browser won't load any site


9 replies to this topic

#1 kingme2

kingme2

    Member

  • Full Member
  • 5 posts

Posted 02 July 2004 - 03:10 PM

I followed just about every step I read about on this site to kill these problems, but the home page still wants to revert back to some funky dll name. Now I can't get the browser to load any site. It just sits there churning away no matter what address I type in. Every time I open or close the browser, spybot captures some process trying to modify my home page/search page.

I'm having to enter this message on my laptop (which is on the same network, so network conditions are fine).

Thanks for the great site to help out these extremely annoying problems!

Here is my hijack file:

Logfile of HijackThis v1.97.7
Scan saved at 4:08:07 PM, on 7/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\termsrv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RsFsa.exe
D:\WINNT\system32\RsSub.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
D:\WINNT\System32\lserver.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\twain_32\paprport\3100b\flatbed.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Messenger\msmsgs.exe
G:\downloads\FreeRAM XP Pro 1.40.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\WINNT\system32\taskmgr.exe
D:\Program Files\Navnt\navapw32.exe
D:\MSSQL7\Binn\sqlmangr.exe
D:\America Online 5.0a\aoltray.exe
D:\Program Files\Palm\HotSync.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\ipsr.exe
D:\WINNT\system32\iprw32.exe
D:\Program Files\Outlook Express\msimn.exe
G:\downloads\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {FA1A733B-146C-5CE8-33DC-846D60FEAB54} - D:\WINNT\msxe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O4 - HKLM\..\Run: [PowerQuest Startup Utility] D:\Program Files\PowerQuest\PartitionMagic4\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [NPS Event Checker] D:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] D:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [PP3100b] D:\WINNT\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ipsr.exe] D:\WINNT\ipsr.exe
O4 - HKCU\..\Run: [MSMSGS] D:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [FreeRAM XP] "G:\downloads\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = D:\America Online 5.0a\aoltray.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HotSync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\frontpage2002\Office10\OSA.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &NeoTrace It! - D:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yaho...bar/yiebio3.cab
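The entries the helper singles out in this thread follow a few recognisable shapes, and they are easy to pick out mechanically once you know them. The following is an added example, not code from the thread or from HijackThis itself: a small Python triage pass over lines copied from the posted logs. It flags a BHO with no display name whose DLL sits directly in the Windows directory, a Run entry that launches an executable from the Windows root, a search page redirected to a file:// URL under Temp, and a DPF entry that goes through the ms-its:mhtml: handler chain (the drive-by installer form that abused IE's MHTML URL handling, fixed in MS04-013). The allow-list of known-good CLSIDs is an assumption for the example.

```python
"""Triage heuristics for HijackThis v1.97-era log lines.

Added example: not code from the original thread or from HijackThis itself.
The sample lines are copied from the logs posted in this thread; the
heuristics encode what the helper flagged by eye. The allow-list of
known-good CLSIDs is an assumption for the example.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str    # why the line deserves a second look
    line: str      # the offending log line


# Line shapes as HijackThis prints them (see the logs above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
R1_RE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")

# A file sitting directly under the Windows directory, not in a sub-folder.
WIN_ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\(WINNT|WINDOWS)\\[^\\]+\.(exe|dll)$", re.IGNORECASE)

# Assumption for the example: CLSIDs of the benign controls seen in the logs.
KNOWN_CLSIDS = {
    "13F537F0-AF09-11D6-9029-0002B31F9E59",  # Yahoo! Companion BHO
    "EF99BD32-C1FB-11D2-892F-0090271D4F88",  # Yahoo! Companion toolbar / DPF
    "D27CDB6E-AE6D-11CF-96B8-444553540000",  # Shockwave Flash Object
}


def _command_exe(cmd: str) -> str:
    """Return the executable path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split(" ")[0]


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to one log line; an empty list means nothing flagged."""
    out: List[Finding] = []
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.group("name"), m.group("clsid").upper(), m.group("path")
        if name == "(no name)":
            out.append(Finding("O2", "BHO registered without a display name", line))
        if path == "(no file)":
            out.append(Finding("O2", "orphaned BHO registration (DLL already gone)", line))
        elif clsid not in KNOWN_CLSIDS and WIN_ROOT_FILE_RE.match(path):
            out.append(Finding("O2", "unknown BHO DLL dropped directly in the Windows directory", line))
        return out
    m = O4_RE.match(line)
    if m:
        if WIN_ROOT_FILE_RE.match(_command_exe(m.group("cmd"))):
            out.append(Finding("O4", "Run entry launches an .exe from the Windows root", line))
        return out
    m = R1_RE.match(line)
    if m:
        value = m.group("value").lower()
        if value.startswith("file://") and "\\temp\\" in value:
            out.append(Finding("R1", "search/start page points at a local file in Temp", line))
        return out
    m = O16_RE.match(line)
    if m:
        url, clsid = m.group("url").lower(), m.group("clsid").upper()
        if url.startswith("ms-its:") or "mhtml:" in url:
            out.append(Finding("O16", "DPF fetched through the ms-its:/mhtml: handler chain", line))
        elif re.match(r"^https?://\d{1,3}(\.\d{1,3}){3}", url):
            out.append(Finding("O16", "DPF downloaded from a bare IP address", line))
        elif not m.group("name") and clsid not in KNOWN_CLSIDS:
            out.append(Finding("O16", "unnamed DPF control with an unknown CLSID", line))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole pasted log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        findings.extend(triage_line(raw.strip()))
    return findings


# Lines copied from the logs posted in this thread (first, second and fourth scans).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {FA1A733B-146C-5CE8-33DC-846D60FEAB54} - D:\WINNT\msxe.dll
O2 - BHO: (no name) - {C139F89E-979B-4E2F-A916-16BCC3D78324} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ipsr.exe] D:\WINNT\ipsr.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ADMINI~1.ATI\LOCALS~1\Temp\sp.html
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as-is it prints seven findings for the sample and nothing for the Yahoo! and Shockwave lines. The heuristics are deliberately narrow: a "(no name)" BHO or an executable living in the Windows root is not proof of anything on its own, but in a log like the ones above they are exactly the lines a helper asks you to fix first.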

#2 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • 1,306 posts

Posted 02 July 2004 - 11:35 PM

The biggest security risk you have is that you are still running IE5. You need to download and install IE6 sp1.

http://www.microsoft...p1/default.mspx

Download About:Buster by RubbeR DuckY from

http://www.atribune....AboutBuster.zip

Then Unzip it to your desktop. Do not run it yet. Print these directions or paste them into a text document as you will be running with your internet explorer closed. Restarting internet explorer may cause a reinfection.

Run another HijackThis scan and place a check next to the following entries.

O2 - BHO: (no name) - {FA1A733B-146C-5CE8-33DC-846D60FEAB54} - D:\WINNT\msxe.dll
O4 - HKLM\..\Run: [ipsr.exe] D:\WINNT\ipsr.exe

Then close all windows and click the fix checked button. Now startup About:Buster. Hit ok on the first prompt and then hit start. Next hit ok. Wait till the scan completes and copy the report and save it somewhere. Rerun About:Buster to make sure everything was deleted. Then restart your computer.

It is now safe to reopen Internet explorer. Please post a new hijack this log along with a report.

#3 kingme2

kingme2

    Member

  • Full Member
  • 5 posts

Posted 03 July 2004 - 09:19 PM

Great! Thanks for the help! You guys are the best!

I think things are looking up. Here is my latest hijack:

Logfile of HijackThis v1.97.7
Scan saved at 10:21:44 PM, on 7/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\termsrv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RsFsa.exe
D:\WINNT\system32\RsSub.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
D:\WINNT\System32\lserver.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\twain_32\paprport\3100b\flatbed.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Messenger\msmsgs.exe
G:\downloads\FreeRAM XP Pro 1.40.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Navnt\navapw32.exe
D:\MSSQL7\Binn\sqlmangr.exe
D:\America Online 5.0a\aoltray.exe
D:\Program Files\Palm\HotSync.exe
G:\downloads\HijackThis.exe
D:\Program Files\Outlook Express\msimn.exe
G:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ADMINI~1.ATI\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ADMINI~1.ATI\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ADMINI~1.ATI\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O4 - HKLM\..\Run: [PowerQuest Startup Utility] D:\Program Files\PowerQuest\PartitionMagic4\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [NPS Event Checker] D:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] D:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [PP3100b] D:\WINNT\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [MSMSGS] D:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [FreeRAM XP] "G:\downloads\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = D:\America Online 5.0a\aoltray.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HotSync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\frontpage2002\Office10\OSA.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &NeoTrace It! - D:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yaho...bar/yiebio3.cab

#4 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • 1,306 posts

Posted 04 July 2004 - 01:17 PM

Looks like the infection has changed to a slightly different version.

Download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results here.

http://downloads.sub...rg/FINDnFIX.exe

#5 kingme2

kingme2

    Member

  • Full Member
  • 5 posts

Posted 04 July 2004 - 11:49 PM

Ok, thanks again. These darn tricky bugs:


*** freeatlast100.100free.com ***

Microsoft Windows 2000 [Version 5.00.2195]
IE build and last SP(s)
6.0.2800.1106 SP1
The type of the file system is NTFS.
D: is not dirty.

Mon 07/05/2004
0:42am up 1 day, 2:45

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...

D:\WINNT\System32\D3DNID.DLL +++ File read error
\\?\D:\WINNT\System32\D3DNID.DLL +++ File read error

(*2*) ........
**File D:\FINDnFIX\LIST.TXT
D3DNID.DLL Can't Open!

(*3*) ........

D:\WINNT\SYSTEM32\
d3dnid.dll Tue Jun 8 2004 11:35:28p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

D:\WINNT\SYSTEM32\
gancg.dll Mon Jun 7 2004 3:31:30p A.SH. 71,168 69.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 71,168 bytes 69.50 K

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\WINNT\SYSTEM32\D3DNID.DLL
Sniffed -> D:\WINNT\SYSTEM32\GANCG.DLL


(***5***)
**File D:\WINNT\SYSTEM32\DLLXXX.TXT
Access denied ..................... D3DNID.DLL .....57344 08.06.2004
*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group ATILLA\None.
User is a member of group \Everyone.
User is a member of group ATILLA\OLAP Administrators.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Notepad check....

D:\WINNT\
notepad.exe Tue Dec 7 1999 8:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

D:\WINNT\SYSTEM32\
notepad.exe Tue Dec 7 1999 8:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

D:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Tue Dec 7 1999 8:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "D:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: ATILLA\None



Backups created...
0:44am up 1 day, 2:47
Mon 07/05/2004

A D:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-05-2004 winback.hiv
A D:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-05-2004 winkey.reg

Performing 16bit string scan....
00001150: ?
00001190: H x
000011D0: vk r DeviceNotSelectedTimeout 1 5
00001210: P vk ' c GDIProcessHandleQuota o vk
00001250: h n Spooler y e s n i vk "
00001290:swapdisk vk 3 TransmissionRetryTimeout 9 0
000012D0: vk ' e USERProcessHandleQuotav vk
00001310:: 0 AppInit_DLLsel E D : \ W I N N T \ S y s t e
00001350:m 3 2 \ d 3 d n i d . d l l
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLselED
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""


**File D:\FINDnFIX\WIN.TXT
          H x    vk     r DeviceNotSelectedTimeout1 5    P vk  '   c GDIProcessHandleQuota o vk  h   n Spooler y e s n i vk    " swapdiskvk     3 TransmissionRetryTimeout9 0   vk  '   e USERProcessHandleQuotav vk : 0   AppInit_DLLselED : \ W I N N T \ S y s t e m 3 2 \ d 3 d n i d . d l l ?
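The part of this log that matters is the AppInit_DLLs value. Both registry dumpers print it as empty, FINDnFIX reports a missing trailing NUL, and the raw 16-bit string scan of the hive still shows D:\WINNT\System32\d3dnid.dll behind it. That is the same file the scanner could not open, which is what you expect of a DLL that AppInit_DLLs injects into every process loading user32.dll. REG_SZ data is just a UTF-16LE byte buffer: Windows does not force it to end in a NUL, and any tool that treats the returned buffer as a C string stops at the first NUL it meets, so the API view and the raw bytes can disagree. The following is an added example, not code from the thread or from FINDnFIX, that compares those two views. The byte buffers are constructed to show three ways they can diverge; the exact layout this particular variant wrote is not visible on the page and is an assumption, and the "legit" hook DLL path is hypothetical.

```python
r"""Compare the API-visible view of a REG_SZ value with its raw bytes.

Added example: not code from the original thread or from FINDnFIX. REG_SZ
data is a UTF-16LE buffer that Windows does not require to be NUL-terminated;
a tool that prints it as a C string stops at the first NUL. The sample
buffers are constructed; only the d3dnid.dll path is taken from the hive
string scan posted above.
"""
from typing import Dict

NUL = b"\x00\x00"  # one UTF-16LE code unit of U+0000


def analyse_reg_sz(raw: bytes) -> Dict[str, object]:
    """Return the C-string view, the full text, and whether the buffer looks tampered with."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be UTF-16LE, so its length must be even")
    units = [raw[i:i + 2] for i in range(0, len(raw), 2)]
    try:
        first_nul = units.index(NUL)
    except ValueError:
        first_nul = None                      # no terminator anywhere in the buffer
    terminated = bool(units) and units[-1] == NUL
    c_units = units if first_nul is None else units[:first_nul]
    c_string = b"".join(c_units).decode("utf-16-le", "replace")      # what regedit-style tools show
    full_text = b"".join(u for u in units if u != NUL).decode("utf-16-le", "replace")
    hidden_text = full_text[len(c_string):]   # text a C-string reader never reaches
    return {
        "c_string": c_string,
        "full_text": full_text,
        "terminated": terminated,
        "first_nul_index": first_nul,
        "hidden_text": hidden_text,
        "suspicious": (not terminated) or hidden_text != "",
    }


def enc(text: str, terminate: bool = True) -> bytes:
    """UTF-16LE encode as RegSetValueEx would store it, optionally without the NUL."""
    return text.encode("utf-16-le") + (NUL if terminate else b"")


# Path copied from the hive string scan above; every buffer below is constructed.
APPINIT_PATH = r"D:\WINNT\System32\d3dnid.dll"

SAMPLES: Dict[str, bytes] = {
    "default_empty":     enc(""),                                   # stock Windows 2000: "" plus NUL
    "legit_hook_dll":    enc(r"C:\Program Files\Vendor\hook.dll"),  # hypothetical, well-formed
    "leading_nul":       NUL + enc(APPINIT_PATH),                   # C-string readers print ""
    "no_terminator":     enc(APPINIT_PATH, terminate=False),        # "missing trailing NULL"
    "payload_after_nul": enc("hook.dll") + enc(APPINIT_PATH),       # visible decoy, hidden real path
}


def suspicious_samples(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether analyse_reg_sz() flags it."""
    return {name: bool(analyse_reg_sz(data)["suspicious"]) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = analyse_reg_sz(data)
        print(f"{name:18} terminated={r['terminated']!s:5} "
              f"c_string={r['c_string']!r} hidden={r['hidden_text']!r} suspicious={r['suspicious']}")
```

The practical lesson is the one FINDnFIX applies: when a registry value that can load code into every process prints as empty, read the bytes (or the hive) rather than trusting the string a dumper shows you, and treat a non-terminated or NUL-prefixed buffer as hostile until proven otherwise. On a live Windows box the raw bytes come back from RegQueryValueEx (winreg.QueryValueEx in Python returns the decoded string, so it is not enough on its own).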

#6 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • 1,306 posts

Posted 05 July 2004 - 11:37 AM

This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:

-Open the "FINDnFIX\Keys1" Subfolder!
-Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
-Copy and paste the entire highlighted line in the following bold text.
(all one line) into that blank 'MOVEit' file:

move %WinDir%\System32\D3DNID.DLL %SystemDrive%\junkxxx\D3DNID.DLL

-Save the file and close.
-Get ready to restart your computer.
-In the same folder, DoubleClick on the "FIX.bat" file.
-You will be prompted by popup Alert to restart in 15 seconds.
-Allow it to restart the computer!
-On restart, Navigate to: C:\FINDnFIX\ main folder:
-DoubleClick on the "RESTORE.bat" file.
-It'll run and produce new log. (log1.txt) post it here!

#7 kingme2

kingme2

    Member

  • Full Member
  • 5 posts

Posted 06 July 2004 - 09:00 AM

Ok, Thanks again! I seem to still have the old bug that wants to rewrite my home page. Spybot caught it. I'm including the log you just requested as well as a hijack this log that still shows some problems.

I haven't used the infected machine at all, so I don't imagine I got reinfected.


*** freeatlast100.100free.com ***

Tue 07/06/2004
9:51am up 0 days, 0:09

Microsoft Windows 2000 [Version 5.00.2195]
IE build and last SP(s)
6.0.2800.1106 SP1
The type of the file system is NTFS.
D: is not dirty.

***LOG1!***
Scanning for file(s) in System32...

(1)

(2)
**File D:\FINDnFIX\LIST.TXT

(3)

No matches found.

D:\WINNT\SYSTEM32\
gancg.dll Mon Jun 7 2004 3:31:30p A.SH. 71,168 69.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 71,168 bytes 69.50 K

(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\WINNT\SYSTEM32\GANCG.DLL

(***5***)
**File D:\WINNT\SYSTEM32\DLLXXX.TXT

* Scanning for moved file... *
* result\\?\D:\JUNKXXX\D3DNID.222


D:\JUNKXXX\
d3dnid.222 Tue Jun 8 2004 11:35:28p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\JUNKXXX\D3DNID.222

**File D:\JUNKXXX\D3DNID.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2......

A----- D3DNID .222 0000E000 23:35.28 08/06/2004

move %WinDir%\System32\D3DNID.DLL %SystemDrive%\junkxxx\D3DNID.DLL



--a-- W32i - - - - 57,344 06-08-2004 d3dnid.222
A D:\junkxxx\D3DNID.222
File: <D:\junkxxx\D3DNID.222>CRC-32 : D5C9FB2EMD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
Permissions:
D:\junkxxx\D3DNID.222 Everyone:(special access:) SYNCHRONIZE
FILE_EXECUTE

NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

Directory "D:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BUILTIN\Administrators

Primary Group: ATILLA\None

Directory "D:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "D:\junkxxx\D3DNID.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: BUILTIN\Administrators

Primary Group: ATILLA\None


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Notepad check....

D:\WINNT\
notepad.exe Tue Dec 7 1999 8:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

D:\WINNT\SYSTEM32\
notepad.exe Tue Dec 7 1999 8:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

D:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Tue Dec 7 1999 8:00:00a A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: ?
00001190: P
000011D0: vk r DeviceNotSelectedTimeout 1 5
00001210: P vk ' c GDIProcessHandleQuota o
00001250: vk p n Spooler y e s n i vk
00001290: " swapdisk vk 3 TransmissionRetryTimeout
000012D0: 9 0 vk ' e USERProcessHandleQuotav
00001310: vk W AppInit_DLLson P! p 4 _c
00001350: `bka
00001390: u ] ]
000013D0: 0 8 h 8 @ ^ P! P! b
00001410: b P Y p 4 _c b b
00001450:P Y P" Fga u u
00001490: 0 8 h 8 ^ P!
000014D0: P! b b P Y p 4 _c
00001510: b b P Y P" Fga
00001550:

---------- WIN.TXT
AppInit_DLLselED

---------- NEWWIN.TXT
AppInit_DLLson
**File D:\FINDnFIX\NEWWIN.TXT
**File D:\FINDnFIX\NEWWIN.TXT
00001328: 01 00 00 00 01 00 57 00 . 5F 44 4C 4C 73 6F 6E 00 ......W. _DLLson.
**File D:\FINDnFIX\NEWWIN.TXT
           P     vk     r DeviceNotSelectedTimeout1 5    P vk  '   c GDIProcessHandleQuota o vk  p   n Spooler y e s n i vk    " swapdiskvk     3 TransmissionRetryTimeout9 0   vk  '   e USERProcessHandleQuotav vk    W AppInit_DLLson P! p4_c  `bka  u ] ]    0 8 h 8   @ ^ P! P! b b PYp4_c   b b PYP"Fga   ? u u    0 8 h 8    ^ P! P! b b PYp4_c   b b PYP"Fga    ? (    ( (   p[ ?    0 0 ` 0   0 0 b P! P! |9_c  0.mbka  ̶      0 8 h 8   0 ^ P! P! pg pg ?Y |9_c   pg pg ?Y?Fga    ̶ ̶    0 8 h 8    ^ P! P! pg pg ?Y |9_c   pg pg ?Y?Fga     (    ( (   p[  ?    0 0 ` 0   0 0 ^ P! P! |9_c  0.mbka  #      ` 8 8 T



------------------------------------------------------------
HIJACK THIS LOG
------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:00:53 AM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\termsrv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RsFsa.exe
D:\WINNT\system32\RsSub.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
D:\WINNT\System32\lserver.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\wuauclt.exe
D:\WINNT\twain_32\paprport\3100b\flatbed.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Messenger\msmsgs.exe
G:\downloads\FreeRAM XP Pro 1.40.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Navnt\navapw32.exe
D:\MSSQL7\Binn\sqlmangr.exe
D:\America Online 5.0a\aoltray.exe
D:\Program Files\Palm\HotSync.exe
D:\WINNT\system32\taskmgr.exe
G:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ADMINI~1.ATI\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ADMINI~1.ATI\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ADMINI~1.ATI\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {C139F89E-979B-4E2F-A916-16BCC3D78324} - (no file)
O2 - BHO: (no name) - {FA1A733B-146C-5CE8-33DC-846D60FEAB54} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O4 - HKLM\..\Run: [PowerQuest Startup Utility] D:\Program Files\PowerQuest\PartitionMagic4\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [NPS Event Checker] D:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] D:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [PP3100b] D:\WINNT\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [MSMSGS] D:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [FreeRAM XP] "G:\downloads\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = D:\America Online 5.0a\aoltray.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HotSync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\frontpage2002\Office10\OSA.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &NeoTrace It! - D:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37...m::/on-line.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yaho...bar/yiebio3.cab

#8 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 07 July 2004 - 01:34 PM

Open the FINDnFIX\Files2 subfolder and run the "ZIPZAP.bat" file. It will quickly clean the rest.
When done, restart your computer and delete the entire 'FINDnFIX' file and folder(s) from C:\.
Post a follow-up HijackThis log when done!

#9 kingme2

kingme2

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 08 July 2004 - 10:55 AM

Wow, these are some nasty bugs. Did what you posted and here is the latest hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 11:56:31 AM, on 7/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\termsrv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\RsFsa.exe
D:\WINNT\system32\RsSub.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
D:\WINNT\System32\lserver.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\wuauclt.exe
D:\WINNT\twain_32\paprport\3100b\flatbed.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Messenger\msmsgs.exe
G:\downloads\FreeRAM XP Pro 1.40.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Navnt\navapw32.exe
D:\MSSQL7\Binn\sqlmangr.exe
D:\America Online 5.0a\aoltray.exe
D:\Program Files\Palm\HotSync.exe
D:\Program Files\Outlook Express\msimn.exe
G:\downloads\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {C139F89E-979B-4E2F-A916-16BCC3D78324} - (no file)
O2 - BHO: (no name) - {FA1A733B-146C-5CE8-33DC-846D60FEAB54} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O4 - HKLM\..\Run: [PowerQuest Startup Utility] D:\Program Files\PowerQuest\PartitionMagic4\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [NPS Event Checker] D:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] D:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [PP3100b] D:\WINNT\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [MSMSGS] D:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [FreeRAM XP] "G:\downloads\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = D:\America Online 5.0a\aoltray.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HotSync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\frontpage2002\Office10\OSA.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: &NeoTrace It! - D:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yaho...bar/yiebio3.cab

#10 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 08 July 2004 - 01:42 PM

Have HijackThis fix these two entries:
O2 - BHO: (no name) - {C139F89E-979B-4E2F-A916-16BCC3D78324} - (no file)
O2 - BHO: (no name) - {FA1A733B-146C-5CE8-33DC-846D60FEAB54} - (no file)

Download CoolWebShredder, unzip it and click Fix.

Download the latest version of Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
http://www.lavahelp....dref/index.html
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

Then let's see one more HijackThis log.
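The three kinds of log entries this thread singles out (an O2 BHO registered with "(no file)", an R1 search page redirected to sp.html in a Temp folder, and an O16 DPF that pulls a download through the ms-its:/mhtml: handler instead of an ordinary http CAB source) can be picked out mechanically. The following is an added triage script, not a tool from the thread or from HijackThis; the sample lines are constructed after the ones quoted above, and the O16 URL is a placeholder rather than the address in the original log.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis lines quoted in this thread.
# The O16 download URL is a placeholder, not the address from the original log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = file://D:\\DOCUME~1\\ADMINI~1.ATI\\LOCALS~1\\Temp\\sp.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - D:\\Program Files\\Yahoo!\\Companion\\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {C139F89E-979B-4E2F-A916-16BCC3D78324} - (no file)
O2 - BHO: (no name) - {FA1A733B-146C-5CE8-33DC-846D60FEAB54} - (no file)
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\\foo.mht!http://placeholder.invalid/on-line.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O16, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Flag the entry types this thread's helper told the poster to fix."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, header lines, blanks
        code, body = m.group("code"), m.group("body")
        if code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(code, "BHO registered with no backing DLL (orphaned hijacker entry)", raw))
        elif code in ("R0", "R1") and re.search(r"file://.*\\temp\\", body, re.IGNORECASE):
            findings.append(Finding(code, "IE search/start page redirected to a local file in a Temp folder", raw))
        elif code == "O16" and "ms-its:" in body.lower():
            findings.append(Finding(code, "ActiveX download routed through the ms-its:/mhtml: handler, not a plain http CAB", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Entries that are flagged still need a human decision before HijackThis fixes them; the script only reproduces the three patterns called out in this thread, so a log with other hijack types would need more rules.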
