About Buster and About:Blank

17 replies to this topic

#1 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 08 July 2004 - 07:49 AM

I have tried CWS Shredder and About Buster with no success. I just ran About Buster again, and then ran the newest HiJack This. Here is my log. Any help is greatly appreciated. I have read all the advice I can find on this forum and can not seem to shake this one.

Thank you in advance for your help:
[Removed at user's request. Swandog46]

Edited by Swandog46, 12 October 2005 - 09:41 PM.


#2 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 09 July 2004 - 06:10 PM

Anyone? Please help

#3 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 09 July 2004 - 06:17 PM

Reboot into safe mode. Directions on how to. Then run About:Buster two times.

Run Hijack This and tick the boxes next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DF34968A-32CB-44D6-9E05-6AA36C1745FD} - C:\WINDOWS\System32\eflf.dll
O18 - Filter: text/html - {35464D52-06E3-4B8C-AF09-A3764F0DD922} - C:\WINDOWS\System32\eflf.dll
O18 - Filter: text/plain - {35464D52-06E3-4B8C-AF09-A3764F0DD922} - C:\WINDOWS\System32\eflf.dll

Then close all windows and hit fix checked. Restart into safe mode and post a new log so that we can remove the rest of the crap.

Edited by RubbeR DuckY, 09 July 2004 - 06:17 PM.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

#4 freeatlast
    E x p l o r e r
  • Retired Staff
  • 833 posts

Posted 09 July 2004 - 06:20 PM

Won't last...

Your variant can't be fixed that way... (it's different)

Details: :whistle:
http://forums.spywar...topic=13943&hl=
http://forums.spywar...topic=14011&hl=

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....

*Note:
Do not attempt any removal steps on your own, but post the log, first!

Edited by freeatlast, 09 July 2004 - 06:23 PM.


#5 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 11 July 2004 - 02:06 PM

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....

*Note:
Do not attempt any removal steps on your own, but post the log, first!

Here it is, thank you for your help:

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\LOGFPK.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGFPK.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
LOGFPK.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
logfpk.dll Fri Jul 2 2004 11:58:20p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\LOGFPK.DLL

»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Æ Access denied ® ..................... LOGFPK.DLL .....57344 02.07.2004

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINDOWS\SYSTEM32\
logfpk.dll Fri Jul 2 2004 11:58:20p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\LOGFPK.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group YOUR-XB2X7J77GN\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Fri Jul 2 2004 11:58:32p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Fri Jul 2 2004 11:58:32p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 07-02-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000


»»»»»»Backups created...»»»»»»
2:04pm up 3 days, 5:45
Sun 07/11/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-09-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-09-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Fri Jul 9 2004 6:09:02p .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: vk > f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ l o g f p k . d l l
000011D0: h vk UDeviceNotSelectedTimeout
00001210: 1 5 ( 9 0 =t vk ' zGDIProce
00001250:ssHandleQuota" vk Spooler2 y e s _
00001290: h 0 ` vk 5swapdisk vk
000012D0: . TransmissionRetryTimeout h 0 `
00001310: vk ' a USERProcessHandleQuota,
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
fłAppInit_DLLsÖ?ęGø’’’C
--------------
--------------
C:\WINDOWS\System32\logfpk.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 62 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\logfpk.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 6c 00 6f 00 67 00 66 00 | m.3.2.\.l.o.g.f.
0030 70 00 6b 00 2e 00 64 00 6c 00 6c 00 00 00 | p.k...d.l.l...
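As an added defender-side example (my code, not the thread's or the FINDnFIX tool's), this Python rebuilds the AppInit_DLLs value from the hex dump in the log above, checks for the trailing NUL the tool complains about, lists the DLLs the value would inject into every GUI process, and maps the key size onto the tool's own printed hints. The function names and the dump parsing are my assumptions; the sample bytes and size table are copied from the log.

```python
import re

# Constructed from the "[AppInitDLLs]" hex dump in the FINDnFIX log above:
# offset, up to sixteen hex bytes, then an ASCII column after "|".
SAMPLE_DUMP_LINES = [
    r"0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.",
    r"0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.",
    r"0020 6d 00 33 00 32 00 5c 00 6c 00 6f 00 67 00 66 00 | m.3.2.\.l.o.g.f.",
    r"0030 70 00 6b 00 2e 00 64 00 6c 00 6c 00 00 00 | p.k...d.l.l...",
]

# FINDnFIX's own size hints for the ...\CurrentVersion\Windows key, copied
# from the "Size of Windows key" line in the log above.
KEY_SIZE_HINTS = {450: "default", 398: "no AppInit_DLLs value",
                  448: "fake (infected)", 504: "fake (infected)", 512: "fake (infected)"}


def parse_hex_dump(lines):
    """Rebuild the raw value bytes, checking that each line's offset is consistent."""
    data = bytearray()
    for line in lines:
        fields = line.split("|", 1)[0].split()
        if not fields:
            continue
        offset = int(fields[0], 16)
        if offset != len(data):
            raise ValueError(f"offset {offset:#06x} does not follow {len(data)} bytes")
        data.extend(int(h, 16) for h in fields[1:])
    return bytes(data)


def analyze_appinit(raw):
    """Decode a REG_SZ AppInit_DLLs value stored as UTF-16LE and report on it."""
    # A well-formed REG_SZ ends in a two-byte NUL; FINDnFIX flags a value
    # without one ("MISSING TRAILING NULL CHARACTER") as tampered.
    null_terminated = len(raw) % 2 == 0 and raw.endswith(b"\x00\x00")
    text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    # user32.dll splits the value on spaces and commas and loads every entry
    # into each new GUI process, which is why one hidden DLL survives cleanup.
    dlls = [d for d in re.split(r"[ ,]+", text) if d]
    return {"bytes": len(raw), "null_terminated": null_terminated, "dlls": dlls}


def classify_key_size(size):
    """Map the key size FINDnFIX prints onto its clean/infected hints."""
    return KEY_SIZE_HINTS.get(size, "unknown")


if __name__ == "__main__":
    raw = parse_hex_dump(SAMPLE_DUMP_LINES)
    print(analyze_appinit(raw), classify_key_size(448))
```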

#6 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 12 July 2004 - 07:26 AM

Bump for Freeatlast or anyone else that can read FindNFix logs.

#7 drunken_snowman
    Member
  • Full Member
  • 12 posts

Posted 12 July 2004 - 08:53 AM

PGPhantom - Deleted incorrect advice.

#8 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 12 July 2004 - 09:08 PM

Hmm, I am a little confused on this. Which program did you use to delete the file and hit f5?

#9 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 13 July 2004 - 06:04 PM

Bump

Help

#10 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 14 July 2004 - 07:00 PM

Bump for Freeatlast

#11 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 15 July 2004 - 08:51 PM

Bump....please.

#12 Daemon
    Security Expert
  • Emeritus
  • 3,350 posts

Posted 16 July 2004 - 12:15 PM

Please don't bump repeatedly, she is a very busy person. I'll assist until she gets back to you.

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the LOGFPK.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log2.txt - post its contents in your next reply.

#13 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 17 July 2004 - 09:01 AM

Quote (Daemon, Jul 16 2004, 12:15 PM): Please don't bump repeatedly, she is a very busy person. I'll assist until she gets back to you.

Edited by hcstraub, 12 October 2005 - 10:12 PM.


#14 Daemon
    Security Expert
  • Emeritus
  • 3,350 posts

Posted 17 July 2004 - 01:30 PM

Well done :D Nearly there, open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done. Rescan with HJT and post a new log in your next reply.

#15 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 17 July 2004 - 02:49 PM

Thank you, everything seemed to go well. I do have one other issue: during my attempt to clean my computer, I deleted "Backweb". Now I get an error when I boot up, "Invalid Backweb App ID 1940576". Is Backweb bad? Can I fix this?


Here is the new HJT log:


[REMOVED AT USER'S REQUEST] Swandog46

Edited by Swandog46, 12 October 2005 - 09:42 PM.


#16 Daemon
    Security Expert
  • Emeritus
  • 3,350 posts

Posted 17 July 2004 - 05:07 PM

You don't need backweb. With only HJT running have it fix:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {9F9D2D68-4980-4763-B769-510A30F2C7BC} (SvrWrapperCtl Control) - https://targetreward...rWrapperCtl.cab


Reboot when done - let me know how it's running now.

#17 hcstraub
    Member
  • Full Member
  • 23 posts

Posted 18 July 2004 - 08:50 AM

That all seemed to work great, thank you very much. I am free and clear of About:Blank for 24 hours now! :thumbsup:

I really appreciate the help!

Harry

#18 Daemon
    Security Expert
  • Emeritus
  • 3,350 posts

Posted 18 July 2004 - 09:57 AM

You're welcome - glad to help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.