Jump to content


Photo

Backdoor.Trojan C:\Windows\System32\D3DIMJF.DLL


  • This topic is locked This topic is locked
8 replies to this topic

#1 docdanhlh

docdanhlh

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 July 2004 - 06:36 PM

As I have read in various posts this is a common problem. I have a Backdoor Trojan in C:\Windows\System32\D3DIMJF.DLL, norton 2003 finds but cannot remove. I have been trying for 10 days, on some boots Norton will find another trojan and remove it via the active auto protection, but never this one. Adware and Sypbot clear. I've seen the example Http://forums.spywareinfo.com/index.php?showtoic=17684&hl= and wonder if this will work for me.

Running Norton in normal or safe mode will not find any virus only the auto protect. Operating system is winXP pro.

Thanks in advance :lol:
Below in HijackThis log Logfile of HijackThis v1.97.7
Scan saved at 6:14:52 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Windows\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Windows\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\MsPMSPSv.exe
C:\Documents and Settings\Administrator\Desktop\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7777.8689930556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 27 July 2004 - 06:46 PM

As I have read in various posts this is a common problem. 
I have a Backdoor Trojan in C:\Windows\System32\D3DIMJF.DLL,
norton 2003 finds but cannot remove. 

http://forums.spywar...topic=18064&hl= :p
Same issue ...

The file is indeed identified by Norton that *isolates*
it and at the same time locks access to it's removal!

Follow these steps in the exact order specified, or they
won't work properly!

1.)
Disable Norton's active protection
completely, and restart your computer!
*Unless you do so, it'll interfere!!
---------------------------------------------------------------
2.)
Download and install : "FINDnFIX.exe" from any of
the links in my signature.
You can skip the first log, and proceed:
----------------------------------------------------------------
3.)
*Get ready to restart your computer.
- Open the FINDnFIX\Keys1 <- Subfolder:
DoubleClick on the "FIX.bat" file.
-You will get a prompt preparing for auto-restart in 10 seconds.
-Let it restart!
-----------------------------------------------------------------
4.)
On restart, Go to Start/Search, and find:
"D3DIMJF.DLL" (in System32 folder; as it should be visible)
-When found, RightClick on the "D3DIMJF.DLL" file
And select -> Cut...
Immediately Goto and Open this Subfolder:
C:\FINDnFIX\junkxxx <-
RightClick inside it and select -> Paste
hit 'ok' when/if asked on 'read only' file move prompt.
*Be sure the file is now here: \junkxxx\D3DIMJF.DLL
--------------------------------------------------------------------------------
5.)
When done, Go back up one level to the main C:\FINDnFIX folder and
Run the -> "RESTORE.bat" file ,
It will run and generate a log (log2.txt)
Post it here, along with your hijackthis log!
=============================================
*Note:
Do not change/move around or
tamper with any of the file(s) folder(s) and path
included in the 'FINDnFIX' folder.
*You must be the prime account/Part of the 'Administrators' group to
perform the steps above!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#3 docdanhlh

docdanhlh

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 July 2004 - 08:15 PM

I am able to get the step 5 to generate a log - but it hung up and said it could not find notepad - I tried Browse and opened in word for windows and got the message FindnFix\log2.txt is not a valid Wn32 application and cannot get further. If I regenerate restore it does the same? What should I do - thanks?

#4 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 27 July 2004 - 08:38 PM

I am able to get the step 5 to generate a log - but it hung up and said it could not find notepad - I tried Browse and opened in word for windows and got the message FindnFix\log2.txt is not a valid Wn32 application and cannot get further.  If I regenerate restore it does the same?  What should I do - thanks?

This is caused by corrupted/hijacked copies of notepads.
cws is well known to do that.

Check all your notepad.exe in:
-Windows
-System32 folder
-System32\dllcache folder
And overwrite the corrupted copy.

