
Infected with about:blank


7 replies to this topic

#1 hermantoro

hermantoro

    Member

  • New Member
  • 4 posts

Posted 10 July 2004 - 08:53 PM

Thanks for reading this post. I am infected with about:blank. I tried to follow instructions given to others but it did not work. Can someone please look at my findnfix.exe log.bat file and give me instructions on how to remove the spyware. Thanks in advance!


Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
5.50.4807.2300 SP2
The type of the file system is FAT32.
C: is not dirty.

Sat 07/10/2004
7:39pm up 0 days, 10:21

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(*5*)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group NIELSEN-67FC94D\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINNT\
notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\
notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 07-26-2000 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000


»»»»»»Backups created...»»»»»»
7:41pm up 0 days, 10:23
Sat 07/10/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-10-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-10-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Sat Jul 10 2004 7:39:44p .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: ?
00001190: O N H x S I
000011D0: vk , DeviceNotSelectedTimeout 1 5
00001210:p vk ' , GDIProcessHandleQuota , vk
00001250: h , Spooler y e s 0 , vk ,
00001290:swapdisk vk 0 TransmissionRetryTimeout 9 0
000012D0: vk ' , USERProcessHandleQuota,
00001310:yOperation: '%c' APerformArithmeticOperation: '%c' % u
00001350: % 0 1 C % 0 8 X / Y \ X C O P Y . E X E C O
00001390:P Y C M D gt Jwt J. * " c m d S o f t w a
000013D0:r e \ C l a s s e s D JT J% s \ S h e l l \ O p e n \
00001410:C o m m a n d * * * n o o p e n c o m m a n d d e f i
00001450:n e d * * * \ S h e l l \ O p e n \ C o m m a n d NtQueryI
00001490:nformationProcess N T D L L . D L L / - Y % 9 d % c
000014D0:% s : \ ^C SetConsoleInputExeNameW IsDebuggerPresent
00001510:CopyFileExW K E R N E L 3 2 . D L L A u t o R u n P a t h
00001550:C o m p l e t i o n C h a r C o m p l e t i o n C h a r
00001590:D e f a u l t C o l o r D e l a y e d E x p a n s i o n
000015D0:E n a b l e E x t e n s i o n s D i s a b l e

---------- WIN.TXT
--------------
--------------
\XCOPY.EXE
Software\Classes
%s\Shell\Open\Command
*** no open command defined ***
\Shell\Open\Command
NTDLL.DLL
WKERNEL32.DLL
PathCompletionChar
CompletionChar
DefaultColor
DelayedExpansion
EnableExtensions
DisableUNCCheck
Software\Microsoft\Command Processor
%d.%02d.%04d
Ungetting: '%s'
0123456789
/D /c"
DisableCMD
Software\Policies\Microsoft\Windows\System
Application
Args: `%s'
Cmd: %s Type: %x
*** Unknown type: %x
%s (%s) %s
GeToken: (%x) '%s'
<noalias>
????????.???
BELOWNORMAL
ABOVENORMAL
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!


#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 10 July 2004 - 09:03 PM

I am infected with about:blank. I tried to follow instructions given to others but it did not work.

Microsoft Windows 2000 [Version 5.00.2195]

What did you try, exactly? :scratchhead:
Your log has no indication. But you filtered* it for some reason.

Post hijackthis log,
and the contents of the header above your windows version as quoted in C:\FINDnFIX\log.txt.

In a quick aftermath thought, that won't be necessary.
I can't and won't help version(s) such as yours:

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
5.50.4807.2300 SP2 :whistle:

SP2 for 2K is no longer supported along with IE5 that has been discontinued over 5 yrs or so...

Delete the entire C:\FINDnFIX\ folder(s), Go to Windows updates (link(s) below,
Scan and apply all security updates on offer, including but not limited to IE6/SP1
And SP4 for Win2K.

When you have done that, post hijackthis log, only!

Edited by freeatlast, 10 July 2004 - 09:09 PM.


#3 hermantoro

hermantoro

    Member

  • New Member
  • 4 posts

Posted 10 July 2004 - 09:11 PM

I have tried to fix the problem unsuccessfully by deleting files taskmgn.exe and telnetxp.exe. Sorry for filtering the findnfix log.bat file, I thought it was not necessary. Here is the unfiltered file


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
Due to errors on various message boards I made some changes.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
If you make a mistake or use the wrong guidance, it is completely
your responsibility and the helper that assists you.
If you are not sure about the nature of the file or how
to proceed, I suggest you research it first before attempting
to remove any *unknown file on your own.
*For Helpers and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
5.50.4807.2300 SP2
The type of the file system is FAT32.
C: is not dirty.

Sat 07/10/2004
7:39pm up 0 days, 10:21

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(*5*)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group NIELSEN-67FC94D\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINNT\
notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\
notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Wed Jul 26 2000 12:00:00p A.... 50,960 49.77 K

1 item found: 1 file, 0 directories.
Total of file sizes: 50,960 bytes 49.77 K
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 07-26-2000 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000


»»»»»»Backups created...»»»»»»
7:41pm up 0 days, 10:23
Sat 07/10/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-10-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-10-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Sat Jul 10 2004 7:39:44p .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: ?
00001190: O N H x S I
000011D0: vk , DeviceNotSelectedTimeout 1 5
00001210:p vk ' , GDIProcessHandleQuota , vk
00001250: h , Spooler y e s 0 , vk ,
00001290:swapdisk vk 0 TransmissionRetryTimeout 9 0
000012D0: vk ' , USERProcessHandleQuota,
00001310:yOperation: '%c' APerformArithmeticOperation: '%c' % u
00001350: % 0 1 C % 0 8 X / Y \ X C O P Y . E X E C O
00001390:P Y C M D gt Jwt J. * " c m d S o f t w a
000013D0:r e \ C l a s s e s D JT J% s \ S h e l l \ O p e n \
00001410:C o m m a n d * * * n o o p e n c o m m a n d d e f i
00001450:n e d * * * \ S h e l l \ O p e n \ C o m m a n d NtQueryI
00001490:nformationProcess N T D L L . D L L / - Y % 9 d % c
000014D0:% s : \ ^C SetConsoleInputExeNameW IsDebuggerPresent
00001510:CopyFileExW K E R N E L 3 2 . D L L A u t o R u n P a t h
00001550:C o m p l e t i o n C h a r C o m p l e t i o n C h a r
00001590:D e f a u l t C o l o r D e l a y e d E x p a n s i o n
000015D0:E n a b l e E x t e n s i o n s D i s a b l e

---------- WIN.TXT
--------------
--------------
\XCOPY.EXE
Software\Classes
%s\Shell\Open\Command
*** no open command defined ***
\Shell\Open\Command
NTDLL.DLL
WKERNEL32.DLL
PathCompletionChar
CompletionChar
DefaultColor
DelayedExpansion
EnableExtensions
DisableUNCCheck
Software\Microsoft\Command Processor
%d.%02d.%04d
Ungetting: '%s'
0123456789
/D /c"
DisableCMD
Software\Policies\Microsoft\Windows\System
Application
Args: `%s'
Cmd: %s Type: %x
*** Unknown type: %x
%s (%s) %s
GeToken: (%x) '%s'
<noalias>
????????.???
BELOWNORMAL
ABOVENORMAL
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!


#4 hermantoro

hermantoro

    Member

  • New Member
  • 4 posts

Posted 10 July 2004 - 09:13 PM

Here is the hijackthis.log

Logfile of HijackThis v1.98.0
Scan saved at 8:07:12 PM, on 7/10/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\1598_Fiberlink\Fgrd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\Cisco systems\VPN Client\vpngui.exe
C:\Program Files\Cisco systems\VPN Client\ipseclog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\taskmgn.exe
C:\Documents and Settings\ToroHA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.nielsenmedia.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5E8CBDDC-9653-4DFC-8982-62FF3ED6A700} - C:\WINNT\system32\mfplay.dll
O2 - BHO: (no name) - {85CBFDE0-B26B-4EE5-BD3C-4DE111DE763E} - C:\WINNT\system32\winnet.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\vpngui.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: paldpack - http://tag/PAWeb/paldpack/paldpack.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.....chm::/load.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://66.230.167.18....chm::/cool.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...ad/IbmEgath.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F44A34-34D7-49EC-AE43-EBC569A76546}: Domain = nieslenmedia.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B86761B5-066B-4CCD-890F-9F65DDF69504}: NameServer = 10.9.42.31,10.9.42.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org
O18 - Filter: text/html - {B502DB0E-5148-4862-8527-48EDDAEEBE86} - C:\WINNT\system32\mfplay.dll
O18 - Filter: text/plain - {B502DB0E-5148-4862-8527-48EDDAEEBE86} - C:\WINNT\system32\mfplay.dll

#5 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 10 July 2004 - 09:32 PM

First, can you locate these files as that is the latest variant:

WINNT\system32\"mfplay.dll"< And "winnet.dll" <
Zip them up and Submit
by clicking on the "Submit" tab in my signature.


Restart your computer in safe mode, first--find and delete:
In: -System32\-mfplay.dll-winnet.dll files
In WINNT\image.dll file.

Re-run hijackthis and fix checked:

*All R1/R0 lines, containing (HomeOldSP) (mfplay.dll)
*O2 - BHO: that contain (mfplay.dll, winnet.dll)
*O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
*O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
*O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.....chm::/load.exe
*O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://66.230.167.18....chm::/cool.exe
*O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
*O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


When done, repeat these steps, before posting any other log(s)

(hermantoro Posted on Jul 10 2004 @ 08:53 PM)

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
5.50.4807.2300 SP2 

.....................................

Delete the entire C:\FINDnFIX\ folder(s),
Go to Windows updates (link(s) below,
Scan and apply all security updates on offer, including but not limited to
IE6/SP1
And SP4 for Win2K.

When you have done that, post hijackthis log, only!


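A reader-side way to make the fix list above repeatable: rather than eyeballing the HijackThis log for the entries freeatlast names (R0/R1 lines with HomeOldSP or mfplay.dll, the nameless O2 BHOs, the O4 image.dll startups, the ms-its:/file:// O16 entries, the O18 filters), parse the log and flag them by rule. This is an added example, not HijackThis's own logic or anything posted in this thread; the indicator file names come from the thread, the flagging rules are my own heuristics, and the sample log is a constructed excerpt of the log posted in #4 with a few benign lines kept in for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis v1.98.0 log posted
# in this thread (the about:blank / mfplay.dll variant), plus a few benign lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5E8CBDDC-9653-4DFC-8982-62FF3ED6A700} - C:\WINNT\system32\mfplay.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.....chm::/load.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {B502DB0E-5148-4862-8527-48EDDAEEBE86} - C:\WINNT\system32\mfplay.dll
"""

# File names the helper in this thread identified as the hijacker's components.
INDICATOR_FILES = ("mfplay.dll", "winnet.dll", "image.dll")

# "R1 - <body>", "O16 - <body>", ...: one HijackThis entry per line.
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    entry_type: str
    body: str


@dataclass
class Finding:
    entry_type: str
    reasons: list
    line: str


def parse_entries(log_text):
    """Return the HijackThis entries in a log; header and process-list lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("type"), m.group("body")))
    return entries


def assess(entry, indicator_files=INDICATOR_FILES):
    """Heuristic rules (my own, not HijackThis's) for one entry; returns the reasons it was flagged."""
    body = entry.body.lower()
    # Any entry that references a known hijacker component is flagged regardless of type.
    reasons = [f"references {name}" for name in indicator_files if name in body]
    if entry.entry_type in ("R0", "R1"):
        if "(obfuscated)" in body:
            reasons.append("search/start page points at an obfuscated res:// DLL page")
        if "homeoldsp" in body:
            reasons.append("HomeOldSP value (hijacker's copy of the old start page)")
    elif entry.entry_type == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    elif entry.entry_type == "O16" and ("ms-its:" in body or "file://" in body):
        reasons.append("Downloaded Program File loaded via ms-its:/file:// rather than a vendor cab URL")
    elif entry.entry_type == "O18" and ("text/html" in body or "text/plain" in body):
        reasons.append("MIME filter hooked into text/html or text/plain rendering")
    return reasons


def triage(log_text, indicator_files=INDICATOR_FILES):
    """Flag the entries a helper would tell the user to fix, in log order."""
    findings = []
    for entry in parse_entries(log_text):
        reasons = assess(entry, indicator_files)
        if reasons:
            findings.append(Finding(entry.entry_type, reasons, f"{entry.entry_type} - {entry.body}"))
    return findings


def report(findings):
    """Plain-text report: the flagged line followed by one indented reason per line."""
    lines = []
    for f in findings:
        lines.append(f.line)
        lines.extend(f"    -> {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the excerpt it flags seven of the ten entries and leaves the Adobe BHO, the TrackPoint startup and the MSN Chat cab alone; the same O4 check on `image.dll` is what post #8 later asks the user to repeat by hand in the Run keys, since a startup value can survive in the registry after HijackThis stops listing it.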

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 10 July 2004 - 10:36 PM

Whooops, both O18 - Filter lines should be fixed as well.

#7 hermantoro

hermantoro

    Member

  • New Member
  • 4 posts

Posted 10 July 2004 - 11:13 PM

I completed all of the steps you requested. The one file I could not find and delete was WINNT\image.dll. At startup I still get an error message saying that WINNT\image.dll module can't be found. Here is my latest hijackthis log. Can you do me a favor and delete this post after we complete cleaning my computer. Thank you very much!


Logfile of HijackThis v1.98.0
Scan saved at 10:08:23 PM, on 7/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\1598_Fiberlink\Fgrd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ToroHA\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spywareinfo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.nielsenmedia.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: paldpack - http://tag/PAWeb/paldpack/paldpack.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.co...ad/IbmEgath.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F44A34-34D7-49EC-AE43-EBC569A76546}: Domain = nieslenmedia.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B86761B5-066B-4CCD-890F-9F65DDF69504}: NameServer = 10.9.42.31,10.9.42.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B356E24-8556-4B0B-8D32-3601411C5213}: NameServer = 206.141.192.60,206.141.193.55
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nielsenmedia.com,nmrlan.net,vnuusa.org,securityroot.net,enterprisenet.org

#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 11 July 2004 - 01:20 AM

W0w! You did great!

As for the error message, it must be the
startup left behind after the file is gone.

First run any and all removal tools such as

CWShredder.exe and fully updated Ad-Aware!

If you still have the error message, that means one of those is left behind:

*O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
*O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install

They are not on your log anymore, but hijackthis doesn't
always show everything.. :scratchhead:

As you can probably guess, these
entries are the ones that start with your computer. :D
You will need to locate them in the registry from:
Start/run/regedit

Expand this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
And any subfolder under it starting with "run..."
And inspect the values on the right pane.
If ref is found to "image.dll", RightClick and delete it!

Repeat the same procedure in this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Alternatively you can always use the registry
search function for "image.dll" and try to find the culprit.

Post back details...
