• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.
Sign in to follow this  
Followers 0
nimereht

spyware help...

32 posts in this topic

ok...i've been infected in the past, and i've been able to fix any and all problems...i have spybot, spysweeper, cwshredder, and ad-aware...but they cant get rid of the problem!

 

thanks for any help...i have read the FAQ...

 

my homepage is being reset to cool web search (even tho i have run cwshredder!)

 

i also seem to be getting popups for some casino...and a few porno icons on my desktop...altho, i may have gotten rid of that problem?

 

i have deleted the first 6 lines a few times, but they come back...

 

Logfile of HijackThis v1.97.3

Scan saved at 4:30:18 PM, on 7/20/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system.exe

C:\WINDOWS\system32\wintime.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Documents and Settings\Jim\Local Settings\Temp\Temporary Directory 37 for hijackthis.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {12C7B7E1-4B14-40AE-AD58-9900F34E5482} - C:\WINDOWS\1090339524.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [system32] C:\WINDOWS\system.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7613.6221990741

O17 - HKLM\System\CCS\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

O17 - HKLM\System\CS1\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

Share this post


Link to post
Share on other sites

ok more info...i definitely have something called WEBSITEVIEWER....this is what's putting the porno icons on my desk top...

 

the other pop up i get is from casino pallazo...

 

and my main inernet page is changed to http://213.159.117.134/index.php and

it says cool web search above...

 

i also see a green circle with a check mark in it that says TRUSTED SITES....i have never seen that before...

 

hope this info can allow someone to help me...

Share this post


Link to post
Share on other sites

Hi! :)

 

First, would you please send a copy of the C:\WINDOWS\questmod.dll file to submit_stuffATxs4all.nl for analysis? (replace 'AT' by @)

 

We know it doesn't belong on your computer, but we would still like to have a closer look at it. We'd also want to submit copies to developers in the security field if it turns out to be a brand new baddie.

 

Much appreciated :)

 

The file could possibly have the "Hidden" attribute. Here's how to show hidden and operating system files

 

Now you're running an antiquated version of Hijack This, and we need to see a log from the very latest one (1.98).

 

You can download it here:

 

http://www.wilderssecurity.com/showthread.php?t=12516

Edited by TonyKlein

Share this post


Link to post
Share on other sites

thank you for helping me! i'm not sure what you mean by send this to you...can you walk me thru that process?

 

Logfile of HijackThis v1.98.0

Scan saved at 3:18:19 PM, on 7/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system.exe

C:\WINDOWS\system32\wintime.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jim\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jim\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jim\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jim\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jim\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jim\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {29950C96-D98A-40A2-A643-15298C327809} - c:\windows\system32\jpbg.dll

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [system32] C:\WINDOWS\system.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

O17 - HKLM\System\CS1\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

O18 - Filter: text/html - {451DF066-3ACD-4A8C-92F8-D19CA1327045} - c:\windows\system32\jpbg.dll

O18 - Filter: text/plain - {451DF066-3ACD-4A8C-92F8-D19CA1327045} - c:\windows\system32\jpbg.dll

Share this post


Link to post
Share on other sites

Here's how to send a file as an attachment:

 

- Open Outlook Express, and press "Create Message".

 

- Say: Hi Tony, here's the file! (LOL!)

 

- Now press the "Attach" button (the paperclip). In the Attach File dialog box, simply browse to C:\WINDOWS\questmod.dll , click the file in order to highlight it, and press "Attach".

 

- Send the message.

 

Here's an article: Attaching a file to an email using Outlook Express

 

NOTE: The file could possibly have the "Hidden" attribute. Here's how to show hidden and operating system files

 

And you have a CoolWebSearch infection that takes quite a lot of effort to remove; we'll tend to that later

Share this post


Link to post
Share on other sites

OK, thank you for the file; it's dialer related malware, as I suspected. Now to your infection.

 

This takes a relatively large number of steps to remove, but if you take your time and follow directions carefully, you should be fine.

 

Click here to download FindnFix.exe (2K/XP only!) by Freeatlast.

 

Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program will take a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

Share this post


Link to post
Share on other sites

OK...figured that out...i didnt have notepad...here is the results...

