About:Buster Temporarily Worked, Popups remain


11 replies to this topic

#1 GroundControl

    Member

  • Full Member
  • 5 posts

Posted 17 July 2004 - 04:35 AM

I've always depended on the kindness of strangers..

I've visited the FAQ page.

I've run updated versions of Ad-Aware (log file included) and Spy-Bot, where no immediate threats were found.

I've run HijackThis. Log file included.

I also ran About:Buster in safe mode and had my homepage back for the next time I opened IE, but About:Blank returned the second time I opened IE and continues to return. (About:Buster log file included)

Popups still come up with the titles: "Welcome to the System Performance Wizard - Microsoft Internet Explorer", "Ad-ware, Spyware, Pop-ups - They Invade your privacy and harm your PC - Microsoft Internet Explorer", "Spyware Removal - Microsoft Internet Explorer", or "Warning - Microsoft Internet Explorer."

The same pop-ups also appear after I sign into AIM.


Well anywho, About:Blank is bigger than I thought. Hopefully through feedback and development we will be able to kill it off and prevent it from happening in the future.

Thanks to anyone who takes a look at this.

Here are the logs:

AD-AWARE LOG

Lavasoft Ad-aware Plus Build 6.181
Logfile created on :Saturday, July 17, 2004 2:56:21 AM
Using reference-file :01R331 08.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R331 08.07.2004
Internal build : 263
File location : C:\Program Files\Ad-aware 6\reflist.ref
Total size : 1300142 Bytes
Signature data size : 1279388 Bytes
Reference data size : 20690 Bytes
Signatures total : 28395
Target categories : 10
Target families : 519

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium II
Memory available:36 %
Total physical memory:261684 kb
Available physical memory:92864 kb
Total page file size:1027040 kb
Available on page file:792388 kb
Total virtual memory:2097024 kb
Available virtual memory:2049692 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically mark all objects in result list
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block Popups and banned sites
Set : Automatically pop up event log if event occours
Set : Show splash screen
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


7-17-2004 2:56:21 AM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-17-2004 7:10:29 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 7:10:31 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 7:10:33 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 7:10:33 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/23/2001 12:00:00 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 7:10:37 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 7:10:38 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/23/2001 12:00:00 PM

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 7:10:47 AM
BasePriority : Normal
FileSize : 296 KB
FileVersion : 7.4
ProductVersion : 7.4
Copyright : © 1993 - 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 10/14/2002 8:03:18 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 10/14/2002 8:03:18 PM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 7:10:47 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/23/2001 12:00:00 PM

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 7:10:47 AM
BasePriority : Normal
FileSize : 170 KB
FileVersion : 7.4
ProductVersion : 7.4
Copyright : © 1993 - 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 10/14/2002 8:00:41 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 10/14/2002 8:00:41 PM

#:10 [atievxx.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 7:10:51 AM
BasePriority : Normal
FileSize : 36 KB
FileVersion : 5.1.2482.0 (Lab01_N(ericks).010524-2202)
ProductVersion : 5.1.2482.0
CompanyName : Microsoft Corporation
FileDescription : ATI Hotkey polling utility
InternalName : atievxx.exe
OriginalFilename : atievxx.exe
ProductName : Microsoft
Created on : 5/6/2004 2:28:41 AM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/17/2001 10:36:38 PM

#:11 [defwatch.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
ThreadCreationTime : 7-17-2004 7:10:52 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
Copyright : Copyright
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
OriginalFilename : DefWatch.exe
ProductName : Norton AntiVirus
Created on : 7/30/2002 4:36:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 7/30/2002 4:36:00 PM

#:12 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ThreadCreationTime : 7-17-2004 7:10:53 AM
BasePriority : Normal
FileSize : 314 KB
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft
Created on : 6/20/2003 4:25:00 AM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 6/20/2003 4:25:00 AM

#:13 [rtvscan.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
ThreadCreationTime : 7-17-2004 7:10:54 AM
BasePriority : Normal
FileSize : 560 KB
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
Copyright : Copyright © Symantec Corporation 1991-2002
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
ProductName : Symantec AntiVirus
Created on : 7/30/2002 4:40:44 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 7/30/2002 4:40:44 PM

#:14 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 7:10:59 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/23/2001 12:00:00 PM

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-17-2004 7:11:04 AM
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:11:09 AM
Last modified : 8/23/2001 12:00:00 PM

#:16 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\
ThreadCreationTime : 7-17-2004 7:11:14 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
Copyright : Copyright © Symantec Corporation 1991-2002
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
ProductName : Symantec AntiVirus
Created on : 7/30/2002 4:35:04 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 7/30/2002 4:35:04 PM

#:17 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ThreadCreationTime : 7-17-2004 7:11:14 AM
BasePriority : Normal
FileSize : 280 KB
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
OriginalFilename : iTunesHelper.exe
ProductName : iTunes
Created on : 4/21/2004 4:28:18 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 4/21/2004 4:28:18 PM

#:18 [lxbbbmgr.exe]
FilePath : C:\Program Files\Lexmark X74-X75\
ThreadCreationTime : 7-17-2004 7:11:14 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 1.0.6.0
ProductVersion : 1.0.6.0
Copyright : © 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X74-X75 Button Manager
InternalName : lxbbbmgr.exe
OriginalFilename : lxbbbmgr.exe
ProductName : Button Manager Executable
Created on : 10/14/2002 8:09:12 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 10/14/2002 8:09:12 PM

#:19 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 7:11:15 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 8/23/2001 12:00:00 PM

#:20 [lxbbbmon.exe]
FilePath : C:\Program Files\Lexmark X74-X75\
ThreadCreationTime : 7-17-2004 7:11:25 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 1.0.6.0
ProductVersion : 1.0.6.0
Copyright : © 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X74-X75 Button Monitor
InternalName : lxbbbmon.exe
OriginalFilename : lxbbbmon.exe
ProductName : Button Monitor Executable
Created on : 10/14/2002 8:22:04 PM
Last accessed : 7/17/2004 7:10:27 AM
Last modified : 10/14/2002 8:22:04 PM

#:21 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ThreadCreationTime : 7-17-2004 7:11:39 AM
BasePriority : Normal
FileSize : 392 KB
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
OriginalFilename : iPodService.exe
ProductName : iTunes
Created on : 4/21/2004 4:28:04 PM
Last accessed : 7/17/2004 7:07:37 AM
Last modified : 4/21/2004 4:28:04 PM

#:22 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 7-17-2004 7:13:39 AM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 5/6/2004 7:40:07 AM
Last accessed : 7/17/2004 7:13:42 AM
Last modified : 8/23/2001 12:00:00 PM

#:23 [ad-aware.exe]
FilePath : C:\Program Files\Ad-aware 6\
ThreadCreationTime : 7-17-2004 7:52:09 AM
BasePriority : Normal
FileSize : 671 KB
FileVersion : 6.0.1.182
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6/30/2004 8:31:51 PM
Last accessed : 7/17/2004 7:52:09 AM
Last modified : 7/13/2003 3:01:14 AM

Memory scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData

Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html"


Deep registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 8
Objects found so far: 8


Deep scanning and examining files (A:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk scan result for A:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 8


Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk scan result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 8


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk scan result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 8


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk scan result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 8


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New objects :0
Objects found so far: 8




Performing conditional scans..
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 8


3:20:12 AM Scan complete

Summary of this scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time :00:23:49:696
Objects scanned :95450
Objects identified :8
Objects ignored :0
New objects :8


HIJACKTHIS LOG

Logfile of HijackThis v1.97.7
Scan saved at 1:22:33 AM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aut Phanthavong\My Documents\Download Installation Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38E38CFD-D89E-482E-B400-D7E4B360E4F4} - C:\WINDOWS\System32\gfbmm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB9AAC2-52F6-46D6-B968-3A24B00FABBE}: NameServer = 129.74.250.100 129.74.4.18


ABOUT:BUSTER LOG

-- Scan 1 --------
About:Buster Version 1.30
Attempted Clean Of Temp folder.
Pages Reset... Done!
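
The HijackThis log above is the one a helper reads first. As an added example (not HijackThis's own code, and not part of the original post), here is a small triage pass over a few lines copied from that log: it flags the R0/R1 start and search pages that point at about:blank or a local file in a Temp folder, and, as a heuristic of my own, a nameless BHO loaded from System32 rather than a product folder (Acrobat's nameless helper is left alone).

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above
# (R0/R1 browser settings, O2 browser helper objects); not the full log.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AUTPHA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {38E38CFD-D89E-482E-B400-D7E4B360E4F4} - C:\WINDOWS\System32\gfbmm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# "R1 - HKCU\...\Main,Search Page = file://..."  ->  item, hive, key, value, data
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$")
# "O2 - BHO: (no name) - {CLSID} - C:\path\file.dll"  ->  name, clsid, path
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def check_r_entry(value_name, data):
    """Return a reason string if an IE start/search setting looks hijacked, else None."""
    d = data.strip().lower()
    if d == "about:blank":
        return "page set to about:blank (the symptom this thread is about)"
    if d.startswith("file://") and ("\\temp\\" in d or "/temp/" in d):
        # IE has no business running its search through an HTML file in a Temp folder.
        return "search page redirected to a local file in a Temp folder"
    return None


def check_bho(name, path):
    """Heuristic (my own, not a HijackThis rule): a BHO with no name is common,
    Acrobat's helper above is one, but a nameless BHO loaded from System32
    instead of its product folder is the kind a helper asks about first."""
    p = path.strip().lower()
    if name.strip() == "(no name)" and "\\windows\\system32\\" in p:
        return "nameless BHO loaded from System32"
    return None


def triage_hjt_log(text):
    """Walk a HijackThis log and return (item, location, reason) tuples."""
    findings = []
    for line in text.splitlines():
        m = R_LINE.match(line)
        if m:
            item, hive, key, value, data = m.groups()
            reason = check_r_entry(value, data)
            if reason:
                findings.append((item, f"{hive}\\{key},{value}", reason))
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            reason = check_bho(name, path)
            if reason:
                findings.append(("O2", f"{clsid} {path}", reason))
    return findings


if __name__ == "__main__":
    for item, where, why in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{item}: {why}\n    {where}")
```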

#2 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 17 July 2004 - 05:20 AM

To anyone other than the originator of this topic: do not copy this thread and try to fix your system or anyone else's by following it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

#3 GroundControl

    Member

  • Full Member
  • 5 posts

Posted 17 July 2004 - 01:05 PM

Thank you Daemon for responding.

Here are the contents of the FINDnFix.exe logfile:


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

Sat 17 Jul 04 12:50:29
12:50am up 0 days, 0:23

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Unless the file match the entire criteria, it should not be pointed to remove!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*modified 7/16)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗╗*╗╗╗*Boards that are not personally authorised by me are not allowed to use this fix!╗╗╗*╗╗╗*

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\RESBA.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESBA.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
RESBA.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
resba.dll Fri Jun 25 2004 9:40:50p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\RESBA.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... RESBA.DLL .....57344 25.06.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\RESBA.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINDOWS\SYSTEM32\
resba.dll Fri Jun 25 2004 9:40:50p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\RESBA.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group BPHANTHA\None.
User is a member of group \Everyone.
User is a member of group BPHANTHA\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
12:52am up 0 days, 0:25
Sat 17 Jul 04 12:52:52

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-17-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-17-2004 winkey.reg
*Temp backups...
A----- KEYBACK2.HIV 00002000 12:50.22 17/07/2004
A----- WINKEY2 .REG 0000011F 12:50.24 17/07/2004

C:\FINDNFIX\
JUNKXXX Sat Jul 17 2004 12:50:20p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: ?
00001190: vk < f AppInit_
000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ r e s b a .
00001210:d l l vk P UDeviceNotSelectedTimeout
00001250: 1 5 ( W 9 0 ! vk ' zGDIProce
00001290:ssHandleQuota" vk Spooler2 y e s
000012D0: p vk =pswapdisk vk
00001310: ` R TransmissionRetryTimeout p
00001350: X vk ' , USERProcessHandleQuota, x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠG└   C
--------------
--------------
$011C8: AppInit_DLLs
$01237: UDeviceNotSelectedTimeout
$01287: zGDIProcessHandleQuota
$01320: TransmissionRetryTimeout
$01370: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\resba.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\resba.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 72 00 65 00 73 00 62 00 | m.3.2.\.r.e.s.b.
0030 61 00 2e 00 64 00 6c 00 6c 00 00 00 | a...d.l.l...
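
The last part of that log is the important one: the REGEDIT4 export shows `"AppInit_DLLs"=""`, yet the raw value bytes decode to a DLL path. As an added example (not FINDnFIX's own code), the following rebuilds the bytes from the hex dump exactly as printed above, decodes them as REG_SZ the way a Win32 string API would read them, and reports the disagreement with the export; the `embedded_nul` and `hidden_from_export` checks are my own way of reading the evidence, not something FINDnFIX reports.

```python
# Constructed sample: the AppInit_DLLs byte dump as FINDnFIX printed it in the
# log above (offset, up to 16 hex bytes, ASCII column after "|").
APPINIT_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 72 00 65 00 73 00 62 00 | m.3.2.\.r.e.s.b.
0030 61 00 2e 00 64 00 6c 00 6c 00 00 00 | a...d.l.l...
"""

# What the REGEDIT4 export in the same log reported for the value.
EXPORTED_VALUE = ""


def parse_hex_dump(text):
    """Rebuild the raw bytes from an 'offset xx xx ... | ascii' dump."""
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split("|", 1)[0].split()
        offset = int(fields[0], 16)
        if offset != len(raw):  # the dump must be contiguous to be trusted
            raise ValueError(f"gap in dump at offset {offset:#06x}")
        raw.extend(int(b, 16) for b in fields[1:])
    return bytes(raw)


def decode_reg_sz(raw):
    """Decode REG_SZ bytes (UTF-16LE) and report how the string is terminated.

    Returns (api_view, full, terminated).  Win32 string APIs stop at the
    first NUL, so api_view is what a registry tool would display while full
    is everything up to the final terminator."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be an even number of bytes")
    units = raw.decode("utf-16-le")
    terminated = units.endswith("\x00")
    full = units.rstrip("\x00")
    api_view = units.split("\x00", 1)[0]
    return api_view, full, terminated


def analyze_appinit(raw, exported):
    """Compare the raw registry bytes with what a registry export reported."""
    api_view, full, terminated = decode_reg_sz(raw)
    return {
        "byte_length": len(raw),          # log says 60, terminator included
        "terminated": terminated,
        "dll_path": full,
        "embedded_nul": api_view != full,  # would truncate what tools display
        "export_matches_raw": exported.strip().lower() == full.lower(),
        # AppInit_DLLs is loaded into every process that links user32.dll,
        # so a path the export shows as empty is the finding, whatever the cause.
        "hidden_from_export": bool(full) and exported == "",
    }


if __name__ == "__main__":
    raw = parse_hex_dump(APPINIT_DUMP)
    for key, val in analyze_appinit(raw, EXPORTED_VALUE).items():
        print(f"{key:>20}: {val}")
```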


#4 oshmir

    Member

  • Full Member
  • 47 posts

Posted 17 July 2004 - 01:20 PM

It seems I have the same problem. About:Buster temporarily fixes it, but when I go into IE a second time it's back to the about:blank page again. Should I install FindNFix.exe and create a new thread with the log in it?

Edited by oshmir, 17 July 2004 - 01:21 PM.


#5 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 17 July 2004 - 01:27 PM

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the RESBA.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log2.txt - post its contents in your next reply.

oshmir: start a new topic with a HJT log and send me a link.

#6 GroundControl

GroundControl

    Member

  • Full Member
  • 5 posts

Posted 17 July 2004 - 02:43 PM

Log2.txt



»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Sat 17 Jul 04 14:36:50
2:36pm up 0 days, 0:03

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or the right file was selected.

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(5)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»»»(*6*)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»

\\?\C:\FINDnFIX\junkxxx\RESBA.222 +++ File read error
C:\FINDnFIX\junkxxx\RESBA.222 +++ File read error


C:\FINDNFIX\JUNKXXX\
resba.222 Fri Jun 25 2004 9:40:50p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\RESBA.222

fgrep: can't open input C:\FINDNFIX\JUNKXXX\RESBA.222

A----R RESBA .222 0000E000 21:40.50 25/06/2004

-ra-- - - - - - 57,344 06-25-2004 resba.222
A R C:\FINDnFIX\junkxxx\resba.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
C:\FINDnFIX\junkxxx\RESBA.222 can't be opened.

File: <C:\FINDnFIX\junkxxx\resba.222>




»»Permissions:
C:\FINDnFIX\junkxxx\resba.222
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BPHANTHA\Aut Phanthavong
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: BPHANTHA\Aut Phanthavong

Primary Group: BPHANTHA\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BPHANTHA\Aut Phanthavong
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: BPHANTHA\Aut Phanthavong

Primary Group: BPHANTHA\None

File "C:\FINDnFIX\junkxxx\resba.222"
Access is denied.

erreur dans ListAccessRights sur C:\FINDnFIX\junkxxx\resba.222

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' , USERProcessHandleQuota, 8
00001310:h vk y AppInit_DLLsecte

---------- NEWWIN.TXT
AppInit_DLLsecteŞ
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuota
$01338: AppInit_DLLsecte
--------------
--------------
No strings found.


d.... 0 Jul 17 12:50 .
d.... 0 Jul 17 12:50 ..
...ra 57344 Jun 25 21:40 resba.222

3 files found occupying 55296 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX


===============================================================================
57,344 bytes 955,733 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.06

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-17-:4 12:50|RESBA 222 57344 A R 06-25-:4 21:40
.. <dir> 07-17-:4 12:50|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label


#7 oshmir

oshmir

    Member

  • Full Member
  • 47 posts

Posted 17 July 2004 - 03:09 PM

oshmir: start a new topic with a HJT log and send me a link.

Actually 808Chick has been helping me out with my log, but unfortunately it doesn't really seem to be doing much. link

edit: Well nevermind. It appears she has fixed my homepage problem.

Edited by oshmir, 17 July 2004 - 03:21 PM.


#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 17 July 2004 - 05:00 PM

Well done GroundControl :D Nearly there: open the FINDnFIX folder again and open the Files2 folder. Double-click on ZIPZAP.bat. It will quickly clean the rest, make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit it to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hitting 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done. Rescan with HJT and post a new log in your next reply.

#9 GroundControl

GroundControl

    Member

  • Full Member
  • 5 posts

Posted 18 July 2004 - 01:05 PM

Thank you for helping me Daemon, you are quite the blessing.

A few updates: I opened the ZIPZAP.bat file, I've emailed the junkxxx.zip file, and I've run CWShredder, but I could not delete the entire FINDnFIX folder.

The message "Cannot delete resba.333 : Access is denied Make sure the disk is not full or write-protected and that the file is not currently in use" appears when I try to delete the FINDnFIX folder.

Also, when I open IE my homepage's URL is still "about:blank" but the page is actually blank now instead of a random search page.

On a good note, the pop ups are gone!

And here is the HijackThis log you requested;


Logfile of HijackThis v1.97.7
Scan saved at 12:41:51 PM, on 7/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Aut Phanthavong\My Documents\Download Installation Files\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab

Edited by GroundControl, 18 July 2004 - 01:08 PM.


#10 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 18 July 2004 - 01:31 PM

You need to restart in Safe mode in order to have access to the security tab on files and folders in "XP HOME EDITION".

How to take ownership of a file or folder in Windows XP

In Safe mode:

Right-click on resba.333>properties>Advanced>Security/permissions and take ownership giving yourself 'Full control'. Right click the 'junkxxx' folder itself and hit properties, go to the security tab and click the advanced button. Check the box to reset permissions on all child objects.

Hit apply and OK. You should be able to remove it now.

Boot back into normal mode and go online. In IE click Tools>Internet Options and set your homepage.

Let me know how you get on.

#11 GroundControl

GroundControl

    Member

  • Full Member
  • 5 posts

Posted 18 July 2004 - 02:21 PM

:D Daemon, THANK YOU SO MUCH.

You are very well skilled.

I have my homepage back and the pop ups are gone....for now, haha.

Would you recommend any steps to take in order for further prevention?

So I would consider this case RESOLVED unless you have any further comments.

Thank you SO MUCH Daemon.

#12 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 18 July 2004 - 02:52 PM

You're welcome - glad to help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.



