about:blank Hijack is driving me NUTS


8 replies to this topic

#1 raindog

Posted 02 July 2004 - 06:01 PM

I picked this up on the web like everyone else.
I looked at several other victims' HijackThis logs but I couldn't find one the same.

I have the usual symptoms.
Home page repeatedly changed to about:blank. Apparent home page is a generic anonymous looking “Search For” page.
I get pop-up windows trying to sell me Spyware removal tools, of all things.
And I can get these pages and pop-ups even when not connected to the net!

Memory usage is high. Performance is very slow.

I first ran Adaware, which detected evidence of a possible browser hijack attempt. Adaware could remove the Registry settings, but they come back immediately and without a reboot.

I downloaded & ran Spybot with similar results. It found and fixed a few spybots but not this one.

I finally downloaded and ran HijackThis. I tried “fixing” the same old registry keys and they reappear.

My Log file is below (I know I should move this program to C:\HJT\. I just didn’t know it then.):

Logfile of HijackThis v1.98.0
Scan saved at 8:18:49 PM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Documents and Settings\Kevin Dana\Desktop\HJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A279A580-84E5-4A48-9F9F-1FCD81222D4B} - C:\WINNT\system32\ajdnke.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O18 - Filter: text/html - {D0E05B66-618C-4155-A343-EA32DFE3D8F8} - C:\WINNT\system32\ajdnke.dll
O18 - Filter: text/plain - {D0E05B66-618C-4155-A343-EA32DFE3D8F8} - C:\WINNT\system32\ajdnke.dll


Interesting feature: the HijackThis log shows a line that reads "F0 - system.ini: Shell= " (No Shell?)
I wonder if the actual shell is a hidden file or if malware is somehow preventing the name from going to HijackThis.
I also wonder about wfxsnt40.exe and ajdnke.dll
Or it could be any one of the other fixes. I’m way beyond my depth here.

Help.
Please.
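An added example, not from the original post and not part of HijackThis: the triage a helper does by eye on a log like the one above, written out in Python so it can be run over any HijackThis export. It parses the `R0/R1`, `F0`, `O2` and `O18` prefixes, flags search and start pages redirected to a local `file://` page, an empty `system.ini Shell=`, a nameless BHO loading from `system32`, and a DLL registered both as a MIME filter (`O18`) and as a BHO (`O2`), which lets it rewrite every page before IE renders it. The sample log is a constructed subset of the lines from the post; the severity labels are this example's own convention.

```python
import re

# Constructed sample: a subset of the HijackThis lines from the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KEVIND~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A279A580-84E5-4A48-9F9F-1FCD81222D4B} - C:\WINNT\system32\ajdnke.dll
O18 - Filter: text/html - {D0E05B66-618C-4155-A343-EA32DFE3D8F8} - C:\WINNT\system32\ajdnke.dll
O18 - Filter: text/plain - {D0E05B66-618C-4155-A343-EA32DFE3D8F8} - C:\WINNT\system32\ajdnke.dll
"""

# Every HijackThis entry is "<section> - <rest>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")


def _last_field(rest):
    """O2/O18 entries end with ' - <path>'; return that path."""
    return rest.rsplit(" - ", 1)[-1].strip()


def parse(log_text):
    """Return a list of (section, rest) tuples, skipping headers and blanks."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("rest")))
    return entries


def triage(log_text):
    """Return (severity, section, message) findings for the indicators seen
    in this thread: local-file search pages, empty Shell=, nameless BHOs in
    system32, and one DLL acting as both MIME filter and BHO."""
    findings = []
    bho_dlls = {}      # lower-cased path -> path as printed
    filter_dlls = {}   # same, for O18 MIME filters (deduplicated)
    for sec, rest in parse(log_text):
        if sec.startswith("R") and " = " in rest:
            key, _, value = rest.partition(" = ")
            if value.lower().startswith("file://"):
                findings.append(("high", sec, f"{key} points at a local file: {value}"))
        elif sec == "F0" and rest.replace(" ", "").lower() == "system.ini:shell=":
            findings.append(("medium", sec,
                             "system.ini Shell= is empty: check which shell really loads"))
        elif sec == "O2":
            path = _last_field(rest)
            bho_dlls[path.lower()] = path
            if "(no name)" in rest and "\\system32\\" in path.lower():
                findings.append(("medium", sec, f"nameless BHO loading from system32: {path}"))
        elif sec == "O18":
            path = _last_field(rest)
            filter_dlls.setdefault(path.lower(), path)
    # A DLL that is both a MIME filter and a BHO sees every page before IE
    # renders it and can inject the "Search For" page and pop-ups offline.
    for low, path in filter_dlls.items():
        if low in bho_dlls:
            findings.append(("high", "O18", f"MIME filter DLL is also a BHO: {path}"))
    return findings


if __name__ == "__main__":
    for severity, section, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {message}")
```

Run it against a full log by reading the file into `triage()`; the O4 and O16 entries are left alone on purpose, since on this log they are all recognisable Symantec, HP, Palm and Office components.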

#2 freeatlast (Retired Staff)

Posted 02 July 2004 - 06:20 PM

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....

#3 raindog

Posted 02 July 2004 - 11:41 PM

Here ya go, Bud.
Give it your best!


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q828750-Q330994-Q824145-Q832894-Q837009-Q831167
The type of the file system is FAT32.
C: is not dirty.

Fri 07/02/2004
9:42pm up 1 day, 0:33

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINNT\System32\CTLFAI.DLL +++ File read error
\\?\C:\WINNT\System32\CTLFAI.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
CTLFAI.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINNT\SYSTEM32\
ctlfai.dll Sun Jun 27 2004 5:44:52p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\CTLFAI.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group HOME\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINNT\
notepad.exe Tue Dec 7 1999 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\
notepad.exe Tue Dec 7 1999 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Tue Dec 7 1999 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone



»»»»»»Backups created...»»»»»»
9:44pm up 1 day, 0:35
Fri 07/02/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-02-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-02-2004 winkey.reg

»»Performing 16bit string scan....
00001150: ?
00001190: 8 @
000011D0: vk : 0 AppInit_DLLs C : \ W I N N T \ s
00001210:y s t e m 3 2 \ c t l f a i . d l l H vk h 0
00001250:DeviceNotSelectedTimeout 1 5 ` vk '
00001290: , GDIProcessHandleQuota 0 vk 0 Spooler
000012D0: y e s , 0 vk swapdisk vk 0
00001310: M TransmissionRetryTimeout 9 0 ` vk '
00001350: s USERProcessHandleQuotae
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLs
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

kG,cj
e<B6I
Windows
AppInit
DeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuotae

**File C:\FINDnFIX\WIN.TXT
        ŕ˙˙˙Đ 8 € ° ŕ  @ Ř˙˙˙vk : ř   0 AppInit_DLLs


#4 freeatlast (Retired Staff)

Posted 03 July 2004 - 12:25 AM

Well done!
Your bad file is positively identified on all counts!
This will take a couple or more steps to fix.
Be sure to follow the next set of steps carefully, in
the exact order specified:


-Open the FINDnFIX\Keys1 subfolder!
- Locate the "MOVEit.bat" file, right-click
on it, select -> Edit:
The file will open as a text file.
-Copy and paste the entire highlighted line in the following quote box
(all one line) into the 'MOVEit' file, replacing its contents:

move %WinDir%\System32\CTLFAI.DLL %SystemDrive%\junkxxx\CTLFAI.DLL


Be sure to Replace the text in the file with the command above!


-Save the file and close.

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart, Navigate to:
C:\FINDnFIX\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce new log. (log1.txt) post it here!
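The fix above works in three moves: a one-line batch file relocates the locked DLL out of System32 during restart (before `user32.dll` and therefore `AppInit_DLLs` can load it again), the restore step repairs the Registry key, and the sample is renamed to a harmless extension, hashed, and zipped for submission. As an added example, not FINDnFIX's own batch files, here is that quarantine-and-preserve step written in Python: move the file under a non-executable extension, verify by hash that the bytes survived the move, record CRC-32, MD5 and SHA-256 in a manifest beside it, and zip the folder. The temp directory, the fake MZ-headed sample, the `junkxxx` name and the `.222` extension are all assumptions chosen to mirror the thread; it cannot reproduce the reboot-time timing, which on Windows is the reason the original is done from a batch file at restart.

```python
import hashlib
import json
import os
import shutil
import tempfile
import zipfile
import zlib


def _digest(chunks):
    """CRC-32 (as the FINDnFIX log prints it), MD5 and SHA-256 over a chunk iterator."""
    md5, sha256, crc = hashlib.md5(), hashlib.sha256(), 0
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return {"crc32": f"{crc & 0xFFFFFFFF:08X}",
            "md5": md5.hexdigest().upper(),
            "sha256": sha256.hexdigest()}


def hash_bytes(data):
    return _digest([data])


def hash_file(path, chunk_size=65536):
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(chunk_size), b""))


def quarantine(src, qdir, neutral_ext=".222"):
    """Move src into qdir under a non-executable extension, verify the bytes
    survived the move, and write a JSON manifest beside the sample."""
    os.makedirs(qdir, exist_ok=True)
    before = hash_file(src)
    stem = os.path.splitext(os.path.basename(src))[0]
    dst = os.path.join(qdir, stem + neutral_ext)
    shutil.move(src, dst)
    after = hash_file(dst)
    if after != before:
        raise RuntimeError(f"{dst}: contents changed during quarantine")
    record = {"original": src, "quarantined": dst,
              "original_removed": not os.path.exists(src),
              "size": os.path.getsize(dst), **after}
    with open(dst + ".json", "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def package(qdir, zip_path):
    """Zip the quarantine folder (sample plus manifest) for submission and
    return the member names so the caller can check what was sent."""
    names = sorted(os.listdir(qdir))
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.write(os.path.join(qdir, name), name)
    return names


def demo():
    """Constructed run in a temp directory. The 'DLL' is a fake MZ-headed
    blob, not malware. Returns (manifest record, zip members, original bytes)."""
    root = tempfile.mkdtemp(prefix="quarantine-demo-")
    sample = b"MZ" + bytes(62) + b"constructed sample, not a real DLL\n"
    src = os.path.join(root, "system32", "CTLFAI.DLL")
    os.makedirs(os.path.dirname(src))
    with open(src, "wb") as fh:
        fh.write(sample)
    qdir = os.path.join(root, "junkxxx")
    record = quarantine(src, qdir)
    members = package(qdir, os.path.join(root, "junkxxx.zip"))
    return record, members, sample


if __name__ == "__main__":
    rec, members, _ = demo()
    print(json.dumps(rec, indent=2))
    print("archived:", members)
```

Hashing before and after the move is cheap insurance: the manifest is what you compare against when the vendor reports back on the submitted sample, and a mismatch would mean the file was still being written to when it was moved.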

#5 raindog

Posted 03 July 2004 - 02:16 PM

Did as you said. Results are encouraging!

Here is log1.txt:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Fri 12/31/1999
11:24pm up 0 days, 0:02

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q828750-Q330994-Q824145-Q832894-Q837009-Q831167
The type of the file system is FAT32.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

C:\WINNT\SYSTEM32\
ctl3dv2.dll Tue Dec 7 1999 12:00:00p A...R 27,200 26.56 K
qdcsinet.dll Fri Feb 1 2002 5:00:00p A...R 94,208 92.00 K
qdcspi.dll Fri Feb 1 2002 5:00:00p A...R 45,056 44.00 K
apitrap.dll Fri Feb 1 2002 5:00:00p A...R 86,016 84.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 252,480 bytes 246.56 K

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\CTL3DV2.DLL
Sniffed -> C:\WINNT\SYSTEM32\QDCSINET.DLL
Sniffed -> C:\WINNT\SYSTEM32\QDCSPI.DLL
Sniffed -> C:\WINNT\SYSTEM32\APITRAP.DLL

»»»*»»» Scanning for moved file... »»»*»»»
* result\\?\C:\junkxxx\CTLFAI.222


C:\JUNKXXX\
ctlfai.222 Sun Jun 27 2004 5:44:52p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\CTLFAI.222

**File C:\JUNKXXX\CTLFAI.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ŕ.

A----- CTLFAI .222 0000E000 17:44.52 27/06/2004

move %WinDir%\System32\CTLFAI.DLL %SystemDrive%\junkxxx\CTLFAI.DLL




--a-- W32i - - - - 57,344 06-27-2004 ctlfai.222
A C:\junkxxx\CTLFAI.222
File: <C:\junkxxx\CTLFAI.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\junkxxx\CTLFAI.222
Directory "C:\junkxxx\."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

Directory "C:\junkxxx\.."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

File "C:\junkxxx\CTLFAI.222"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Notepad check....

C:\WINNT\
notepad.exe Tue Dec 7 1999 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\
notepad.exe Tue Dec 7 1999 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Tue Dec 7 1999 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: ?
00001190: H x
000011D0: vk 0 DeviceNotSelectedTimeout 1 5 `
00001210: vk ' , GDIProcessHandleQuota 0 vk
00001250: h 0 Spooler y e s , 0 vk
00001290:swapdisk vk M TransmissionRetryTimeout 9 0
000012D0: ` vk ' s USERProcessHandleQuotae vk
00001310: 0 AppInit_DLLs
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLs

---------- NEWWIN.TXT
AppInit_DLLs
**File C:\FINDnFIX\NEWWIN.TXT
swapdiskĐ˙˙˙vk  Č   M TransmissionRetryTimeoutđ˙˙˙9 0  `č Đ˙˙˙vk  €'   s USERProcessHandleQuotae Ř˙˙˙vk  €   0 AppInit_DLLs

**File C:\FINDnFIX\NEWWIN.TXT
00001320: 01 00 00 00 01 00 30 00 . 5F 44 4C 4C 73 0D 00 0A ......0. _DLLs...
**File C:\FINDnFIX\NEWWIN.TXT
swapdiskĐ˙˙˙vk  Č   M TransmissionRetryTimeoutđ˙˙˙9 0  `č Đ˙˙˙vk  €'   s USERProcessHandleQuotae Ř˙˙˙vk  €   0 AppInit_DLLs

#6 freeatlast (Retired Staff)

Posted 04 July 2004 - 01:21 PM

Great progress! :thumbsup:

Last step(s):


-Open the FINDnFIX\Files2 subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, restart your computer and
delete the entire 'FINDnFIX' file+folder(s)
from C:\, and be sure the C:\junkxxx folder
was deleted (as part of the cleanup process)


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular,
CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! ;)
=======================================
EDIT:

Did as you said. Results are encouraging!

Here is log1.txt:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Fri 12/31/1999
11:24pm  up 0 days,  0:02

Microsoft Windows 2000 [Version 5.00.2195]

Your computer's date went 'wild' during this process.
Check it and be sure it's set correctly!

Edited by freeatlast, 04 July 2004 - 01:29 PM.


#7 raindog

Posted 04 July 2004 - 05:45 PM

Almost out of the woods.
Spybot keeps reporting 2 DSO Exploits. Forums suggest this may just be a Spybot bug.

I can reset my homepage and it sticks.
Memory usage is at an acceptable level.

What do you think?

Here's the latest HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 3:36:17 PM, on 7/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Documents and Settings\Kevin Dana\Desktop\HJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDA22726-93D0-4CB6-85E6-329C51BAF7A8}: NameServer = 207.217.120.83 207.217.77.82

#8 freeatlast (Retired Staff)

Posted 04 July 2004 - 06:20 PM

Consider that DsoXploit a rather well-known f/p!

All's well as expected! :thumbsup:

Be sure to keep it that way!

#9 raindog

Posted 04 July 2004 - 07:51 PM

Thanks!
You guys rock!

I'll be snail mailing a check to the site.