 

 

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q324929-Q810847-Q818529-Q813951-Q330994-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

Wed 21 Jul 04 20:25:31

8:25pm up 0 days, 14:40

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove

without attempting to confirm it's nature!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!

If in doubt, always search the file(s) and properties according to criteria!

 

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/21)»»»»»»»»»»»»»»»»

 

»»»*»»»*Use at your own risk!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\SQLABH.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQLABH.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

SQLABH.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

sqlabh.dll Wed Jul 7 2004 11:21:20a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\SQLABH.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... SQLABH.DLL .....57344 07.07.2004

 

»»»»»(*6*)»»»»»

fgrep: can't open input C:\WINDOWS\SYSTEM32\SQLABH.DLL

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

sqlabh.dll Wed Jul 7 2004 11:21:20a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\SQLABH.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group FRODO\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

8:28pm up 0 days, 14:43

Wed 21 Jul 04 20:28:19

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-21-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-21-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Wed Jul 21 2004 4:18:38p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: ?

00001190: vk UDeviceNo

000011D0:tSelectedTimeout 1 5 ( W vk ' z

00001210:GDIProcessHandleQuota" 9 0 ! vk X

00001250:Spooler2 y e s vk =pswapdisk

00001290: 8 h vk ( R TransmissionRetryTimeout

000012D0: vk ' t USERProcessHandleQuota\ 8

00001310:h vk > H TAppInit_DLLs s Q C :

00001350:\ W I N D O W S \ S y s t e m 3 2 \ s q l a b h . d l l

00001390:p

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

TAppInit_DLLs

sQ¸ÿÿÿC

--------------

--------------

$011C7: UDeviceNotSelectedTimeout

$0120F: zGDIProcessHandleQuota

$012B8: TransmissionRetryTimeout

$012E8: USERProcessHandleQuota

$01337: TAppInit_DLLs

--------------

--------------

C:\WINDOWS\System32\sqlabh.dll

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 62 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : "C:\WINDOWS\System32\sqlabh.dll"

0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.

0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.

0020 6d 00 33 00 32 00 5c 00 73 00 71 00 6c 00 61 00 | m.3.2.\.s.q.l.a.

0030 62 00 68 00 2e 00 64 00 6c 00 6c 00 00 00 | b.h...d.l.l...

Share this post


Link to post
Share on other sites

As for your Notepad issue; do this:

 

Find the Notepad.exe file in your C:\Windows folder, and copy (NOT move) it to the C:\Windows\System32 folder. Allow it to overwrite the one in there.

That should fix that.

 

Reason: The copy in System32 has been replaced/corrupted , probably by a CWS parasite variant, but the one in Windows is protected by Windows File Protection, and is therefore usually intact.

 

The log has allowed us to pinpoint without doubt the super hidden installer file that makes this hijack a littler harder to remove than your average parasite...

 

As the next step, first DISABLE your antivirus and keep it disabled untill we've finished removing this one; if you do not, it will interfere.

 

Now in the FindnFix 'keys1' folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the

SQLABH.DLL file (it should be visible now). RightClick on the "SQLABH.DLL" file, and select -> Cut from the menu.

 

Immediately Open the C:\FINDnFIX\junkxxx subfolder.

RightClick inside it and select 'Paste' from the menu; hit 'ok' when/if asked on 'read only' file move prompt.

 

- Make sure the file is now indeed in that Junkxxx subfolder

 

Open the FINDnFIX folder again and run the "Restore.bat" file.

It will run and generate a log (log2.txt) . Post it here.

 

 

Good luck, .

Edited by TonyKlein

Share this post


Link to post
Share on other sites

ok! here it is...

 

 

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

 

Thu 22 Jul 04 06:38:46

6:38am up 0 days, 0:06

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q324929-Q810847-Q818529-Q813951-Q330994-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/21)***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or

the right file was selected...

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

Unknown/hidden files...

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!

RightClick on the file/properties/security

and check the "Allow Inheritable permissions from parent..." box.

Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

 

* result\\?\C:\FINDnFIX\junkxxx\SQLABH.222

 

 

C:\FINDNFIX\JUNKXXX\

sqlabh.222 Wed Jul 7 2004 11:21:20a A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\SQLABH.222

 

**File C:\FINDNFIX\JUNKXXX\SQLABH.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- SQLABH .222 0000E000 11:21.20 07/07/2004

 

--a-- W32i - - - - 57,344 07-07-2004 sqlabh.222

A C:\FINDnFIX\junkxxx\sqlabh.222

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

SQLABH.222 57344 07-07-104 11:21 c185b36f9969d3a6d2122ba7cbc02249

File: <C:\FINDnFIX\junkxxx\sqlabh.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\sqlabh.222 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

FRODO\Jim:F

BUILTIN\Users:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x FRODO\Jim

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: FRODO\Jim

 

Primary Group: FRODO\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x FRODO\Jim

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: FRODO\Jim

 

Primary Group: FRODO\None

 

File "C:\FINDnFIX\junkxxx\sqlabh.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x FRODO\Jim

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: FRODO\Jim

 

Primary Group: FRODO\None

 

C:\FINDnFIX\junkxxx\sqlabh.222;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlabh.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlabh.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlabh.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlabh.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlabh.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlabh.222;FRODO\Jim:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlabh.222;BUILTIN\Users:RrRaRepX

 

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

00001150: ?

00001190: Qj vk UDeviceNo

000011D0:tSelectedTimeout 1 5 ( W vk ' z

00001210:GDIProcessHandleQuota" 9 0 ! vk X

00001250:Spooler2 y e s vk =pswapdisk

00001290: 8 h vk ( R TransmissionRetryTimeout

000012D0: vk ' t USERProcessHandleQuota\ 8

00001310:h vk x AppInit_DLLs G

00001350: w @ w G _^]3 [ K ; D$ $SVWPQ u |$( }9

00001390: \$ T$$RV f q m9 D$$ PV f _^3 [ SV

000013D0:W L$ G$ 4 t% \$ T$ F RPS 9 D$ t _^[ v

00001410:( u D$D j D$ T$ H 3 F D$D D$D \$D [sSUV W

00001450: 5 T$( D$$ L$ R T$ P D$ Q L$ RPQ p[s_^][ V q[s C0

00001490:[s; & V R $ SU3 V; W l$ l$ \$$ l$

000014D0:D$ +4 p [s ; 4 WU q[s l$ $

00001510:T$ [sWUVQRP ! L$$j QWU _ l$ ^][

00001550:

 

---------- NEWWIN.TXT

AppInit_DLLsÿÿÿÿ¸

--------------

--------------

$011C7: UDeviceNotSelectedTimeout

$0120F: zGDIProcessHandleQuota

$012B8: TransmissionRetryTimeout

$012E8: USERProcessHandleQuota

$01338: AppInit_DLLs

--------------

--------------

No strings found.

 

 

d.... 0 Jul 21 16:18 .

d.... 0 Jul 21 16:18 ..

....a 57344 Jul 7 11:21 sqlabh.222

 

3 files found occupying 55296 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

SQLABH.222 : crc16=3138 crc32=D5C9FB2E

 

-------- C:\FINDNFIX\JUNKXXX\SQLABH.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2

===============================================================================

57,344 bytes 5,734,400 cps

Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-21-:4 16:18|SQLABH 222 57344 A 07-07-:4 11:21

.. <dir> 07-21-:4 16:18|

---------------------------------------+---------------------------------------

3 files totaling 57344 bytes consuming 65024 bytes of disk space.

25466880 bytes available on Drive C: No volume label

 

...File dump...

 

DecAddr +4 +8 +12 © |ASCII Equiv or .| HexAddr

56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30

56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40

56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50

56928 00000000 00000000 00000000 a6f00100 |................| 0de60

56944 01000000 03000000 03000000 88f00100 |................| 0de70

56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80

56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90

56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0

57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0

57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0

57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0

57056 63655365 74757032 |ceSetup2 | 0dee0

 

Detecting...

