hermantoro

Infected with about:blank

8 posts in this topic

Thanks for reading this post. I am infected with about:blank. I tried to follow instructions given to others but it did not work. Can someone please look at my findnfix.exe log.bat file and give me instructions on how to remove the spyware. Thanks in advance!

 

 

Microsoft Windows 2000 [Version 5.00.2195]

»»»IE build and last SP(s)

5.50.4807.2300 SP2

The type of the file system is FAT32.

C: is not dirty.

 

Sat 07/10/2004

7:39pm up 0 days, 10:21

 

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(*5*)»»»»»

**File C:\WINNT\SYSTEM32\DLLXXX.TXT

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group NIELSEN-67FC94D\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

User is a member of group \LOCAL.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Notepad check....

 

C:\WINNT\

notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

 

C:\WINNT\SYSTEM32\

notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

 

C:\WINNT\SYSTEM32\DLLCACHE\

notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 50,960 bytes 49.77 K

--a-- W32i APP ENU 5.0.2140.1 shp 50,960 07-26-2000 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows ® 2000 Operating System

ProductVersion 5.00.2140.1

FileVersion 5.00.2140.1

LegalCopyright Copyright © Microsoft Corp. 1981-1999

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050000:085c0001 (5.0:2140.1)

ProdVer: 00050000:085c0001 (5.0:2140.1)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

 

»»»»»»Backups created...»»»»»»

7:41pm up 0 days, 10:23

Sat 07/10/2004

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-10-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 268 07-10-2004 winkey.reg

 

C:\FINDNFIX\

JUNKXXX Sat Jul 10 2004 7:39:44p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: ?

00001190: O N H x S I

000011D0: vk , DeviceNotSelectedTimeout 1 5

00001210:p vk ' , GDIProcessHandleQuota , vk

00001250: h , Spooler y e s 0 , vk ,

00001290:swapdisk vk 0 TransmissionRetryTimeout 9 0

000012D0: vk ' , USERProcessHandleQuota,

00001310:yOperation: '%c' APerformArithmeticOperation: '%c' % u

00001350: % 0 1 C % 0 8 X / Y \ X C O P Y . E X E C O

00001390:P Y C M D gt Jwt J. * " c m d S o f t w a

000013D0:r e \ C l a s s e s D JT J% s \ S h e l l \ O p e n \

00001410:C o m m a n d * * * n o o p e n c o m m a n d d e f i

00001450:n e d * * * \ S h e l l \ O p e n \ C o m m a n d NtQueryI

00001490:nformationProcess N T D L L . D L L / - Y % 9 d % c

000014D0:% s : \ ^C SetConsoleInputExeNameW IsDebuggerPresent

00001510:CopyFileExW K E R N E L 3 2 . D L L A u t o R u n P a t h

00001550:C o m p l e t i o n C h a r C o m p l e t i o n C h a r

00001590:D e f a u l t C o l o r D e l a y e d E x p a n s i o n

000015D0:E n a b l e E x t e n s i o n s D i s a b l e

 

---------- WIN.TXT

--------------

--------------

\XCOPY.EXE

Software\Classes

%s\Shell\Open\Command

*** no open command defined ***

\Shell\Open\Command

NTDLL.DLL

WKERNEL32.DLL

PathCompletionChar

CompletionChar

DefaultColor

DelayedExpansion

EnableExtensions

DisableUNCCheck

Software\Microsoft\Command Processor

%d.%02d.%04d

Ungetting: '%s'

0123456789

/D /c"

DisableCMD

Software\Policies\Microsoft\Windows\System

Application

Args: `%s'

Cmd: %s Type: %x

*** Unknown type: %x

%s (%s) %s

GeToken: (%x) '%s'

<noalias>

????????.???

BELOWNORMAL

ABOVENORMAL

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value entry was NOT found!

I am infected with about:blank. I tried to follow instructions given to others but it did not work.

 

Microsoft Windows 2000 [Version 5.00.2195]

What did you try, exactly? :scratchhead:

Your log has no indication. But you filtered* it for some reason.

 

Post hijackthis log,

and the contents of the header above your windows version as quoted in C:\FINDnFIX\log.txt.

 

In a quick aftermath thought, that won't be necessary.

I can't and won't help version(s) such as yours:

Microsoft Windows 2000 [Version 5.00.2195]

»»»IE build and last SP(s)

5.50.4807.2300 SP2 :whistle:

SP2 for 2K is no longer supported along with IE5 that has been discontinued over 5 yrs or so...

 

Delete the entire C:\FINDnFIX\ folder(s), Go to Windows updates (link(s) below,

Scan and apply all security updates on offer, including but not limited to IE6/SP1

And SP4 for Win2K.

 

When you have done that, post hijackthis log, only!

Edited by freeatlast


I have tried to fix the problem unsuccessfully by deleting files taskmgn.exe and telnetxp.exe. Sorry for filtering the findnfix log.bat file, I thought it was not necessary. Here is the unfiltered file

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»

Due to errors on various message boards I made some changes.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

If you make a mistake or use the wrong guidance, it is completely

your responsibility and the helper that assists you.

If you are not sure about the nature of the file or how

to proceed, I suggest you research it first before attempting

to remove any *unknown file on your own.

*For Helpers and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 


Here is the hijackthis.log

 

Logfile of HijackThis v1.98.0

Scan saved at 8:07:12 PM, on 7/10/2004

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

C:\Program Files\Cisco systems\VPN Client\cvpnd.exe

C:\Program Files\1598_Fiberlink\Fgrd.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\Network Associates\VirusScan\Webscanx.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4mon.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\system32\RunDll32.exe

C:\WINNT\system32\ltmsg.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

C:\Program Files\Cisco systems\VPN Client\vpngui.exe

C:\Program Files\Cisco systems\VPN Client\ipseclog.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\taskmgn.exe

C:\Documents and Settings\ToroHA\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.nielsenmedia.com:80

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5E8CBDDC-9653-4DFC-8982-62FF3ED6A700} - C:\WINNT\system32\mfplay.dll

O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\system32\winnet.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9

O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [image] rundll32 C:\WINNT\image.dll,Install

O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINNT\image.dll,Install

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\vpngui.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: paldpack - http://tag/PAWeb/paldpack/paldpack.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://66.230.167.185/z/aw/chm/cool.chm::/cool.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1990b1125eb627...ip/RdxIE601.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdc...ad/IbmEgath.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55

O17 - HKLM\System\CCS\Services\Tcpip\..\{66F44A34-34D7-49EC-AE43-EBC569A76546}: Domain = nieslenmedia.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B86761B5-066B-4CCD-890F-9F65DDF69504}: NameServer = 10.9.42.31,10.9.42.130

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org

O17 - HKLM\System\CS1\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org

O17 - HKLM\System\CS2\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org

O18 - Filter: text/html - {B502DB0E-5148-4862-8527-48EDDAEEBE86} - C:\WINNT\system32\mfplay.dll

O18 - Filter: text/plain - {B502DB0E-5148-4862-8527-48EDDAEEBE86} - C:\WINNT\system32\mfplay.dll


First, can you locate these files as that is the latest variant:

 

WINNT\system32\"mfplay.dll"< And "winnet.dll" <

Zip them up and Submit

by clicking on the "Submit" tab in my signature.

 

 

Restart your computer in safe mode, first--find and delete:

In: -System32\-mfplay.dll-winnet.dll files

In WINNT\image.dll file.

 

Re-run hijackthis and fix checked:

*All R1/R0 lines, containing (HomeOldSP) (mfplay.dll)

*O2 - BHO: that contain (mfplay.dll, winnet.dll)

*O4 - HKLM\..\Run: [image] rundll32 C:\WINNT\image.dll,Install

*O4 - HKCU\..\RunServices: [image] rundll32 C:\WINNT\image.dll,Install

*O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe

*O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://66.230.167.185/z/aw/chm/cool.chm::/cool.exe

*O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

*O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1990b1125eb627...ip/RdxIE601.cab

 

When done, repeat these steps, before posting any other log(s)

 

(hermantoro Posted on Jul 10 2004 @ 08:53 PM)

 

Microsoft Windows 2000 [Version 5.00.2195]

»»»IE build and last SP(s)

5.50.4807.2300 SP2 

 

.....................................

 

Delete the entire C:\FINDnFIX\ folder(s),

Go to Windows updates (link(s) below,

Scan and apply all security updates on offer, including but not limited to

IE6/SP1

And SP4 for Win2K.

 

When you have done that, post hijackthis log, only!

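The helper's list above picks out by hand the entries that make up this hijack: search pages served from a DLL via res://, a BHO with no name, a text/html MIME filter, ms-its: ActiveX loaders and a rundll32 autorun. The script below is an added example, not part of the thread and not HijackThis code; it applies those same checks to a HijackThis log and correlates flagged entries by the module they load. The sample log lines are constructed from the entry shapes shown in the thread, with the download host replaced by the reserved name example.invalid.

```python
"""Triage a HijackThis v1.98-style log for the about:blank hijack pattern.

Added example, not part of the thread and not HijackThis code. It applies
the indicators the helper fixed by hand and then correlates flagged entries
by the module they load: a DLL that is at once the search page (res://),
an unnamed BHO and a text/html MIME filter is the hijacker's core component
rather than a coincidence.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample log, not a real capture. Entry shapes follow the thread;
# the ActiveX download host is replaced by the reserved name example.invalid.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5E8CBDDC-9653-4DFC-8982-62FF3ED6A700} - C:\WINNT\system32\mfplay.dll
O4 - HKLM\..\Run: [image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://example.invalid/main.chm::/load.exe
O18 - Filter: text/html - {B502DB0E-5148-4862-8527-48EDDAEEBE86} - C:\WINNT\system32\mfplay.dll
"""


class Finding(NamedTuple):
    kind: str    # HijackThis entry type: R0/R1, O2, O4, O16, O18
    reason: str  # which indicator matched
    module: str  # lower-cased module path named on the line, "" if none
    line: str    # the original log line


_ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A drive-letter path ending in .dll/.ocx/.exe; commas and quotes end it, so
# "rundll32 C:\WINNT\image.dll,Install" yields just the DLL.
_MODULE = re.compile(r"([A-Za-z]:\\[^\s\"',]*?\.(?:dll|ocx|exe))", re.IGNORECASE)
# rundll32 loading a DLL that sits directly in the Windows directory root.
_RUNDLL_WINROOT = re.compile(r"rundll32\s+[a-z]:\\(?:winnt|windows)\\[^\\\s,]+\.dll")


def module_of(text: str) -> str:
    """Return the first module path on the line, lower-cased, or ""."""
    m = _MODULE.search(text)
    return m.group(1).lower() if m else ""


def classify(kind: str, body: str) -> str:
    """Return the matching indicator for one entry, or "" if it looks benign."""
    low = body.lower()
    if kind in ("R0", "R1"):
        if "res://" in low and ".dll/" in low:
            return "search/start page served out of a DLL resource (res://)"
        if "about:blank" in low:
            return "about:blank recorded as the home/search page"
    elif kind == "O2" and "(no name)" in low:
        return "browser helper object with no name"
    elif kind == "O4" and _RUNDLL_WINROOT.search(low):
        return "rundll32 autorun loading a DLL from the Windows directory root"
    elif kind == "O16" and ("ms-its:" in low or "file://" in low):
        return "ActiveX download via ms-its:/file:// (local CHM or EXE)"
    elif kind == "O18" and ("text/html" in low or "text/plain" in low):
        return "MIME filter on text/html or text/plain (sees every page)"
    return ""


def triage(log_text: str) -> List[Finding]:
    """Flag every entry in the log that matches an indicator, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes:" paths, blanks
        kind, body = m.groups()
        reason = classify(kind, body)
        if reason:
            # O16 bodies are URLs, not local modules; keep them out of correlation.
            module = "" if kind == "O16" else module_of(body)
            findings.append(Finding(kind, reason, module, raw.strip()))
    return findings


def correlate(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Map each flagged module to the set of entry kinds that reference it."""
    by_module: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        if f.module:
            by_module[f.module].add(f.kind)
    return dict(by_module)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
    print("\nmodules by number of hook types:")
    for mod, kinds in sorted(correlate(found).items(), key=lambda kv: -len(kv[1])):
        print(f"  {len(kinds)}  {mod}  <- {', '.join(sorted(kinds))}")
```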

I completed all of the steps you requested. The one file I could not find and delete was WINNT\image.dll. At startup I still get an error message saying that WINNT\image.dll module can't be found. Here is my latest hijackthis log. Can you do me a favor and delete this post after we complete cleaning my computer. Thank you very much!

 

 

Logfile of HijackThis v1.98.0

Scan saved at 10:08:23 PM, on 7/10/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\VirusScan\avsynmgr.exe

C:\Program Files\Cisco systems\VPN Client\cvpnd.exe

C:\Program Files\1598_Fiberlink\Fgrd.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\Network Associates\VirusScan\Webscanx.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4mon.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\system32\RunDll32.exe

C:\WINNT\system32\ltmsg.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\ToroHA\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spywareinfo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.nielsenmedia.com:80

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9

O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\vpngui.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: paldpack - http://tag/PAWeb/paldpack/paldpack.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdc...ad/IbmEgath.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55

O17 - HKLM\System\CCS\Services\Tcpip\..\{66F44A34-34D7-49EC-AE43-EBC569A76546}: Domain = nieslenmedia.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{B86761B5-066B-4CCD-890F-9F65DDF69504}: NameServer = 10.9.42.31,10.9.42.130

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org

O17 - HKLM\System\CS1\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org

O17 - HKLM\System\CS2\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org


W0w! You did great!

 

As for the error message, it must be the

startup left behind after the file is gone.

 

First run any and all removal tools such as

 

CWShredder.exe and fully updated Ad-Aware!

 

If you still have the error message, that means one of those is left behind:

 

*O4 - HKLM\..\Run: [image] rundll32 C:\WINNT\image.dll,Install

*O4 - HKCU\..\RunServices: [image] rundll32 C:\WINNT\image.dll,Install

 

They are not on your log anymore, but hijackthis doesn't

always show everything.. :scratchhead:

 

As you can probably guess, these

entries are the ones that start with your computer. :D

You will need to locate them in the registry from:

Start/run/regedit

 

Expand this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

And any subfolder under it starting with "run..."

And inspect the values on the right pane.

If ref is found to "image.dll", RightClick and delete it!

 

Repeat the same procedure in this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

Alternatively you can always use the registry

search function for "image.dll" and try to find the culprit.

 

Post back details...

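The registry search the post describes can also be done offline against a Registry Editor export of those keys, which is handier when several machines or several users' HKCU hives are involved. The following is an added example, not the helper's tool or anything from the thread: it parses a REGEDIT4 export (the format FindnFix's winkey.reg above uses) and lists every value under a CurrentVersion\Run* key whose data mentions a given module. The export text is constructed for illustration.

```python
"""Find autostart values that reference a module in a REGEDIT4 export.

Added example, not part of the thread. Assumes a REGEDIT4-format export
(as written by regedit's "Export Registry File" on Windows 2000) of the
...\CurrentVersion\Run key and its Run* siblings; the export below is
constructed for illustration, not taken from a real machine.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe"
"image"="rundll32 C:\\WINNT\\image.dll,Install"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Expanded"=hex(2):43,00,3a,00,5c,00,\
  57,00,49,00,4e,00,4e,00,54,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"image"="rundll32 C:\\WINNT\\image.dll,Install"
"Flag"=dword:00000001
'''

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo REGEDIT4 string escaping: a doubled backslash becomes one, and a
    backslash before a double quote is dropped."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for a REGEDIT4 export.

    REG_SZ data is unquoted and unescaped; dword:/hex: data is kept as the
    literal text after '='. Empty keys are kept so the caller can see they
    were exported at all.
    """
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""  # accumulates hex(...) data split over lines ending in "\"
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.endswith("\\"):  # continuation: only binary data does this
            pending = line[:-1]
            continue
        km = _KEY.match(line)
        if km:
            current = km.group(1)
            tree.setdefault(current, {})
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            name, data = vm.groups()
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            tree[current][name] = data
    return tree


def is_autostart_key(key: str) -> bool:
    """True for ...\CurrentVersion\Run and siblings whose name starts with Run."""
    parts = key.split("\\")
    return (len(parts) >= 2 and parts[-2].lower() == "currentversion"
            and parts[-1].lower().startswith("run"))


def find_references(tree: Dict[str, Dict[str, str]], needle: str) -> List[Tuple[str, str, str]]:
    """List (key, value name, data) for autostart values whose data mentions needle."""
    needle = needle.lower()
    hits = []
    for key, values in tree.items():
        if not is_autostart_key(key):
            continue
        for name, data in values.items():
            if needle in data.lower():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_references(parse_reg_export(SAMPLE_EXPORT), "image.dll"):
        print(f"{key}\n    {name} = {data}")
```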