSPO rw+x COMPAQDPMM\MICHAEL

 

Owner: BUILTIN\Administrators

 

Primary Group: DOMAIN\Domain Admins

 

 

 

»»»»»»Backups created...»»»»»»

6:11pm up 0 days, 0:41

Tue 07/06/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 07-06-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-06-2004 winkey.reg

 

»»Performing string scan....

00001150: ?

00001190: 8 P

000011D0: vk : AppInit_DLLsc 0 C : \ W I N D O W S

00001210:\ s y s t e m 3 2 \ c t l o . d l l vk h \

00001250:DeviceNotSelectedTimeout 1 5 ` 0 vk

00001290: ' GDIProcessHandleQuota vk

000012D0:Spooler y e s , vk , swapdisk

00001310: vk @ TransmissionRetryTimeout 9 0 `

00001350: vk ' " USERProcessHandleQuota

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

 

---------- WIN.TXT

AppInit_DLLsc

--------------

--------------

C:\WINDOWS\system32\ctlo.dll

yes

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

 

**File C:\FINDnFIX\WIN.TXT

àÿÿÿÐ 8 ˆ ¸ ð P Øÿÿÿvk : ø AppInit_DLLsc 0 ÀÿÿÿC : \ W I N D O W S \ s y s t e m 3 2 \ c t l o . d l l Ðÿÿÿvk h \ DeviceNotSelectedTimeoutàÿÿÿ1 5 `å °å èå 0 Ðÿÿÿvk €' GDIProcessHandleQuota àÿÿÿvk Ø Spooler èÿÿÿy e s , ¯

 

 

Logfile of HijackThis v1.98.0

Scan saved at 6:13:53 PM, on 7/6/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\msdtc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\System32\mspmspsv.exe

C:\WINDOWS\System32\mqsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MICHAE~1.DOM\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {58911F4B-CE36-457B-9191-D6A8EA662455} - c:\windows\system32\odenkia.dll (file missing)

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\Run: [Eoth] C:\Documents and Settings\Michael.DOMAIN\Application Data\cocc.exe

O4 - HKCU\..\Run: [sPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)

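As an added example that is not part of the original post and not HijackThis code: a small Python triage pass over the kind of O2/O4/O16/O18 lines shown in the log above, applying the flags a helper applies by hand (a registration whose file is missing, an autorun entry pointing into a user profile, an ActiveX download from a host that is not on a known-good list, an about:blank start-page entry). The sample lines are a constructed excerpt modelled on the posted log, the allow-list of download hosts is an assumption, and "(no name)" is deliberately treated as a weak signal because the log shows Spybot's own SDHelper.dll registered that way.

```python
import re

# Constructed excerpt modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {58911F4B-CE36-457B-9191-D6A8EA662455} - c:\\windows\\system32\\odenkia.dll (file missing)
O4 - HKLM\\..\\Run: [NAV DefAlert] C:\\PROGRA~1\\NORTON~1\\NORTON~4\\defalert.exe
O4 - HKLM\\..\\Run: [Eoth] C:\\Documents and Settings\\Michael.DOMAIN\\Application Data\\cocc.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)
"""

# Assumed allow-list for O16 (ActiveX/DPF) download hosts; an example value, tune per site.
KNOWN_GOOD_DPF_HOSTS = {"microsoft.com", "symantec.com", "yahoo.com"}

ORPHAN = "orphaned registration: the referenced file is missing"
NONAME = "BHO with no name (weak signal: legitimate helpers such as Spybot's SDHelper show this too)"
PROFILE_AUTORUN = "autorun entry pointing into a user profile or temp directory"
ABOUT_BLANK = "about:blank start/search page residue"

LINE_RE = re.compile(r"^(R\d+|F\d+|N\d+|O\d+) - (.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")


def host_is_known_good(host):
    """True if host equals, or is a subdomain of, an allow-listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DPF_HOSTS)


def triage_line(line):
    """Return the reasons this HijackThis line deserves a look; an empty list means no flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append(ORPHAN)
    if section == "O2" and "(no name)" in body:
        reasons.append(NONAME)
    if section == "O4":
        # Everything after the "[name] " label is the command line.
        path = body.split("] ", 1)[1].lower() if "] " in body else body.lower()
        if any(p in path for p in ("\\application data\\", "\\local settings\\", "\\temp\\")):
            reasons.append(PROFILE_AUTORUN)
    if section == "O16":
        um = URL_RE.search(body)
        if um and not host_is_known_good(um.group(1)):
            reasons.append(f"ActiveX download from non-allow-listed host {um.group(1)}")
    if section.startswith("R") and "about:blank" in body:
        reasons.append(ABOUT_BLANK)
    return reasons


def triage_log(text):
    """Map each flagged log line to its list of reasons, preserving log order."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run as-is it prints the six flagged lines from the sample with their reasons; the Acrobat BHO and the Norton autorun pass clean, the Spybot helper is flagged only on the weak "(no name)" signal, and the Microsoft-hosted ActiveX control is accepted by the allow-list while the mt-download.com one is not.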

This will take a couple or more steps to fix.

Be sure to follow the next set of steps carefully, in the exact order specified:

-Open the FINDnFIX\Keys1 Subfolder!

- Locate the "MOVEit.bat" file, right-click on it, select->edit:

The file will open as a text file.

-Copy and paste the entire highlighted line in the following quote box (all one line) into the 'MOVEit' file, replacing its contents:

move %WinDir%\System32\CTLO.DLL %SystemDrive%\junkxxx\CTLO.DLL

Be sure to replace the text in the file with the command above!

-Save the file and close.

*Get ready to restart your computer:

-In the same folder, DoubleClick on the "FIX.bat" file.

You will be prompted by a popup -Alert to restart in 15 seconds.

-Allow it to restart the computer!

-On restart, navigate to:

C:\FINDnFIX\ main folder:

-DoubleClick on the "RESTORE.bat" file.

It'll run and produce a new log (log1.txt). Post it here!

We need to get rid of your temp.sp.html, then finish cleaning up the HJT log.


When I right click MOVEit.bat, I do not get an edit option. I get

 

Scan with Norton Anti virus

Winzip

Send to

Cut

Copy

Create Shortcut

Delete

Rename

Properties

 

Am I not understanding your instructions?

Thanks


No, you understand just fine... some "hacked" versions of XP don't have the edit option.

You can either manually open Moveit.bat with Notepad and make the replacement, OR do the following in the quote box:

*Get ready to restart:

- DoubleClick on the "FIX.bat" file in the 'FINDnFIX'\Keys1 Subfolder.

-Wait for the popup -Alert to restart your computer in 15 seconds.

On restart, navigate to the System32 folder:

-Locate and select the "SQLIGCTLO.DLL" file (as it will be visible)

And use the folder's top menu>edit> move to folder...

Select C:\junkxxx as the destination and move the "SQLIGCTLO.DLL" there.

--------------------------------------------------------------

Run the "RESTORE.bat" file, wait for it, and post the 'log1.txt' file!

Edited canned speech :blush: :whistle:

Edited by jwbirdsong


Make sure you are set to show hidden files and folders:

Show Hidden Files and Folders

Sorry, I used a canned fix and didn't change it; here is the proper option 2:

*Get ready to restart:

- DoubleClick on the "FIX.bat" file in the 'FINDnFIX'\Keys1 Subfolder.

-Wait for the popup -Alert to restart your computer in 15 seconds.

On restart, navigate to the System32 folder:

-Locate and select the "CTLO.DLL" file (as it will be visible)

And use the folder's top menu>edit> move to folder...

Select C:\junkxxx as the destination and move the "CTLO.DLL" there.

--------------------------------------------------------------

Run the "RESTORE.bat" file, wait for it, and post the 'log1.txt' file!

Edited by jwbirdsong


Show hidden files and folders is enabled. Ran above instructions, but ctlo.dll is not in system32. We already did this once. Ctlo.dll is in C:\junkxxx and is named ctlo.222. At this point, can I open MOVEit.bat in notepad, replace the text with the indicated text in your earlier post?

Thanks


Yes, please.

I didn't realise you had gotten that far because of my mis-labeled instruction; you said SQLIG.DLL wasn't found when I should have had you looking for ctlo. Didn't realise you had proceeded. Change Moveit and run Fix.bat, then restore.bat on restart, then post log1.txt.

Edited by jwbirdsong


I was denied access to the site after your last post last night. One-hour drive home, so I left.

Here is the latest FnF log.

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Tue 07/06/2004

9:17pm up 0 days, 0:04

 

Microsoft Windows 2000 [Version 5.00.2195]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\JUNKXXX\CTLO.222

 

 

C:\JUNKXXX\

ctlo.222 Fri Jun 18 2004 7:47:14p A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\CTLO.222

 

**File C:\JUNKXXX\CTLO.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- CTLO .222 0000E000 19:47.14 18/06/2004

 

move %WinDir%\System32\CTLO.DLL %SystemDrive%\junkxxx\CTLO.DLL

 

 

 

--a-- W32i - - - - 57,344 06-18-2004 ctlo.222

A C:\junkxxx\ctlo.222

File: <C:\junkxxx\ctlo.222>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

»»Permissions:

C:\junkxxx\ctlo.222 Everyone:(special access:) SYNCHRONIZE

FILE_EXECUTE

 

NT AUTHORITY\SYSTEM:F

BUILTIN\Administrators:F

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000013 tco- 001F01FF ---- DSPO rw+x COMPAQDPMM\MICHAEL

 

Owner: BUILTIN\Administrators

 

Primary Group: DOMAIN\Domain Admins

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000003 tco- 001F01FF ---- DSPO rw+x COMPAQDPMM\MICHAEL

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

File "C:\junkxxx\ctlo.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: BUILTIN\Administrators

 

Primary Group: DOMAIN\Domain Admins

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Tue Jun 29 2004 6:33:32p A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

 

C:\WINDOWS\SYSTEM32\

notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Tue Dec 7 1999 7:00:00a A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows ® 2000 Operating System

ProductVersion 5.00.2140.1

FileVersion 5.00.2140.1

LegalCopyright Copyright © Microsoft Corp. 1981-1999

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050000:085c0001 (5.0:2140.1)

ProdVer: 00050000:085c0001 (5.0:2140.1)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

00001150: ?

00001190: X

000011D0: vk \ DeviceNotSelectedTimeout 1 5 `

00001210: 0 vk ' GDIProcessHandleQuota

00001250:eQuotask vk x Spooler y e s ,

00001290: vk , swapdisk vk Transmis

000012D0:sionRetryTimeout 9 0 ` vk ' " USERProc

00001310:essHandleQuota vk AppInit_DLLsouts

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

 

---------- WIN.TXT

AppInit_DLLsc

 

---------- NEWWIN.TXT

AppInit_DLLsouts¸

--------------

yes

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

00001338: 01 00 00 00 01 00 02 00 . 5F 44 4C 4C 73 6F 75 74 ........ _DLLsout

**File C:\FINDnFIX\NEWWIN.TXT

àÿÿÿÐ X ? ° ð Ðÿÿÿvk \ DeviceNotSelectedTimeoutàÿÿÿ1 5 `å °å èå 0 Èÿÿÿvk €' GDIProcessHandleQuota eQuotaskàÿÿÿvk x Spooler èÿÿÿy e s , ¯ ¯àÿÿÿvk € , swapdiskÐÿÿÿvk à TransmissionRetryTimeoutðÿÿÿ9 0 `è Ðÿÿÿvk €' " USERProcessHandleQuota Øÿÿÿvk € AppInit_DLLsouts¸ ÿÿÿÿ

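The permission tables in the FINDnFIX log above print each ACE's access mask and flags as raw hex (001F01FF, 00100020, 00000013). As an added example, not part of the thread and not FINDnFIX code, here is a Python decoder for those columns using the documented Windows file ACCESS_MASK and ACE-flag bit values from winnt.h; the sample rows are copied from the log's table for C:\junkxxx\ctlo.222. It makes concrete why the tool summarises the Everyone entry as SYNCHRONIZE + FILE_EXECUTE: that mask carries no write, delete, WRITE_DAC or WRITE_OWNER bit, so only SYSTEM and Administrators can alter or remove the file. The tool's own four-letter "Inh." column is its private notation and is not reproduced here; the flag names come from the hex Flags column.

```python
# Windows file-object ACCESS_MASK bits (winnt.h) and ACE inheritance flag bits.
FILE_ACCESS_BITS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
FILE_ALL_ACCESS = 0x001F01FF  # every bit above set; printed as 001F01FF in the log

ACE_FLAG_BITS = [
    (0x01, "OBJECT_INHERIT_ACE"),
    (0x02, "CONTAINER_INHERIT_ACE"),
    (0x04, "NO_PROPAGATE_INHERIT_ACE"),
    (0x08, "INHERIT_ONLY_ACE"),
    (0x10, "INHERITED_ACE"),
]

# Rights that let a trustee change or remove the file, or re-ACL it and then do so.
MODIFY_BITS = 0x00000002 | 0x00000004 | 0x00010000 | 0x00040000 | 0x00080000

# Rows copied from the log's  File "C:\junkxxx\ctlo.222"  table above.
SAMPLE_ROWS = """\
Allow 00000000 t--- 00100020 ---- ---- ---x \\Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\\Administrators
"""


def decode_mask(mask):
    """Name the access bits in a file ACCESS_MASK; FILE_ALL_ACCESS collapses to one name."""
    if mask == FILE_ALL_ACCESS:
        return ["FILE_ALL_ACCESS"]
    names = [name for bit, name in FILE_ACCESS_BITS if mask & bit]
    known = 0
    for bit, _ in FILE_ACCESS_BITS:
        known |= bit
    leftover = mask & ~known & 0xFFFFFFFF
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:08X})")
    return names


def decode_flags(flags):
    """Name the inheritance flags set in an ACE's Flags byte."""
    return [name for bit, name in ACE_FLAG_BITS if flags & bit]


def can_modify(mask):
    """True if the mask grants any right that lets the trustee alter, delete or re-ACL the file."""
    return bool(mask & MODIFY_BITS)


def parse_ace_row(row):
    """Parse one 'Type Flags Inh. Mask Gen. Std. File Trustee' row as the log prints it.
    The trustee may contain spaces (NT AUTHORITY\\SYSTEM), so it is the remainder of the row."""
    typ, flags, _inh, mask, _gen, _std, _file, trustee = row.split(None, 7)
    return {"type": typ, "flags": int(flags, 16), "mask": int(mask, 16), "trustee": trustee}


def summarize(rows_text):
    """Decode every ACE row into named rights and flags."""
    out = []
    for row in rows_text.splitlines():
        if not row.strip():
            continue
        ace = parse_ace_row(row)
        out.append({
            "trustee": ace["trustee"],
            "type": ace["type"],
            "rights": decode_mask(ace["mask"]),
            "flags": decode_flags(ace["flags"]),
            "can_modify": can_modify(ace["mask"]),
        })
    return out


def who_can_modify(rows_text):
    """Trustees holding an Allow ACE that permits modifying the file.
    The log shows only Allow rows; in a canonical DACL explicit Deny ACEs precede
    explicit Allow ACEs, so a real checker would honour Deny rows first."""
    return [a["trustee"] for a in summarize(rows_text) if a["type"] == "Allow" and a["can_modify"]]


if __name__ == "__main__":
    for ace in summarize(SAMPLE_ROWS):
        print(f'{ace["trustee"]:28} {ace["type"]:5} {", ".join(ace["rights"])}')
    print("can modify:", who_can_modify(SAMPLE_ROWS))
```

The same decode_flags() explains the directory rows further up the log: Flags 00000013 is OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERITED_ACE, while the file's own ACEs have Flags 00000000, i.e. they were set explicitly on ctlo.222 rather than inherited from C:\junkxxx.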

What I need is a copy of log1 from this operation (should have been the last thing you did, yes??)

-DoubleClick on the "RESTORE.bat" file.

It'll run and produce a new log (log1.txt). Post it here!

Please disregard and see next post.

We're getting there!

PS for what it's worth... everyone was denied access just after my last post; they turned the whole site off for an hour or two.

Edited by jwbirdsong


Please disregard my last post; I worked a 14 hr day and was too tired to do a log, I guess; all I saw was the HJT log... sorry. Here is the next step:

Open the FINDnFIX\Files2 Subfolder:

Run the -> "ZIPZAP.bat" file.

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip)

When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\, and be sure the C:\junkxxx folder was deleted (as part of the cleanup process)

As for the remains, run any and all removal tools once again, as they should work properly now!

In particular, CWShredder.exe and fully updated Ad-Aware!

 

AdAware download and SETTINGS:

Now download Ad-Aware at http://www.lavasoftusa.com/support/download/

After installing AAW, and before running the program, FIRST update the reference file following these instructions.

- On the main AdAware screen hit the Check for Updates, hit the 'Connect' key; it will then connect, check for then ask if you want to download latest Ref. files (if one is available), accept. Once downloaded hit "Finish" (Green Checkmark)

 

Now do the following:

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

 

Press "Scan Now"

 

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

 

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys. Click 'Next' again

Right-click in that pane and choose "select all"

 

If it finds "bad" files and registry keys, press "Next" again

It will ask you whether you'd like to remove all checked items. Click OK.

 

Finally, close Ad-Aware, and reboot.

Please post follow up hijackthis log when done!


Followed above instructions. Here is latest Hijackthis log.

 

Logfile of HijackThis v1.98.0

Scan saved at 1:19:36 PM, on 7/8/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\msdtc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\System32\mspmspsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\mqsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\HIJACKTHIS1.98\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE

O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS1\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O17 - HKLM\System\CS2\Services\Tcpip\..\{4A8C572A-1294-4B38-934A-A2E6C204740E}: NameServer = 207.191.50.10,207.191.1.10

O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - (no file)


Really sorry about the long delays in answering your last two or three posts; I started working crazy hours the day I started your log. Oh well, I guess all that's left to say is......

Congratulations, your log is clean.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature.

And also see TonyKlein's good advice in

So how did I get infected in the first place?

Edited by jwbirdsong
