Jump to content


Photo

Backdoor.Trojan(wdmf.dll)


  • Please log in to reply
10 replies to this topic

#1 Scribbz

Scribbz

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 July 2004 - 03:24 PM

From looking at the board I see this problem is becoming frequent. Everytime I restart my computer, Norton's Auto Protection pops up saying I have a "Backdoor.Trojan" on my computer. I've tried looking for the file(wdmf.dll) in the folder where Norton says it is but I can't find it. Please help!
Here is my HijackThis Log File it helps any:

Logfile of HijackThis v1.97.7
Scan saved at 4:22:09 PM, on 7/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Brian\My Documents\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1089472445686
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8128.7021180556
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab

Any help would be greatly appreciated. Thanks again!

#2 discogail

discogail

    "All you need is a gorilla and a dream"

  • Emeritus
  • Pip
  • 86 posts

Posted 25 July 2004 - 05:47 PM

Disable then reenable system restore and see what happens.
http://service1.syma...src=sec_doc_nam

#3 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 July 2004 - 06:05 PM

From looking at the board I see this problem is becoming frequent.

Everytime I restart my computer,
Norton's Auto Protection pops up saying I have
a "Backdoor.Trojan" on my computer.
I've tried looking for the file(wdmf.dll) in the folder
where Norton says it is but I can't find it. !

Known issue!
See this, as example:
http://forums.spywar...topic=17684&hl=

And I recognize that file name... ;)

The file is indeed identified by Norton that *isolates*
it and at the same time locks access to it's removal!

Follow these steps in the exact order specified, or they
won't work properly!

1.)
Disable Norton's active protection
completely, and restart your computer!
---------------------------------------------------------------
2.)
Download and install : "FINDnFIX.exe" from any of
the links in my signature.
You can skip the first log, and proceed:
----------------------------------------------------------------
3.)
*Get ready to restart your computer.
- Open the FINDnFIX\Keys1 <- Subfolder:
DoubleClick on the "FIX.bat" file.
-You will get a prompt preparing for auto-restart in 10 seconds.
-Let it restart!
-----------------------------------------------------------------
4.)
On restart, Go to Start/Search, and find:
"wdmf.dll" (in System32 folder; as it should be visible)
-When found, RightClick on the "wdmf.dll" file
And select -> Cut...
Immediately Goto and Open this Subfolder:
C:\FINDnFIX\junkxxx <-
RightClick inside it and select -> Paste
hit 'ok' when/if asked on 'read only' file move prompt.
*Be sure the file is now here: \junkxxx\wdmf.dll
--------------------------------------------------------------------------------
5.)
When done, Go back up one level to the main C:\FINDnFIX folder and
Run the -> "RESTORE.bat" file ,
It will run and generate a log (log2.txt)
Post it here.
=============================================
*Note:
Do not change/move around or
tamper with any of the file(s) folder(s) and path
included in the 'FINDnFIX' folder.
*You must be the prime account/Part of the 'Administrators' group to
perform the steps above!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#4 Guest_SirJon_*

Guest_SirJon_*
  • Guests

Posted 25 July 2004 - 06:11 PM

Thank you for your wonderful tool freeatlast.

#5 Scribbz

Scribbz

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 July 2004 - 07:50 PM

Wow! Thanks for all the help!! :D
I hope I did everything right with the FINDnFIX.
Here is the log:


»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Sun 25 Jul 04 20:44:01
8:44pm up 0 days, 0:06

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894-Q831167
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/25)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(5)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»»»(*6*)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!
RightClick on the file/properties/security
and check the "Allow Inheritable permissions from parent..." box.
Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

* result\\?\C:\FINDnFIX\junkxxx\WDMF.222


C:\FINDNFIX\JUNKXXX\
wdmf.222 Mon Jun 21 2004 12:21:42p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\WDMF.222