 

C:\FINDnFIX\junkxxx

sqlabh.222 ACL has 8 ACE(s)

SID = /Everyone S-1-1-0

ACE 0 is an ACCESS_ALLOWED_ACE_TYPE

ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 1 is an ACCESS_ALLOWED_ACE_TYPE

ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 2 is an ACCESS_ALLOWED_ACE_TYPE

ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 3 is an ACCESS_ALLOWED_ACE_TYPE

ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 4 is an ACCESS_ALLOWED_ACE_TYPE

ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = NT AUTHORITY/SYSTEM S-1-5-18

ACE 5 is an ACCESS_ALLOWED_ACE_TYPE

ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = FRODO/Jim S-1-5-21-1708537768-1336601894-1801674531-1003

ACE 6 is an ACCESS_ALLOWED_ACE_TYPE

ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Users S-1-5-32-545

ACE 7 is an ACCESS_ALLOWED_ACE_TYPE

ACE 7 mask = 0x001200a9 -R -X

ACL done...

 

 

Finished Detecting...

Share this post


Link to post
Share on other sites

Excellent! You're doing great. :)

 

 

Now open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file in the same folder (junkxxx.zip) and open your email client with instructions.

 

Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder.

 

Now click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done.

 

Rescan with HJT and post a new log in your next reply. There will be a couple more things we need to take care of.

Edited by TonyKlein

Share this post


Link to post
Share on other sites

ok, minor problem...i tried emailing the virus to the address specified, but i dont use outlook express for my emailing? i use aol...so i tried to send it as an attachement (like i did with that first file to you...) and aol wouldnt send it because it "detected a virus" in the email...

 

what can i do..?

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 7:25:18 AM, on 7/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system.exe

C:\WINDOWS\system32\wintime.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

C:\WINDOWS\dial32.exe

C:\Program Files\WebSiteViewer\123924.dlr

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [system32] C:\WINDOWS\system.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

Share this post


Link to post
Share on other sites

Well, as this appears to be a rather straight forward case, I think you can skip the submitting part...

 

Final steps:

 

Start your computer in Safe Mode (it may help if you print this out), and delete the following items:

 

Folders:

 

C:\Program Files\WebSiteViewer

C:\Program Files\TV Media

 

Files:

 

C:\WINDOWS\dial32.exe

C:\WINDOWS\system.exe

C:\WINDOWS\system32\wintime.exe

 

 

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

 

Next, still in Safe Mode, run Hijack This, and have it fix these items:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

 

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll

 

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [system32] C:\WINDOWS\system.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

 

 

Now start your computer normally, and please post a fresh log.

Share this post


Link to post
Share on other sites

ok...here we go...

 

just so you know, i still have the porno icons on my desk top...is that just a matter of deleting them? i think i did it right?

 

oh yeah, do i have to go back in and recheck that hidden folders option???

 

 

Logfile of HijackThis v1.98.0

Scan saved at 11:14:19 AM, on 7/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

 

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

Edited by nimereht

Share this post


Link to post
Share on other sites

Your log is totally clean! Great job! :)

 

And yup, the items on your desktop would have to be shortcuts and ought to let themselves be deleted without any trouble.

Share this post


Link to post
Share on other sites

hey, thanks a million for taking the time to help me out...

 

one last question...

 

you wrote...

 

OTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

 

do i have to go back in there and change the setting again? or is it ok to leave it as it is???

Share this post


Link to post
Share on other sites

It's a matter of choice; I prefer seeing everything, but you may opt to keep certain operating system files hidden.

 

As long as you realize that there's a reason for them being hidden: they are usually files that shouldn't be touched!

Share this post


Link to post
Share on other sites

unreal....it looks like cool web search is back! i have tried to remove it the old fashioned way, but it didnt work...i have something in system32 called anctres.dll

 

i know it doesnt belong there and i cant delete it manually...

 

if i dont hear from you in a while, i will make a fresh post...

 

here is a fresh hijack this log...

 

Logfile of HijackThis v1.98.0

Scan saved at 1:50:24 PM, on 7/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\goidr.exe

C:\WINDOWS\System32\gybkiq.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\Soulseek\slsk.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\WINDOWS\system.exe

C:\WINDOWS\system.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe

O4 - HKLM\..\Run: [fxnlddnse] C:\WINDOWS\System32\gybkiq.exe

O4 - HKLM\..\Run: [system32] C:\WINDOWS\system.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

Share this post


Link to post
Share on other sites

Well you got re-infected by some entirely new malware as well; you really should stop doing that...

