Jump to content


Photo

Another Aboutblank...plz help!


  • This topic is locked This topic is locked
9 replies to this topic

#1 jslezak

jslezak

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 22 July 2004 - 11:02 PM

:bounce: I know you guys are bored of these by now but i have waited patiently and tried to use all other posts to fix this, so far ive been unsuccesful and this hijacker comes back everytime. So far ive used: Adaware, Spybot,Spysweeper,Aboutbuster,CWSHREDDER,hijackthis and a manual registry hack method that only wasted time. PLeaseeee help thank you!!!!


Logfile of HijackThis v1.97.7
Scan saved at 9:01:06 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\Default User.BXH-000001\Desktop\RefreshLock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Default User.BXH-000001\My Documents\Computer fixes\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DEFAUL~1.BXH\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DEFAUL~1.BXH\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DEFAUL~1.BXH\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DEFAUL~1.BXH\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DEFAUL~1.BXH\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DEFAUL~1.BXH\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A38BA787-3D3A-4DCE-9A9E-0DD5BE0D8629} - C:\WINDOWS\System32\honlia.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7524.0778703704
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28578.cab


all CWSHredder says is i have Searchx variant and tahts the only one ive ever seen on any of my scans. Hope you can help Thanks!

#2 Daemon

Daemon

    Security Expert

  • Retired Staff
  • PipPipPipPipPip
  • 3,350 posts

Posted 23 July 2004 - 04:46 PM

To anyone other than the originator of this topic: do not use this thread to try to fix your system or anyone elses by copying it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
Posted Image

#3 jslezak

jslezak

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 July 2004 - 05:45 PM

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\KBDB.DLL +++ File read error
\\?\C:\WINDOWS\System32\KBDB.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
KBDB.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

No matches found.

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗╗╗(*5*)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... KBDB.DLL .....57344 29.06.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\KBDB.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINDOWS\SYSTEM32\
kbdb.dll Tue Jun 29 2004 1:04:18a ..... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KBDB.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group JAY\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
3:43pm up 0 days, 16:15
Fri 23 Jul 04 15:43:52

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-23-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-23-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Fri Jul 23 2004 3:41:56p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: ?
00001190: vk : f AppInit_
000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ k b d b . d
00001210:l l vk P UDeviceNotSelectedTimeout
00001250: 1 5 ( W 9 0 ! vk ' zGDIProce
00001290:ssHandleQuota" vk Spooler2 y e s
000012D0: p vk =pswapdisk vk
00001310: ` R TransmissionRetryTimeout p
00001350: X vk ' USERProcessHandleQuota x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠG└   C
--------------
--------------
$011C8: AppInit_DLLs
$01237: UDeviceNotSelectedTimeout
$01287: zGDIProcessHandleQuota
$01320: TransmissionRetryTimeout
$01370: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\kbdb.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\kbdb.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 6b 00 62 00 64 00 62 00 | m.3.2.\.k.b.d.b.
0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...

#4 jslezak

jslezak

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 July 2004 - 07:40 PM

sorry for bumb but i kind of need this one looked at. ITs my work comp so if daemon or anyone else can analyze my FindNFix log and help me out !!!! :D thanks!

#5 jslezak

jslezak

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 July 2004 - 10:50 PM

Bump: Sorrrrrrrrryyyyy but i need help!!! PLEASE!!! :D

#6 Daemon

Daemon

    Security Expert

  • Retired Staff
  • PipPipPipPipPip
  • 3,350 posts

Posted 24 July 2004 - 03:26 AM

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the KBDB.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log2.txt - post it's contents in your next reply.
Posted Image

#7 jslezak

jslezak

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 24 July 2004 - 06:57 PM

OKay daemon sumthing wierd happend! i ran the FIX.bat and restarted the computer. The KBDB.dll file appeared just like you said, but right as i was about to move it to the JunkXXX folder the new nortan antivirus caught it and deleted it. I ran the restore.BAT anyway just to get the log here it is below. I havnt gotten any hijackings since but will this fix my computer?!?!?!




This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.
Unknown/hidden files...

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

╗╗╗╗╗(*6*)╗╗╗╗╗

╗╗╗╗╗╗╗ Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!
RightClick on the file/properties/security
and check the "Allow Inheritable permissions from parent..." box.
Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)



No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


File not found - C:\FINDnFIX\junkxxx\*.*

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________

╗╗Permissions:
ERROR: There are no more files.

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JAY\Default User
Allow 0000001B -co- 001F01FF ---- DSPO rw+x \CREATOR OWNER
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000012 tc-- 00100002 ---- ---- -w-- BUILTIN\Users
Allow 00000012 tc-- 00100004 ---- ---- --+- BUILTIN\Users
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: JAY\Default User

Primary Group: JAY\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JAY\Default User
Allow 0000001B -co- 001F01FF ---- DSPO rw+x \CREATOR OWNER
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000012 tc-- 00100002 ---- ---- -w-- BUILTIN\Users
Allow 00000012 tc-- 00100004 ---- ---- --+- BUILTIN\Users
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: JAY\Default User

Primary Group: JAY\None




╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' USERProcessHandleQuota 8
00001310:h vk x AppInit_DLLs
00001350:
00001390:   @
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLs    Ş
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuota
$01338: AppInit_DLLs
--------------
--------------
No strings found.


d.... 0 Jul 23 15:41 .
d.... 0 Jul 23 15:41 ..

2 files found occupying -1024 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
No files found


===============================================================================
0 bytes 0 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.07

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-23-:4 15:41|.. <dir> 07-23-:4 15:41
---------------------------------------+---------------------------------------
2 files totaling 0 bytes consuming 0 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...


Detecting...

C:\FINDnFIX\junkxxx
Finished Detecting...

#8 Daemon

Daemon

    Security Expert

  • Retired Staff
  • PipPipPipPipPip
  • 3,350 posts

Posted 25 July 2004 - 03:58 AM

That is happening more often - FnF reveals it and antivirus programs nail it. Delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done. Rescan with HJT and post a new log in your next reply.
Posted Image

#9 jslezak

jslezak

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 25 July 2004 - 09:54 PM

still another day with no hijack!!! heres my new log

Logfile of HijackThis v1.97.7
Scan saved at 7:52:11 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Default User.BXH-000001\Desktop\RefreshLock.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Default User.BXH-000001\My Documents\Computer fixes\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7524.0778703704
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28578.cab


Pretty sure its fixed!!! i won!! mauahhahahahah

CWS :bangbang: :bangbang:

#10 Daemon

Daemon

    Security Expert

  • Retired Staff
  • PipPipPipPipPip
  • 3,350 posts

Posted 26 July 2004 - 02:07 AM

That's a clean log - well done :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!