**File C:\FINDNFIX\JUNKXXX\WDMF.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ŕ.

A----- WDMF .222 0000E000 12:21.42 21/06/2004

--a-- W32i - - - - 57,344 06-21-2004 wdmf.222
A C:\FINDnFIX\junkxxx\wdmf.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
WDMF.222 57344 06-21-104 12:21 c185b36f9969d3a6d2122ba7cbc02249
File: <C:\FINDnFIX\junkxxx\wdmf.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\FINDnFIX\junkxxx\wdmf.222 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BRIAN-ATKPLKM0Y\Brian:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BRIAN-ATKPLKM0Y\Brian
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: BRIAN-ATKPLKM0Y\Brian

Primary Group: BRIAN-ATKPLKM0Y\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BRIAN-ATKPLKM0Y\Brian
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: BRIAN-ATKPLKM0Y\Brian

Primary Group: BRIAN-ATKPLKM0Y\None

File "C:\FINDnFIX\junkxxx\wdmf.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BRIAN-ATKPLKM0Y\Brian
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: BRIAN-ATKPLKM0Y\Brian

Primary Group: BRIAN-ATKPLKM0Y\None

C:\FINDnFIX\junkxxx\wdmf.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmf.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmf.222;BRIAN-ATKPLKM0Y\Brian:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmf.222;BUILTIN\Users:RrRaRepX[I]



»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' USERProcessHandleQuota 8
00001310:h vk e AppInit_DLLsoutQ
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLsoutQ¸
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuota
$01338: AppInit_DLLsoutQ
--------------
--------------
Selection

d.... 0 Jul 25 20:36 .
d.... 0 Jul 25 20:36 ..
....a 57344 Jun 21 12:21 wdmf.222

3 files found occupying 55296 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
WDMF.222 : crc16=3138 crc32=D5C9FB2E

-------- C:\FINDNFIX\JUNKXXX\WDMF.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 5,734,400 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-25-:4 20:36|WDMF 222 57344 A 06-21-:4 12:21
.. <dir> 07-25-:4 20:36|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
3308032 bytes available on Drive C: No volume label

...File dump...

DecAddr +4 +8 +12 © |ASCII Equiv or .| HexAddr
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...

C:\FINDnFIX\junkxxx
wdmf.222 ACL has 8 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BRIAN-ATKPLKM0Y/Brian S-1-5-21-1614895754-839522115-1957994488-1003
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001200a9 -R -X
ACL done...


Finished Detecting... 

I hope I'm in the clear. lol I really appreciate all your help!! Thanks again!

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 July 2004 - 08:39 PM

Well done!

Nearly over! ;)

Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will take less than a second, quickly clean the rest and
will create a zipped copy of the bad file(s) in the same
folder (named as-- junkxxx.zip) and open your email
client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!
*Be sure your active AV email scan is disabled as well!

Find this logfile created in the same Subfolder-- (C:\FINDnFIX\Files2):
-> "FINAL.TXT"
And post it's contents, along with new hijackthis log!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#7 zeeq

zeeq

    Member

  • New Member
  • Pip
  • 1 posts

Posted 25 July 2004 - 10:24 PM

had exactly the same problem... and this worked for me:

from site:
http://www.computing...rum/110685.html

here's the article that describes the steps:

Name: VerilySo
Date: July 23, 2004 at 09:20:35 Pacific
Subject: Backdoor.Trojan and NAV

Reply:
Telemachus,
Try these instructions. They worked for me.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
You have to remove this key. This key tells Windows to load the Trojan DLL every time ANY application is run. You need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC.
If you just delete it from RegEdit, it will re-add itself. (Try it. Delete the AppInit_DLLs key and hit F5. Notice it immediatly reappears).
Do the following:
1. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2 (select Windows folder and RT click, rename).
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.
Now that AppInit_DLLs is gone, run the latest AdAware 6 and Housecall to remove any Trojan remnants for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
On this computer, there was an infected .dll file in the Windows\System32 directory called comojgl.dll which was detected by Norton, but could not delete. Norton reported the infection as BackDoor.Agent.A. The file, comojgl.dll, was the Trojan. Until I deleted the file using the rename Windows folder trick, Norton continued to report it with the annoying NAV Alert. After reboot, the NAV reported it had deleted it. I was just happy it was gone.
Goodluck

#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 July 2004 - 10:29 PM

1. Rename the HLM\Software\Microsoft\Windows NT\
CurrentVersion\Windows folder to Windows2
(select Windows folder and RT click, rename).