If no luck, you can download notepad_xp from my FINDnFIX page, unzip and copy it to both Windows and system32 folder.
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#5 docdanhlh

docdanhlh

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 July 2004 - 10:09 PM

You have saved me again! The only thing was I could not find a System 32 dllcache file should I create one? Here is the log file:
»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Tue 27 Jul 04 21:56:24
9:56pm up 0 days, 2:06

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/27)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\D3DIMJF.222


C:\FINDNFIX\JUNKXXX\
d3dimjf.222 Thu Jul 1 2004 12:42:48p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\D3DIMJF.222

**File C:\FINDNFIX\JUNKXXX\D3DIMJF.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ŕ.

A----- D3DIMJF .222 0000E000 12:42.48 01/07/2004

--a-- W32i - - - - 57,344 07-01-2004 d3dimjf.222
A C:\FINDnFIX\junkxxx\d3dimjf.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
D3DIMJF.222 57344 07-01-104 12:42 c185b36f9969d3a6d2122ba7cbc02249

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
D3DIMJF.222 : crc16=3138 crc32=D5C9FB2E


File: <C:\FINDnFIX\junkxxx\d3dimjf.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC16 : 3138
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC16 : EEB1
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC16 : 90A5
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\d3dimjf.222 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DAN\Administrator:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DAN\Administrator
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: DAN\Administrator

Primary Group: DAN\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DAN\Administrator
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: DAN\Administrator

Primary Group: DAN\None

File "C:\FINDnFIX\junkxxx\d3dimjf.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DAN\Administrator
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: DAN\Administrator

Primary Group: DAN\None

C:\FINDnFIX\junkxxx\d3dimjf.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\d3dimjf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\d3dimjf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\d3dimjf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\d3dimjf.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\d3dimjf.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\d3dimjf.222;DAN\Administrator:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\d3dimjf.222;BUILTIN\Users:RrRaRepX[I]



»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' e USERProcessHandleQuotaZ 8
00001310:h vk x AppInit_DLLs
00001350: ` y ! @~
00001390: @
000013D0: A [
00001410: @~ Q Q ^ _ j 2 1~
00001450:@ I h f i j { C | D ^ O P Q R S T U V W X F G H
00001490: ` a b c d e f g h i j k l m n o p q r s t u v w x y m n O Q
000014D0:e o b p P
00001510: @ A B C D E F G H I J L N P R T
00001550:

---------- NEWWIN.TXT
AppInit_DLLs˙˙˙˙¸
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuotaZ
$01338: AppInit_DLLs
$018A8: English_United
--------------
--------------
LE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DAN
ComSpec=C

d.... 0 Jul 27 19:49 .
d.... 0 Jul 27 19:49 ..
....a 57344 Jul 1 12:42 d3dimjf.222

3 files found occupying 55296 bytes

-------- C:\FINDNFIX\JUNKXXX\D3DIMJF.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 5,734,400 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-27-:4 19:49|D3DIMJF 222 57344 A 07-01-:4 12:42
.. <dir> 07-27-:4 19:49|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...

56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...

C:\FINDnFIX\junkxxx
d3dimjf.222 ACL has 8 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = DAN/Administrator S-1-5-21-566323599-592852699-477176622-500
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001200a9 -R -X
ACL done...


Finished Detecting...

Here is the initial Hijackthis log (prior to this procedure):Logfile of HijackThis v1.97.7
Scan saved at 6:14:52 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Windows\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Windows\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\MsPMSPSv.exe
C:\Documents and Settings\Administrator\Desktop\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7777.8689930556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thanks - and the last step is?

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 28 July 2004 - 09:43 AM

Nearly done! ;)
Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will take less than a second, quickly clean the rest and
will create a zipped copy of the bad file(s) in the same
folder (named as-- junkxxx.zip) and open your email
client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!
*Be sure your active AV email scan is disabled as well!

-When done, restart your computer and
Delete and entire 'FINDnFIX' file+Subfolder(s)
From C:\

Dllcache is hidden folder that contains your system backups!
Set all hidden/protected files as visible in folder options/view in order to find it.
You should normally have a copy of notepad there as well.
If not, copy the one you downloaded.

Re-enable your active AV,
For the remaining problems (if any), run any and all
removal tools once again as they should work properly now!
In particular,
Latest CWShredder.exe and fully updated Ad-Aware!

Reset IE options and home page to defaults, and you should be all set! ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#7 docdanhlh

docdanhlh

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 28 July 2004 - 07:21 PM

Thank you FREEATLAST, I'm aslo now freeatlast of the trojan. I'm planning to send a donation to support this sight - best I've been to for help.

#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 28 July 2004 - 11:02 PM

:thumbsup:
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#9 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 29 July 2004 - 03:32 PM

Glad we could help :D



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button