 

First download LSPfix here: http://www.cexx.org/lspfix.htm

 

Launch the application, and click the "I know what I'm doing" checkbox.

 

Check all instances of lspak.dll (and nothing else) , and move them to the "Remove" pane.

Then click Finish.

 

First disconnect your computer from the Internet.

Now do a Ctrl-Alt-Delete in order to bring up Task Manager and, on the Processes tab, end task on the following processes:

 

C:\WINDOWS\goidr.exe

C:\WINDOWS\System32\gybkiq.exe

 

Now find the following files, and delete them:

 

C:\WINDOWS\goidr.exe

C:\WINDOWS\System32\gybkiq.exe

 

NOTE: To avoid the risk of the files not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

 

Now Start your computer in Safe Mode (it may help if you print this out), and delete:

 

The C:\Program Files\TV Media folder

The C:\WINDOWS\system.exe

 

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

 

Next, still in Safe Mode, run Hijack This, and have it fix these items:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

 

O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe

O4 - HKLM\..\Run: [fxnlddnse] C:\WINDOWS\System32\gybkiq.exe

O4 - HKLM\..\Run: [system32] C:\WINDOWS\system.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

 

 

Now start your computer normally, and please post a fresh log.

Edited by TonyKlein

Share this post


Link to post
Share on other sites

ok...looks like i missed something?

 

Logfile of HijackThis v1.98.0

Scan saved at 2:57:58 PM, on 7/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

Share this post


Link to post
Share on other sites

thanks again!

 

do you recommend i do something to prevent re-infection???

 

i've never had problems this bad, but now its been twice in less then 10 days?

Share this post


Link to post
Share on other sites

hey tony...i feel like i should be paying you!

 

its like i cant surf the internet any more...i've had this problem for a few days, but i cant get rid of the problem....i run ad aware and i get a file called AWCTRES.DLL, and i cant delete it....it says "file protected" or some such...

 

Logfile of HijackThis v1.98.0

Scan saved at 7:05:48 PM, on 8/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\cvss.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\goidr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\TEMP\ICD3.tmp\whistlesilent.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} - http://www.jraun.com/activex/src/KeyActivexTest.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

O17 - HKLM\System\CS1\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

Share this post


Link to post
Share on other sites

You got reinfected by a bunch of new adware... you seem to keep getting yourself in trouble....

 

I suggest you use the System Restore utility to revert to a moment in time just before you lost Internet access, then post a fresh log.

Share this post


Link to post
Share on other sites

no no, i can surf the internet...i just get a lot of pop ups...i was just saying that as a figure of speach..."i cant surf the internet anymore, cuz i keep getting infected!" i never had this problem till i got infected the first time and you helped me out...

 

do you know what i mean..?

 

that is the freshest most up to date log...

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 9:23:55 PM, on 8/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\goidr.exe

C:\WINDOWS\mwsvm.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\America Online 8.0\aol.exe

C:\Program Files\America Online 8.0\waol.exe

C:\Program Files\America Online 8.0\aolwbspd.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe

O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [mwsvm] C:\WINDOWS\mwsvm.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

O17 - HKLM\System\CS1\Services\Tcpip\..\{0127CE50-2902-44EE-A009-B25D35987F6D}: NameServer = 205.188.146.146

Share this post


Link to post
Share on other sites

Well, as I said, you got yourself a whole new bunch of malware...

 

Start your computer in Safe Mode and delete:

 

The SLMSS and WINTOOLS folders in C:\Program Files\Common Files

 

These files:

 

C:\WINDOWS\goidr.exe

C:\WINDOWS\mwsvm.exe

C:\WINDOWS\aqadcup.exe

 

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

 

Next, still in Safe Mode, run Hijack This, and have it fix these items:

 

O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe

O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [mwsvm] C:\WINDOWS\mwsvm.exe

 

 

Now start your computer normally, and please post a fresh log.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 5:29:51 PM, on 8/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\PROMon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\system32\dllcache\msngr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Jim\Desktop\HijackThis1980hf.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C

Share this post


Link to post
Share on other sites

Do install an antivirus program and a firewall.

 

Glad we could help. :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0