Dude!
In case you missed the log
results the reg key and the file were all cleaned up!

See the results of your own actions here... :scratchhead:
http://forums.spywar...t=0
Good luck!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#9 Scribbz

Scribbz

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 July 2004 - 10:36 PM

Okay I'm having trouble with mailing it b/c Outlook Express isn't connecting(Its the first time I'm using it and AOL doesn't allow that kind of mail lol) Do you just need that to research it or is it vital to cleaning my system? Either way I'll definitely try and figure out how to use it.Sorry about that!
:unsure: I can't thank you enough for all you've done.
Anyway here are the 2 logs:


Microsoft Windows XP [Version 5.1.2600]
Sun 25 Jul 04 23:26:18

........*FINAL.LOG*.............
..Uninstalling bho (if exist)...
.. Deleting sp.html files (if present) ...
Could Not Find C:\DOCUME~1\Brian\LOCALS~1\Temp\sp.html
Could Not Find C:\WINDOWS\temp\sp.html
File not found - C:\DOCUME~1\Brian\LOCALS~1\Temp\sp.html
File not found - C:\WINDOWS\Temp\sp.html

...Checking file version...
--a-- W32i - - - - 57,344 06-21-2004 wdmf.333
A C:\FINDnFIX\junkxxx\wdmf.333

...Resetting permissions on junkxxx folder and file
...Resetting attribs; renaming
A \\?\C:\FINDnFIX\junkxxx\wdmf.333
processed file: C:\FINDnFIX\junkxxx\wdmf.333
processed directory: C:\FINDnFIX\junkxxx
processed file: C:\FINDnFIX\junkxxx\wdmf.333
Cleaniing registry keys...
...checking permissions and attrib reset
processed file: C:\FINDnFIX\junkxxx\wdmf.333
processed directory: C:\FINDnFIX\junkxxx
processed file: C:\FINDnFIX\junkxxx\wdmf.333

Access F GRANTED TO TRUSTEE administrators on C:\FINDnFIX\junkxxx
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmf.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmf.333;BRIAN-ATKPLKM0Y\Brian:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmf.333;BUILTIN\Users:RrRaRepX[I]
C:\FINDnFIX\junkxxx\wdmf.333 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
Everyone:F
Everyone:F
Everyone:F
Everyone:F
Everyone:F
Everyone:F
Everyone:F
Everyone:F
Everyone:F
Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BRIAN-ATKPLKM0Y\Brian:F
BUILTIN\Users:R

...zipping files...
...Deleting temp files...
Could Not Find C:\FINDnFIX\Files2\*.tmp
...Submitting file...

...Dumping key and security...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER


A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : ""
0000 00 00 | ..


HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 11:32:38 PM, on 7/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllcache\notepad.exe
C:\Documents and Settings\Brian\My Documents\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1089472445686
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8128.7021180556
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab

Thanks again!

#10 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 July 2004 - 10:48 PM

All's well!

Don't woory about the mail, it's a generic
request and I have the same file, identified :D

File: <C:\FINDnFIX\junkxxx\wdmf.222>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249



Delete the entire FINDnFIX folder(s) from C:\
Stay out of trouble! ;)

P.S
It would be very wise to upgrade your...
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

To it's latest version: 6/SP1!, including all security updates!
Using another browser makes no difference as IE is integral to the system,
And that's one of the best ways to avoid and prevent reinfection!

Edited by freeatlast, 25 July 2004 - 10:58 PM.

Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#11 Scribbz

Scribbz

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 July 2004 - 10:56 PM

Oh Okay THANK YOU freeatlast! You're awesome!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button