SearchX Got Me, Help Me, I did some steps

4 replies to this topic

#1 rlemdl (New Member)

Posted 10 June 2004 - 12:19 AM

Hi, I'm not that much of a newbie; I've already started the steps on getting rid of this nuisance. In fact I have this pest cornered, all I have to do is finish him off. OK, here's what I've done: I ran the "Find-All" prog and my output was this:

"--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Thu Jun 10 00:03:12 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
'Find-All' is running from Drive:
C: "" (C8B5:BE6E) - FS:NTFS clusters:512
Total: 24 182 290 432 [23G] - Free: 1 856 136 192 [1.7G]


»»IE version and Service packs:
5.0.2920.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 5.0.2920.0 shp 60,688 12-07-1999 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP4;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 06-19-2003 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 946,960 03-17-2003 msjava.dll

»»NotePad(s) version(s):
5.0.2140.1 C:\WINNT\notepad.exe
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
5.0.2140.1 C:\WINNT\System32\notepad.exe
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe

»» Regedit* version(s):
5.0.2195.6707 C:\WINNT\regedit.exe
--a-- W32i APP ENU 5.0.2195.6707 shp 73,488 06-19-2003 regedit.exe
5.0.2195.6605 C:\WINNT\System32\regedt32.exe
--a-- W32i APP ENU 5.0.2195.6605 shp 139,536 06-19-2003 regedt32.exe


»»PC uptime:
0:03am up 0 days, 6:08

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\WDMGI.DLL +++ File read error
\\?\C:\WINNT\System32\WDMGI.DLL +++ File read error

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Tasks (services):
0 System Process
8 System
144 SMSS.EXE
172 CSRSS.EXE Title:
192 WINLOGON.EXE Title: NetDDE Agent
228 SERVICES.EXE Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi
240 LSASS.EXE Svcs: PolicyAgent,SamSs
364 ati2evxx.exe Svcs: Ati HotKey Poller
468 svchost.exe Svcs: RpcSs
496 LEXBCES.EXE Svcs: LexBceS
532 spoolsv.exe Svcs: Spooler
568 LEXPPS.EXE Title:
672 avgserv.exe Svcs: AvgServ
692 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
748 regsvc.exe Svcs: RemoteRegistry
804 mstask.exe Svcs: Schedule
796 vsmon.exe Svcs: vsmon
900 WinMgmt.exe Svcs: WinMgmt
916 svchost.exe Svcs: wuauserv
1168 ati2evxx.exe Title: ATI video bios poller client
1212 explorer.exe Title: Program Manager
988 atiptaxx.exe Title: ATI Tray Icon Application
1328 rundll32.exe Title: Gamesurround Fortissimo II
1248 evntsvc.exe Title: Notification Wnd for RNAdmin
1264 avgcc32.exe Title:
1096 zlclient.exe Title: PermissionDlg
1356 PwpUpdtr.exe
1400 ATIX10.exe Title: ATIX10
1428 AtiSched.exe Title: ATI Scheduler
1456 PSFree.exe Title:
1472 SpySweeper.exe Title: Spysweeper
1544 rundll32.exe Title: XIF
1564 BSTrayicon.exe Title:
1584 JoyAct.exe Title: JoyAct
1016 WarpSpdr.exe Title: WarpSpeeder
284 systemie.exe Title: SYSTEMIE
1808 aim.exe Title: Adam N Rolemodel's Buddy List Window
1760 systemie.exe
1960 IEXPLORE.EXE Title: SWI Forums -> Hijacked by SearchX - Microsoft Internet Explorer
1908 CMD.EXE Title: Select C:\WINNT\system32\cmd.exe
1840 NTVDM.EXE
1404 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0716F044-D355-4FD5-A1C1-4323AAF24FE1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{6DA76B3C-E0CB-4062-8F89-136CBD30E4D5}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{6DA76B3C-E0CB-4062-8F89-136CBD30E4D5}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"systemie"="{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 4024

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINNT\system32\userinit.exe,

5.0.2195.6612 C:\WINNT\System32\userinit.exe
--a-- W32i APP ENU 5.0.2195.6612 shp 17,680 06-19-2003 userinit.exe

»»Group/user settings:


User: [SEWANHAK-A7W1YP\Administrator], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group SEWANHAK-A7W1YP\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»ACLs list:
C:\junkxxx Everyone:(OI)(CI)F

ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINNT\System32\Drivers\etc\hosts
-r--- - - - - - 20 02-01-2004 hosts
------
»»Rehash:

»Strings found:

Thu Jun 10 00:03:34 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-10-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-10-2004 findallappinit.reg
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\Fileslist\copyhosts.txt
A C:\Find-All\Find-All\Fileslist\drivers.txt
A C:\Find-All\Find-All\Fileslist\modules.txt
A C:\Find-All\Find-All\Fileslist\services.txt
A C:\Find-All\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

"


The pesky DLL, I believe, is WDMGI.DLL.
I put it in the Junk folder and it's in there. I used KillBox but it couldn't finish this pest off, so I ran HijackThis and it gave me this log:


Logfile of HijackThis v1.97.7
Scan saved at 1:15:01 AM, on 6/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\TMobile\PwpUpdtr.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WarpSpeeder\WarpSpeeder\Bstrayicon.exe
C:\Program Files\InterAct\Gaming Devices\JoyAct.exe
C:\Program Files\WarpSpeeder\WarpSpeeder\WarpSpdr.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\2fast2furious\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {C2558B99-2B80-4A7D-9B06-CE2032D61341} - C:\WINNT\system32\blikg.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp2\Winampa.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [disbht] C:\WINNT\system32\dguajkfa.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [TeamOnPwpUpdater-TMPwpCli] "C:\Program Files\TMobile\PwpUpdtr.exe" TMPwpCli
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: InterAct Profile Activator.lnk = C:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MediaKey.lnk = C:\Program Files\MediaKey\Versato.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WarpSpeeder Tray.lnk = C:\Program Files\WarpSpeeder\WarpSpeeder\Bstrayicon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {50D05FAC-D462-4795-8818-738FCF776FBC} (TMobile PwpClient DwnLdr Class) - https://myemail.t-mo...e-PwpClient.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553552000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://myemail.t-mo...ools/msxml3.cab

I've made the file that I think I should delete bold, but I am here to ask you how to delete the stupid DLL file and what other files in the HijackThis text I should delete aside from the AboutBlank thing. I wanna make sure I knock this piece of sh!t out for good.

thanks

Edited by rlemdl, 10 June 2004 - 12:21 AM.
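The HijackThis log in the post above can be triaged mechanically rather than line by line. The script below is an added example, not code from the thread, from HijackThis or from the SWI forum: it parses the `R0`/`R1`/`O2`/`O6` entry lines, collects the search-page values that have been pointed at a `res://` resource inside a DLL (the lines HijackThis marks "(obfuscated)"), correlates them with any `O2` BHO that loads the same DLL, and notes whether an `O6` IE restrictions policy is present. The sample log is constructed from entries posted above; the regexes and the field layout they assume (`section - detail`, BHO detail split on ` - `) are this example's own.

```python
"""Triage a HijackThis log for search-hijack indicators.

Added example: not part of the forum thread and not HijackThis code. The
sample log is constructed from entries in the thread; the parsing rules are
this example's assumptions about the HijackThis 1.97 line layout.
"""
import re

# 'R1 - <detail>' or 'O2 - <detail>' entry lines.
ENTRY = re.compile(r"^(R[0-3]|O\d+)\s+-\s+(.*)$")
# A search page served from inside a DLL: res://C:\path\file.dll/page.html
RES_DLL = re.compile(r"res://([^/\s]+\.dll)", re.IGNORECASE)


def parse_hjt(log):
    """Return [(section, detail)] for every HijackThis entry line in the log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log):
    """Correlate res:// search hijacks, the BHOs backing them, and IE policy locks."""
    entries = parse_hjt(log)

    # 1. R0/R1 values whose target is a resource inside a DLL. Key: DLL path
    #    (lowercased), value: the registry values it has captured.
    hijack_dlls = {}
    for section, detail in entries:
        if section.startswith("R"):
            m = RES_DLL.search(detail)
            if m:
                value_name = detail.split(" = ", 1)[0]
                hijack_dlls.setdefault(m.group(1).lower(), []).append(value_name)

    # 2. O2 BHOs that load one of those DLLs: the same component has a second
    #    foothold, so removing the R values alone will not hold.
    linked_bhos = []
    for section, detail in entries:
        if section == "O2":
            parts = [p.strip() for p in detail.split(" - ")]
            if len(parts) >= 3 and parts[-1].lower() in hijack_dlls:
                linked_bhos.append((parts[1], parts[-1]))

    # 3. O6: a Policies\...\Internet Explorer\Restrictions key, which can keep
    #    the user from changing the settings back through the IE options UI.
    restrictions = any(section == "O6" for section, _ in entries)

    return {"hijack_dlls": hijack_dlls,
            "linked_bhos": linked_bhos,
            "ie_restrictions_policy": restrictions}


# Constructed sample: a subset of the entries posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\blikg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {C2558B99-2B80-4A7D-9B06-CE2032D61341} - C:\WINNT\system32\blikg.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dll, values in result["hijack_dlls"].items():
        print(f"{dll} serves {len(values)} hijacked search value(s)")
    for clsid, path in result["linked_bhos"]:
        print(f"BHO {clsid} loads the same DLL: {path}")
    print("IE restrictions policy present:", result["ie_restrictions_policy"])
```

On the sample, the one DLL behind all six `res://` values is also the third BHO, which is the practical point of the correlation: the `R` lines, the `O2` line and the file on disk are one hijacker and need to go together.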


#2 freeatlast (Retired Staff)

Posted 10 June 2004 - 12:58 AM

Hello there! :D

Since you started on your own, we need to figure out where we stand!

That file should be nowhere else but in this location:

C:\junkxxx\WDMGI.DLL

Since I don't see it there, and have no idea what you did, let's start over!

Here are the required steps; skip the ones already performed:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/Run and type:
regedit
The registry should open with the Windows subfolder highlighted.
(*Compare and be sure the path on the status bar is the same as indicated above!)

--Right-click on the Windows subfolder and rename Windows as Windows1.

--Locate the "AppInit_DLLs" value in the right pane, right-click it and select 'delete'.

--Select Windows1 in the left pane again and rename it back to its original name, Windows.

--Use regedit's top menu View->Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

--Close regedit, *restart the computer!

--Navigate to the System32 folder, search for the System32\WDMGI.DLL file, highlight it and use the folder's top menu option "Edit-> Move to folder...". Browse to and select the C:\junkxxx folder (it was created during the first 'Find-All' run) and 'OK' it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NEXT-- You have a virus identified in your Find-All log:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"systemie"="{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}" :alarm:

Open the Find-All\Tools subfolder and run the 'RegSrch.vbs' file.
Copy and paste this:
{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}
as the string to search. It will run for a while and generate a report!
Post it here, along with a fresh 'Find-All.Cmd' log!

#3 rlemdl (New Member)

Posted 10 June 2004 - 01:39 AM

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "2A381B65-7819-4979-B9CD-5E67EEE7B4C8" 6/10/2004 2:26:56 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"systemie"="{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}"



My new Find-All info is as follows:


--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Thu Jun 10 02:43:39 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
'Find-All' is running from Drive:
C: "" (C8B5:BE6E) - FS:NTFS clusters:512
Total: 24 182 290 432 [23G] - Free: 1 835 812 352 [1.7G]


»»IE version and Service packs:
5.0.2920.0 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 5.0.2920.0 shp 60,688 12-07-1999 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP4;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 06-19-2003 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 946,960 03-17-2003 msjava.dll

»»NotePad(s) version(s):
5.0.2140.1 C:\WINNT\notepad.exe
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe
5.0.2140.1 C:\WINNT\System32\notepad.exe
--a-- W32i APP ENU 5.0.2140.1 shp 50,960 12-07-1999 notepad.exe

»» Regedit* version(s):
5.0.2195.6707 C:\WINNT\regedit.exe
--a-- W32i APP ENU 5.0.2195.6707 shp 73,488 06-19-2003 regedit.exe
5.0.2195.6605 C:\WINNT\System32\regedt32.exe
--a-- W32i APP ENU 5.0.2195.6605 shp 139,536 06-19-2003 regedt32.exe


»»PC uptime:
2:43am up 0 days, 0:22

»»Locked or 'Suspect' file(s) found...
\\?\C:\junkxxx\WDMGI.DLL +++ File read error

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Tasks (services):
0 System Process
8 System
144 SMSS.EXE
172 CSRSS.EXE Title:
192 WINLOGON.EXE Title: NetDDE Agent
220 SERVICES.EXE Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi
232 LSASS.EXE Svcs: PolicyAgent,SamSs
344 ati2evxx.exe Svcs: Ati HotKey Poller
440 svchost.exe Svcs: RpcSs
468 LEXBCES.EXE Svcs: LexBceS
496 spoolsv.exe Svcs: Spooler
532 LEXPPS.EXE Title:
620 avgserv.exe Svcs: AvgServ
640 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
692 regsvc.exe Svcs: RemoteRegistry
716 mstask.exe Svcs: Schedule
804 vsmon.exe Svcs: vsmon
824 WinMgmt.exe Svcs: WinMgmt
840 svchost.exe Svcs: wuauserv
1028 ati2evxx.exe Title: ATI video bios poller client
1044 explorer.exe Title: Program Manager
940 atiptaxx.exe Title: ATI Tray Icon Application
744 rundll32.exe Title: Gamesurround Fortissimo II
1056 systemie.exe Title: SYSTEMIE
1060 evntsvc.exe Title: Notification Wnd for RNAdmin
1236 avgcc32.exe Title:
1260 zlclient.exe Title: ViolationDlg
1280 PwpUpdtr.exe
1292 ATIX10.exe Title: ATIX10
1300 AtiSched.exe Title: ATI Scheduler
1332 PSFree.exe Title:
1356 SpySweeper.exe Title:
1408 rundll32.exe Title: XIF
1244 BSTrayicon.exe Title:
1468 WarpSpdr.exe Title: WarpSpeeder
508 IEXPLORE.EXE Title: SWI Forums -> Replying in SearchX Got Me, Help Me, I did some steps - Microsoft Internet Explorer
1020 CMD.EXE Title: C:\WINNT\system32\cmd.exe
1480 NTVDM.EXE
1184 IEXPLORE.EXE Title: Micro Center Online Compare Search Results - Microsoft Internet Explorer
1568 IEXPLORE.EXE Title:
1572 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2558B99-2B80-4A7D-9B06-CE2032D61341}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{FE5A5766-DD75-46D3-B8F2-7BB865A7AE7A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{FE5A5766-DD75-46D3-B8F2-7BB865A7AE7A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"systemie"="{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 4024

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINNT\system32\userinit.exe,

5.0.2195.6612 C:\WINNT\System32\userinit.exe
--a-- W32i APP ENU 5.0.2195.6612 shp 17,680 06-19-2003 userinit.exe

»»Group/user settings:


User: [SEWANHAK-A7W1YP\Administrator], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group SEWANHAK-A7W1YP\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»ACLs list:
C:\Junkxxx Everyone:(OI)(CI)F

C:\junkxxx\WDMGI.DLL Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE



»»File(s) in 'junkxxx' folder:
-ra-- - - - - - 57,344 06-04-2004 wdmgi.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

md5sums: Unable to open WDMGI.DLL

0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINNT\System32\Drivers\etc\hosts
-r--- - - - - - 25 06-10-2004 hosts
------
»»Rehash:
File: <C:\junkxxx\WDMGI.DLL>




»Strings found:

Thu Jun 10 02:43:47 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-10-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-10-2004 findallappinit.reg
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\Fileslist\copyhosts.txt
A C:\Find-All\Find-All\Fileslist\drivers.txt
A C:\Find-All\Find-All\Fileslist\modules.txt
A C:\Find-All\Find-All\Fileslist\services.txt
A C:\Find-All\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows




Thanks

#4 freeatlast (Retired Staff)

Posted 10 June 2004 - 01:52 AM

Ok...

We can wrap up the hijacker following these steps:

Lastly,

Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security back to defaults
*Reset permissions on the moved junkxxx\*.dll file
*Create a zipped copy in the same folder: "junkxxx.zip"
*Open your email client with the given addresses for submission!

--Drag the 'junkxxx.zip' and submit the attachment to the specified addresses, thanks!

When done, delete the "junkxxx.zip" as well as the "junkxxx" folder in C:\ and the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker downloaded!
Run these tools, have them fix all problems:
*Ad-Aware 6 Build 181:
http://www.lavasoftu...ftware/adaware/

*Latest reference file:
http://www.lavasofts...showtopic=28310

*How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp....scan/index.html

*Run and -> fix:
http://www.spywarein.../CWShredder.exe

Feel free to post a follow-up HijackThis log when done!
Good luck

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As for your virus:
Copy and paste the contents of this quote box into a new text file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"systemie"=-

Save the file as... (*change to "all files" in types) fix.reg
Double-click on the fix.reg file, answer 'yes' to the prompt!

Restart the computer, then find and delete:
systemie.exe
systemie.dat
sysie.dll
systemie.dll

Details:
http://www.pestpatro.../s/systemie.asp


In HijackThis, fix (checked) if still left:
*O4 - HKLM\..\Run: [disbht] C:\WINNT\system32\dguajkfa.exe
*O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

Reboot and delete:
C:\WINNT\system32\dguajkfa.exe
Program Files\CasinoOnline folder

Edited by freeatlast, 10 June 2004 - 01:58 AM.

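Two things in this thread lend themselves to a small checker: freeatlast's reading of the Find-All log in post #2 (three stock ShellServiceObjectDelayLoad entries plus one unknown CLSID, and a 'Windows' key whose size matches neither of the stock sizes Find-All prints in its header) and the fix.reg in post #4, whose `[-KEY]` and `"name"=-` lines are REGEDIT4 deletion syntax. The script below is an added example, not code from the thread, from Find-All or from HijackThis: it parses REGEDIT4 text (including the deletion forms), audits the SSODL key against a baseline and the 'Windows' key against Find-All's size heuristic, and dry-runs a fix file by listing what it would delete before anyone double-clicks it. The sample dump and fix text are constructed from values in the thread; the baseline CLSID set and the size thresholds (450 default, 398 with no AppInit_DLLs, anything else suspect) are this example's assumptions taken from the Find-All header line.

```python
"""Audit a Find-All style REGEDIT4 dump and dry-run a fix.reg.

Added example: not the thread's own tooling, not Find-All, not HijackThis.
Sample text is constructed from the thread; the baseline and the size
thresholds are assumptions derived from Find-All's header line
'Default-450;No'AppInit'-398;*Fake-~448+!'.
"""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")

# Assumed known-good SSODL CLSIDs: the three stock entries visible in the log.
BASELINE_SSODL = {
    "{7007ACCF-3202-11D1-AAD2-00805FC1270E}",  # Network.ConnectionTray
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",  # WebCheck
    "{35CEC8A3-2BE6-11D2-8773-92E220524153}",  # SysTray
}


def parse_regedit4(text):
    """Parse REGEDIT4 text into {key: {value_name: data}}.

    Deletion syntax is kept so a fix file can be inspected: a key written as
    [-KEY] maps to None, and a value written as "name"=- maps to None.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                current, keys[body[1:]] = None, None  # whole-key deletion
            else:
                current = body
                keys.setdefault(current, {})
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            keys[current][name] = None if data == "-" else data.strip().strip('"')
    return keys


def key_size_verdict(size):
    """Interpret Find-All's 'Size of Windows key' line (assumed thresholds)."""
    if size in (450, 398):   # stock key, with or without an empty AppInit_DLLs
        return None
    return (f"'Windows' key size {size} matches neither stock size (450/398); "
            "Find-All flags ~448+ as a faked key, so AppInit_DLLs needs a manual look")


def audit(dump_text, windows_key_size):
    """Return findings for a Find-All style dump plus the reported key size."""
    keys = parse_regedit4(dump_text)
    findings = []
    appinit = (keys.get(WINDOWS_KEY) or {}).get("AppInit_DLLs")
    if appinit:
        findings.append(f"AppInit_DLLs is non-empty: {appinit}")
    verdict = key_size_verdict(windows_key_size)
    if verdict:
        findings.append(verdict)
    for name, clsid in (keys.get(SSODL_KEY) or {}).items():
        if clsid and clsid.upper() not in BASELINE_SSODL:
            findings.append(f"SSODL entry '{name}' -> {clsid} is not in the baseline")
    return findings


def describe_fix(reg_text):
    """Dry-run: list what applying a REGEDIT4 fix file would delete."""
    actions = []
    for key, values in parse_regedit4(reg_text).items():
        if values is None:
            actions.append(f"delete key {key}")
        else:
            for name, data in values.items():
                if data is None:
                    actions.append(f"delete value '{name}' under {key}")
    return actions


# Constructed sample dump: the two key exports from the first Find-All log.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"systemie"="{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}"
"""

# Constructed sample fix: the fix.reg posted in this thread.
SAMPLE_FIX = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A381B65-7819-4979-B9CD-5E67EEE7B4C8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"systemie"=-
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, 448):      # 448 is the size in the first log
        print("FINDING:", finding)
    for action in describe_fix(SAMPLE_FIX):
        print("FIX WOULD:", action)
```

Run against the first log's values (size 448) the audit reports the key-size mismatch and the `systemie` entry; against the second log (size 398, AppInit_DLLs gone) only the SSODL entry remains, which is exactly the state post #4's fix.reg addresses. Reading a .reg file through `describe_fix` first is a cheap habit: a `[-KEY]` line deletes an entire subtree, so it is worth confirming the key path before merging.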

#5 rlemdl (New Member)

Posted 10 June 2004 - 04:09 AM

Thanks a lot for the help, freeatlast, I really appreciate it. It's gone so far. I owe you big time. If you need anything, email me at nyry30@yahoo.com and I'll see if I could be of some help. Once again, thanks a lot!

sincerely,

alan



