about:blank


10 replies to this topic

#1 wineguy


Posted 13 June 2004 - 09:20 PM

Please help. I have been struggling with the about:blank hijack for about a month now. I found some good information at www.dslreports.com/forums that has improved my understanding of the bug, but I just can't figure out the final steps to getting rid of the demon.

I have, in the past, downloaded Ad-Aware, Spybot, Spy Sweeper (the webpage protect option helps to keep my homepage stable, but I know the trojan is still there because of slower operating performance and the fact that Ad-Aware picks up countless bugs a day), CWShredder, etc., but just can't seem to kill the thing.

I understand that the trojan has planted a hidden file in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs that causes a new, variable .dll to appear in C:\windows\system32 upon reboot.

I have tried using KillBox to delete the hidden file (in my case called wdmf.dll) upon reboot, but that doesn't seem to work. I can delete the AppInit_DLLs value in Registry Editor, but it just comes back. I have tried to delete the value in RegLite, but it will not delete. Any help would be greatly appreciated.


Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:04:54 PM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\The Cleaner\tca.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [workflo] D:\install\workflow.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thanks again,

Nate
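As an added example, not code from the thread or from the Beta-Fix tool: a read-only PowerShell audit of the AppInit_DLLs load point wineguy describes above. It reads the value (plus the 32-bit view on 64-bit Windows), resolves bare DLL names against System32 the way the loader does, and reports each file's attributes, signature status and SHA-256, marking files that exist but cannot be opened, the symptom the Beta-Fix logs in this thread show as "File read error". It assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt; LoadAppInit_DLLs does not exist on XP.

```powershell
# Added example, not from the thread or from Beta-Fix: read-only audit of the
# AppInit_DLLs load point. Run from an elevated PowerShell 4.0+ session.

# The native key plus the 32-bit view, which exists only on 64-bit Windows.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllReport {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        $raw   = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs was introduced with Vista; on XP the list is always honoured.
        $load  = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { 'n/a (always on)' }

        # An empty value is the clean state. Entries are separated by spaces or commas.
        $entries = @($raw -split '[ ,]+' | Where-Object { $_ -ne '' })
        if ($entries.Count -eq 0) {
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $load; Entry = '(empty)'; Path = $null
                               Exists = $false; Attributes = $null; Signature = $null; Sha256 = $null }
            continue
        }

        foreach ($entry in $entries) {
            # A bare file name (the usual case, e.g. wdmf.dll in this thread) is loaded from System32.
            $path = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $env:SystemRoot ('System32\' + $entry) }
            # -Force so that Hidden/System files are not skipped.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

            $sha = $null; $sig = $null
            if ($item) {
                # A file that is present but cannot be opened is the "File read error" symptom
                # from the Beta-Fix logs: the DLL is mapped into every process that loads user32.
                try   { $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash }
                catch { $sha = 'UNREADABLE (locked?)' }
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            }

            [pscustomobject]@{
                Key              = $key
                LoadAppInit_DLLs = $load
                Entry            = $entry
                Path             = $path
                Exists           = [bool]$item
                Attributes       = if ($item) { $item.Attributes.ToString() } else { $null }
                Signature        = $sig
                Sha256           = $sha
            }
        }
    }
}

# Anything other than an empty value, or a listed DLL that is unsigned, hidden or unreadable,
# deserves a closer look; record the hash before any removal so the file can be submitted for analysis.
Get-AppInitDllReport | Format-List
```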

#2 freeatlast


Posted 13 June 2004 - 11:32 PM

Download and install: >>Beta-Fix.exe (2K/XP only!)<<
From the 'Find-All page' link in my signature.

Run the "LOG.BAT" file, post the results!

#3 wineguy


Posted 14 June 2004 - 11:54 PM

Here you go:

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Locked or 'Suspect' file(s) found...

9:49pm up 0 days, 0:32

C:\WINDOWS\System32\WDMF.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMF.DLL +++ File read error
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The type of the file system is NTFS.
C: is not dirty.


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group NOTEBOOK\None.
User is a member of group \Everyone.
User is a member of group NOTEBOOK\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗Dir 'junkxxx' was created with the following permissions...
(NA=FAT32)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\N8 and E
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: NOTEBOOK\N8 and E

Primary Group: NOTEBOOK\None


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
9:52pm up 0 days, 0:35

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-14-2004 winbackup.hiv
A C:\Beta-Fix\keys\winkey.reg
--a-- - - - - - 632 06-14-2004 winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLsanti└   C
Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuota
AppInit
DLLsanti

**File C:\Beta-Fix\WIN.TXT


Thanks for your help!

#4 wineguy


Posted 15 June 2004 - 08:46 PM

bump

#5 freeatlast


Posted 15 June 2004 - 09:04 PM

Sorry, been busy.
I've made some changes since then.
Delete the C:\Beta-Fix folder and file and download again.
Install the same way and post the log.

I'll check back tomorrow! :)

#6 wineguy


Posted 17 June 2004 - 12:48 AM

It's ok. I really appreciate your help. Here's the log from the new version of beta-fix:


Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

10:42pm up 0 days, 1:49
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\WDMF.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMF.DLL +++ File read error
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
╗╗╗Special 'locked' files scan in 'System32'........
**File C:\Beta-Fix\LIST.TXT
WDMF.DLL Can't Open!

***This list may contain legitimate files!***
╗╗╗LIST OF ALL FILES IN SYSTEM32 WITH 'R;H;S' Attributes:╗╗╗
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

C:\WINDOWS\SYSTEM32\
ctl3dv2.dll Thu Aug 29 2002 5:00:00a A...R 27,200 26.56 K
hlp95en.dll Thu Jun 20 2002 3:22:42a A...R 31,744 31.00 K
hpzidr12.dll Sun Mar 9 2003 1:31:00p A...R 233,528 228.05 K
hpzipr12.dll Sun Mar 9 2003 1:31:02p A...R 167,936 164.00 K
hpzipt12.dll Sun Mar 9 2003 1:31:02p A...R 94,208 92.00 K
hpzisn12.dll Sun Mar 9 2003 1:31:02p A...R 57,344 56.00 K
lfbmp11n.dll Fri Jun 7 2002 3:02:00a A...R 36,864 36.00 K
lfcmp11n.dll Fri Jun 7 2002 3:02:00a A...R 285,184 278.50 K
lfeps11n.dll Fri Jun 7 2002 3:02:00a A...R 31,232 30.50 K
lffax11n.dll Fri Jun 7 2002 3:02:00a A...R 81,408 79.50 K
lfgif11n.dll Fri Jun 7 2002 3:02:00a A...R 41,472 40.50 K
lfpcd11n.dll Fri Jun 7 2002 3:02:00a A...R 26,112 25.50 K
lfpcx11n.dll Fri Jun 7 2002 3:02:00a A...R 33,280 32.50 K
lfpng11n.dll Fri Jun 7 2002 3:02:00a A...R 172,032 168.00 K
lfpsd11n.dll Fri Jun 7 2002 3:02:00a A...R 56,320 55.00 K
lftga11n.dll Fri Jun 7 2002 3:02:00a A...R 27,648 27.00 K
lftif11n.dll Fri Jun 7 2002 3:02:00a A...R 152,064 148.50 K
lfwmf11n.dll Fri Jun 7 2002 3:02:00a A...R 59,392 58.00 K
ltdis11n.dll Fri Jun 7 2002 3:02:00a A...R 262,656 256.50 K
ltfil11n.dll Fri Jun 7 2002 3:02:00a A...R 118,784 116.00 K
ltimg11n.dll Fri Jun 7 2002 3:02:02a A...R 127,488 124.50 K
ltkrn11n.dll Fri Jun 7 2002 3:02:02a A...R 392,192 383.00 K
ltwvc11n.dll Fri Jun 7 2002 3:02:02a A...R 716,288 699.50 K
msls2.dll Thu Jun 20 2002 3:19:12a A...R 91,136 89.00 K
ochlp30e.dll Thu Jun 20 2002 3:19:18a A...R 37,888 37.00 K
pcdlib32.dll Fri Jun 7 2002 3:02:02a A...R 212,480 207.50 K
wdmf.dll Sat May 1 2004 4:13:36p ....R 57,344 56.00 K

27 items found: 27 files, 0 directories.
Total of file sizes: 3,631,224 bytes 3.46 M

No matches found.
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\CTL3DV2.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HLP95EN.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZIDR12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPR12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPT12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZISN12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFBMP11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFCMP11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFEPS11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFFAX11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFGIF11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPCD11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPCX11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPNG11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPSD11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFTGA11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFTIF11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFWMF11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTDIS11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTFIL11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTIMG11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTKRN11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTWVC11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MSLS2.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\OCHLP30E.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\PCDLIB32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WDMF.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\HEWLET~1\HPZSCR07.DLL

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group NOTEBOOK\None.
User is a member of group \Everyone.
User is a member of group NOTEBOOK\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\N8 and E
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: NOTEBOOK\N8 and E

Primary Group: NOTEBOOK\None



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
10:45pm up 0 days, 1:52

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-16-2004 winbackup.hiv
A C:\Beta-Fix\keys1\winkey.reg
--a-- - - - - - 632 06-16-2004 winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLsanti└   C
Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuota
AppInit
DLLsanti

**File C:\Beta-Fix\WIN.TXT


#7 freeatlast


Posted 17 June 2004 - 03:52 AM

Ok..
Open the Beta-Fix\Keys1 subfolder.
Right-click on the "MOVEit.bat" file and select Edit.
Copy and paste this line into the blank file:

move %WinDir%\System32\WDMF.DLL %SystemDrive%\junkxxx\WDMF.DLL

Save the file and close it.

Get ready to restart!
In the same folder, double-click on the "FIX.BAT" file.
You will get an alert of ~20 secs before reboot.
Allow it to reboot!

On restart, open the Beta-Fix main folder and
double-click on the "RESTORE.BAT" file!
It should run and generate a new log!
Post it here! :)

Edited by freeatlast, 17 June 2004 - 03:56 AM.


#8 quattromax


Posted 17 June 2004 - 05:01 AM

Hello, I have the same problem, like wineguy: the page about:blank in my Internet Explorer... also I tried everything to get it out of my computer... HijackThis, CWShredder, Ad-Aware and so on...
I read this from freeatlast and also already downloaded the Beta-Fix program, and now this is the result:

Microsoft Windows 2000 [Version 5.00.2195]
Der Typ des Dateisystems ist NTFS.
C: ist nicht fehlerhaft.

11:42am up 0 days, 0:35
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Locked or 'Suspect' file(s) found...


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
╗╗╗Special 'locked' files scan in 'System32'........
**File C:\Beta-Fix\LIST.TXT

***This list may contain legitimate files!***
╗╗╗LIST OF ALL FILES IN SYSTEM32 WITH 'R;H;S' Attributes:╗╗╗
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

C:\WINNT\SYSTEM32\
a3d.dll Wed 14 Jul 1999 3:20:00 A...R 28.672 28,00 K
ctl3dv2.dll Tue 8 May 2001 14:00:00 A...R 27.200 26,56 K
mfc42d.dll Mon 3 Nov 1997 19:43:54 ....R 1.390.080 1,32 M
mfcd42d.dll Wed 19 Jun 1996 9:02:44 ....R 258.560 252,50 K
mfcn42d.dll Wed 19 Jun 1996 9:02:50 ....R 31.232 30,50 K
mfco42d.dll Wed 19 Jun 1996 9:02:32 ....R 777.728 759,50 K
msvcirtd.dll Fri 14 Jun 1996 20:37:26 ....R 90.624 88,50 K
msvcr40d.dll Mon 19 Feb 1996 17:05:22 ....R 444.928 434,50 K
msvcrtd.dll Wed 17 Jun 1998 18:25:00 ....R 385.100 376,07 K
synsoacc.dll Sun 2 Jun 2002 16:29:48 A...R 73.216 71,50 K

10 items found: 10 files, 0 directories.
Total of file sizes: 3.507.340 bytes 3,34 M

No matches found.
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\A3D.DLL
Sniffed -> C:\WINNT\SYSTEM32\CTL3DV2.DLL
Sniffed -> C:\WINNT\SYSTEM32\MFC42D.DLL
Sniffed -> C:\WINNT\SYSTEM32\MFCD42D.DLL
Sniffed -> C:\WINNT\SYSTEM32\MFCN42D.DLL
Sniffed -> C:\WINNT\SYSTEM32\MFCO42D.DLL
Sniffed -> C:\WINNT\SYSTEM32\MSVCIRTD.DLL
Sniffed -> C:\WINNT\SYSTEM32\MSVCR40D.DLL
Sniffed -> C:\WINNT\SYSTEM32\MSVCRTD.DLL
Sniffed -> C:\WINNT\SYSTEM32\SYNSOACC.DLL

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read VORDEFINIERT\Benutzer
(IO) ALLOW Read VORDEFINIERT\Benutzer
(NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(NI) ALLOW Full access VORDEFINIERT\Administratoren
(IO) ALLOW Full access VORDEFINIERT\Administratoren
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(NI) ALLOW Full access VORDEFINIERT\Administratoren
(IO) ALLOW Full access ERSTELLER-BESITZER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Full access VORDEFINIERT\Benutzer
Full access VORDEFINIERT\Hauptbenutzer
Full access VORDEFINIERT\Administratoren
Full access NT-AUTORITÄT\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group CAD\Kein.
User is a member of group \Jeder.
User is a member of group VORDEFINIERT\Administratoren.
User is a member of group VORDEFINIERT\Benutzer.
User is a member of group \LOKAL.
User is a member of group NT-AUTORITÄT\INTERAKTIV.
User is a member of group NT-AUTORITÄT\Authentifizierte Benutzer.

╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Jeder

Owner: VORDEFINIERT\Administratoren

Primary Group: CAD\Kein



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
11:44am up 0 days, 0:37

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-17-2004 winbackup.hiv
A C:\Beta-Fix\keys1\winkey.reg
--a-- - - - - - 287 06-17-2004 winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
DeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota

**File C:\Beta-Fix\WIN.TXT


How to go on now?? Please help me!

Sorry for my English... I'm German, but the problems may all be the same....

Edited by quattromax, 17 June 2004 - 05:07 AM.


#9 wineguy


Posted 17 June 2004 - 10:59 PM

Thanks again for your help!

Here is the log from restore.bat:


8:56pm up 0 days, 0:01

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

*Locked files...
* result\\?\C:\junkxxx\WDMF.DLL

╗╗╗LIST OF ALL FILES IN SYSTEM32 WITH 'R;H;S' Attributes:╗╗╗
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

C:\WINDOWS\SYSTEM32\
ctl3dv2.dll Thu Aug 29 2002 5:00:00a A...R 27,200 26.56 K
hlp95en.dll Thu Jun 20 2002 3:22:42a A...R 31,744 31.00 K
hpzidr12.dll Sun Mar 9 2003 1:31:00p A...R 233,528 228.05 K
hpzipr12.dll Sun Mar 9 2003 1:31:02p A...R 167,936 164.00 K
hpzipt12.dll Sun Mar 9 2003 1:31:02p A...R 94,208 92.00 K
hpzisn12.dll Sun Mar 9 2003 1:31:02p A...R 57,344 56.00 K
lfbmp11n.dll Fri Jun 7 2002 3:02:00a A...R 36,864 36.00 K
lfcmp11n.dll Fri Jun 7 2002 3:02:00a A...R 285,184 278.50 K
lfeps11n.dll Fri Jun 7 2002 3:02:00a A...R 31,232 30.50 K
lffax11n.dll Fri Jun 7 2002 3:02:00a A...R 81,408 79.50 K
lfgif11n.dll Fri Jun 7 2002 3:02:00a A...R 41,472 40.50 K
lfpcd11n.dll Fri Jun 7 2002 3:02:00a A...R 26,112 25.50 K
lfpcx11n.dll Fri Jun 7 2002 3:02:00a A...R 33,280 32.50 K
lfpng11n.dll Fri Jun 7 2002 3:02:00a A...R 172,032 168.00 K
lfpsd11n.dll Fri Jun 7 2002 3:02:00a A...R 56,320 55.00 K
lftga11n.dll Fri Jun 7 2002 3:02:00a A...R 27,648 27.00 K
lftif11n.dll Fri Jun 7 2002 3:02:00a A...R 152,064 148.50 K
lfwmf11n.dll Fri Jun 7 2002 3:02:00a A...R 59,392 58.00 K
ltdis11n.dll Fri Jun 7 2002 3:02:00a A...R 262,656 256.50 K
ltfil11n.dll Fri Jun 7 2002 3:02:00a A...R 118,784 116.00 K
ltimg11n.dll Fri Jun 7 2002 3:02:02a A...R 127,488 124.50 K
ltkrn11n.dll Fri Jun 7 2002 3:02:02a A...R 392,192 383.00 K
ltwvc11n.dll Fri Jun 7 2002 3:02:02a A...R 716,288 699.50 K
msls2.dll Thu Jun 20 2002 3:19:12a A...R 91,136 89.00 K
ochlp30e.dll Thu Jun 20 2002 3:19:18a A...R 37,888 37.00 K
pcdlib32.dll Fri Jun 7 2002 3:02:02a A...R 212,480 207.50 K

26 items found: 26 files, 0 directories.
Total of file sizes: 3,573,880 bytes 3.41 M

No matches found.
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗ Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\WDMF.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\CTL3DV2.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HLP95EN.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZIDR12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPR12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZIPT12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HPZISN12.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFBMP11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFCMP11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFEPS11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFFAX11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFGIF11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPCD11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPCX11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPNG11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFPSD11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFTGA11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFTIF11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LFWMF11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTDIS11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTFIL11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTIMG11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTKRN11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LTWVC11N.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MSLS2.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\OCHLP30E.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\PCDLIB32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\HEWLET~1\HPZSCR07.DLL


Search text: ŢSTREAMINGDEVICESETUP2Ů «CASE Insensitive Match
Searching ==>C:\JUNKXXX\WDMF.DLL
Run Time(sec) 0
**File C:\JUNKXXX\WDMF.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

move %WinDir%\System32\WDMF.DLL %SystemDrive%\junkxxx\WDMF.DLL-ra-- W32i - - - - 57,344 05-01-2004 wdmf.dll
A R C:\junkxxx\WDMF.DLL
File: <C:\junkxxx\WDMF.DLL>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249





C:\JUNKXXX\
wdmf.dll Sat May 1 2004 4:13:36p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
C:\junkxxx\WDMF.DLL Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

BUILTIN\Administrators:F

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Permissions:
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NOTEBOOK\N8 and E
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: NOTEBOOK\N8 and E

Primary Group: NOTEBOOK\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\WDMF.DLL"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: NOTEBOOK\N8 and E

Primary Group: NOTEBOOK\None


---------- WIN.TXT
AppInit_DLLsanti└   C

---------- NEWWIN.TXT
AppInit_DLLsecteŞ
**File C:\Beta-Fix\NEWWIN.TXT
        ame=đ   vk  Ó   └UDeviceNotSelectedTimeout­   1 5  @  ░ đ   vk  Ç'   zGDIProcessHandleQuota"■­   9 0  ?Ş| Ó   vk  X   ░║Spooler2­   y e s ╚n Ó   vk  Ç   =pswapdisk ░ ° 8 h á đ   vk  (   R┐TransmissionRetryTimeoutđ   vk  Ç'   R USERProcessHandleQuota\ Ó   ░ ° 8 h á đ  ě   vk  Ç   S AppInit_DLLsecteŞ
**File C:\Beta-Fix\NEWWIN.TXT
00001338: 01 00 00 00 01 00 53 00 . 5F 44 4C 4C 73 65 63 74 ......S. _DLLsect
**File C:\Beta-Fix\NEWWIN.TXT
        ame=đ   vk  Ó   └UDeviceNotSelectedTimeout­   1 5  @  ░ đ   vk  Ç'   zGDIProcessHandleQuota"■­   9 0  ?Ş| Ó   vk  X   ░║Spooler2­   y e s ╚n Ó   vk  Ç   =pswapdisk ░ ° 8 h á đ   vk  (   R┐TransmissionRetryTimeoutđ   vk  Ç'   R USERProcessHandleQuota\ Ó   ░ ° 8 h á đ  ě   vk  Ç   S AppInit_DLLsecteŞ
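The ACE table in the dump above, decoded as an added example (this is not code from the thread or from Beta-Fix): a small Python parser for that dump format that turns each access mask into its winnt.h right names and flags Allow entries that grant FILE_EXECUTE without FILE_READ_DATA. The WDMF.DLL rows are copied from the dump; the reading of the Inh. column (t = applies to this object, c = container inherit, o = object inherit) is an assumption inferred from the Flags values next to it.

```python
"""Parse the ACE table of a Windows file-permission dump (the format shown
in the thread) and flag execute-only grants on a file."""
import re
from typing import List, NamedTuple

# Access-mask bits as named in winnt.h (file-specific and standard rights).
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# ACE flag bit (winnt.h): entry exists only to be inherited, never applied here.
INHERIT_ONLY_ACE = 0x08

# Rows copied from the dump above for C:\junkxxx\WDMF.DLL (raw string: the
# backslashes in trustee names are literal).
WDMF_DUMP = r"""
File "C:\junkxxx\WDMF.DLL"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
"""


class Ace(NamedTuple):
    ace_type: str   # "Allow" or "Deny"
    flags: int      # ACE flags (inheritance bits)
    mask: int       # access mask
    trustee: str    # account or group the entry applies to


# One table row: Type, Flags (hex), Inh., Mask (hex), Gen., Std., File, trustee.
ROW_RE = re.compile(
    r"^(Allow|Deny)\s+([0-9A-Fa-f]{8})\s+\S{4}\s+([0-9A-Fa-f]{8})"
    r"\s+\S{4}\s+\S{4}\s+\S{4}\s+(.+?)\s*$"
)


def parse_aces(dump: str) -> List[Ace]:
    """Extract the ACE rows from a permission dump; header and owner lines are skipped."""
    aces = []
    for line in dump.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            aces.append(Ace(m.group(1), int(m.group(2), 16), int(m.group(3), 16), m.group(4)))
    return aces


def decode_mask(mask: int) -> List[str]:
    """Name every set bit of an access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def execute_only_grants(aces: List[Ace]) -> List[Ace]:
    """Allow entries that apply to this object and grant FILE_EXECUTE but no
    form of read access (FILE_READ_DATA, GENERIC_READ or GENERIC_ALL)."""
    read_bits = 0x00000001 | 0x80000000 | 0x10000000
    return [
        ace for ace in aces
        if ace.ace_type == "Allow"
        and not ace.flags & INHERIT_ONLY_ACE
        and ace.mask & 0x00000020
        and not ace.mask & read_bits
    ]


if __name__ == "__main__":
    aces = parse_aces(WDMF_DUMP)
    for ace in aces:
        print(f"{ace.ace_type:5} {ace.trustee:28} {', '.join(decode_mask(ace.mask))}")
    for ace in execute_only_grants(aces):
        print(f"execute-only grant for {ace.trustee}: loadable, not readable")
```

The Everyone entry decodes to SYNCHRONIZE plus FILE_EXECUTE and nothing else: enough for the loader to map the DLL when AppInit_DLLs names it, not enough for a scanner running as a non-administrator to open it for reading. Its Flags value of 00000000 also shows the entry was set on the file itself rather than inherited from the directory, which is consistent with the directory's own table above, where Users and Everyone get the normal read-and-execute mask 001200A9.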

#10 freeatlast

freeatlast

    Explorer

  • Retired Staff
  • 833 posts

Posted 17 June 2004 - 11:57 PM

Wonderful progress, 'wineguy'! :thumbsup:

Last step, open the Beta-Fix\Files2 subfolder!
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses!

When done, delete the entire Beta-Fix file + folder(s)
and check if the C:\junkxxx folder is deleted as
well; otherwise delete it (I don't remember if
your version moved it as well, since I have updated since).

As for the remains, run any and all
removal tools once again as they should work properly now!
In particular, CWShredder and fully updated Ad-Aware!
Feel free to post follow up hijackthis log when done! :)
- - - - - - - - - - - -- - - - - - - - - - - -- - - - - - - - - - - -- - - - - - - - - - - -- - - - - - -

*Note to 'quattromax' above...
Your log doesn't expose any signs of the same infection.
I'm not certain if that's because you're running a
non-English version of Windows or what the actual status is.
As opposed to 'jumping in' to someone else's thread, read
the FAQs above, start your own topic and post your HijackThis log.

#11 wineguy

wineguy

    Member

  • Full Member
  • 6 posts

Posted 20 June 2004 - 06:32 PM

Hallelujah and thank you so much. It appears to be gone and performance on my computer has improved 200%. Here is my follow-up HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 4:30:35 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baronesswines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [workflo] D:\install\workflow.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thank you once again. I could not have figured this out without you.



