Unusual About:Blank Hijack


15 replies to this topic

#1 goblank (Full Member, 10 posts)

Posted 14 June 2004 - 11:33 PM

I normally have my home page set to about:blank and this is the page that has been hijacked. When I open IE, the URL displays about:blank as usual, but the page is titled "Search for..." There are no identifying markings at all on the page that might identify the hijack(er).

CWShredder (and occasionally, Ad-Aware and Spybot S&D) provides a temporary fix, but the hijack recurs at unpredictable, irregular intervals; sometimes after restart, sometimes before restart, sometimes after a week without recurring. CWShredder no longer consistently restores the about:blank page, but when I run it, the item that shows up as "removed" is CWS.Searchx

I was tolerating the hijacked page as it didn't seem to do much else, but then today, I was browsing amazon.com or ebay or something and a link to an item opened a porn site, after working properly only moments earlier. After clicking the back button, the same link worked properly again (no porn). This happened again later in the day with a different link, so I've concluded something is wrong now beyond the hijack.

At one point, the recurring hijacker was accompanied by pop-up ads, but this lasted only a day or two, that was fixed I believe by Trojan Hunter.

There is also a Casino program that I think may still be in registry to run on startup, though I think I've gotten rid of the program itself.

Hijack This doesn't seem to turn up anything except the R1 and R3 which I've tried repeatedly to fix, but which remain on the list whenever I scan.

Hijack This Log:
Logfile of HijackThis v1.97.7
Scan saved at 12:03:58 AM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\SECURI~1\softwin\BITDEF~1\bdmcon.exe
C:\security programs\softwin\bitdefender free edition\bdnagent.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\notepad.exe
C:\Security Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Security Programs\SpybotSD\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BDMCon] c:\SECURI~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\security programs\softwin\bitdefender free edition\bdnagent.exe
O4 - HKLM\..\Run: [Winsonar] C:\Security\Winsonar\winsonar.exe
O4 - HKLM\..\Run: [THGuard] "C:\Security Programs\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by goblank, 17 June 2004 - 01:34 AM.


#2 goblank (Full Member, 10 posts)

Posted 16 June 2004 - 12:32 AM

Just posting to move this back up in the queue.

#3 goblank (Full Member, 10 posts)

Posted 17 June 2004 - 01:37 AM

After a 48 hour hiatus, the hijack recurred again, this time with pop-ups. The pop-ups only come when I open a new browser window, and they usually warn me of spyware on my computer.

#4 goblank (Full Member, 10 posts)

Posted 17 June 2004 - 04:21 PM

I revised the original post yesterday for clarity and removed the source file, which took up a lot of space and might not have been any help anyway.

Additional info:

Current situation is that it's recurring more frequently and also the porn sites still open every now and then when I'm on websites like Amazon.com and Zappos.com

Every time I try to search a flight on the Air Greenland website, it happens as well.

The problem seemed to get much worse a couple days ago, and I saw an unfamiliar process running, so I ran a search of newly created files and found three suspicious files:

RS.EXE-130CD96B.pf
WUR.EXE-33D4508F.pf
TTUH.EXE-261AD241.pf

The ttuh.exe was running as a process, but I hadn't seen it before.

I don't know if that helps at all.

Edited by goblank, 19 June 2004 - 07:56 PM.


#5 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 19 June 2004 - 10:12 PM

Download the following: (freeware)
'Find-All.zip' from:
http://www10.brinkst...last/pvtool.htm

Unzip 'Find-All.zip' to its own folder.


Open the Find-All folder and double click on Find-All.cmd
IMPORTANT!: Before you run this tool please close ALL running programs and ALL Windows except Find-All.

Answer the alerts then sit back and wait a few minutes while the program collects the necessary information.

*Note: If your Antivirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the Find-All folder.
1. Post the contents of Output.txt in this thread.
2. Attach file Windows.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the windows.txt file in this thread)
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear

#6 goblank (Full Member, 10 posts)

Posted 20 June 2004 - 01:14 AM

There doesn't seem to be a way to attach the file (sorry), so the content of the windows.txt file is posted beneath the content of the output.txt file.

Another strange thing happened earlier today, which might not be related, but I'll mention it anyway just in case it is. Notepad.exe couldn't be found in its c:\windows location and so notepad documents wouldn't open. I went and found notepad.exe in the i386 folder and copied it to the windows folder, but it still didn't work. Then I saw that there was a notepad.exe.bak file in the windows folder and I removed the .bak extension and then everything ran fine again. Any idea what could have caused this?

OUTPUT:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *10.1 -6/10 @@@***==--

»»»»»»Find-All recent updates:»»»»»»
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep receiving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view »»Group/user section)


Sun Jun 20 02:00:05 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (90EC:5541) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 14 308 392 960 [13G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-19-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
2:00am up 0 days, 0:10

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\KBD.DLL +++ File read error
\\?\C:\WINDOWS\System32\KBD.DLL +++ File read error

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Tasks (services):
0 System Process
4 System
392 SMSS.EXE
608 CSRSS.EXE Title:
632 WINLOGON.EXE Title: NetDDE Agent
676 SERVICES.EXE Svcs: Eventlog,PlugPlay
688 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
852 SVCHOST.EXE Svcs: RpcSs
896 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w32time,winmgm
1056 SVCHOST.EXE Svcs: Dnscache
1068 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1436 SPOOLSV.EXE Svcs: Spooler
1556 mcvsrte.exe Svcs: MCVSRte
1668 xcommsvr.exe Svcs: XCOMM
1748 bdss.exe Svcs: bdss
160 McShield.exe Svcs: McShield
532 explorer.exe Title: Program Manager
932 hkcmd.exe Title:
968 DSentry.exe Title: DVDSentry
980 mm_tray.exe Title: Music Match Tray Applet
940 mcagent.exe Title: McAgent_Main_Hidden_Window
1080 Directcd.exe Title: DirectCD
1128 mcvsshld.exe Title: ##VSO###MCVSSHLD##
1148 bdmcon.exe Title:
1160 bdnagent.exe
1168 THGuard.exe Title:
1180 jusched.exe Title: OleMainThreadWndName
1204 wcescomm.exe Title: DccMan
1248 AIRPLUS.exe Title: TI Wireless LAN Monitor
1296 DLG.exe Title: Digital Line Detect
132 wuauclt.exe Title: Auto Update Client Window
3748 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
1944 NTVDM.EXE
2548 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 504

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5626

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\System32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [SVIDD\Svidd], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group SVIDD\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
SVIDD\Svidd:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
C:\WINDOWS\System32\Drivers\etc\hosts
----- - - - - - 163,921 06-19-2004 hosts
------
»»Rehash:

»Strings found:

Sun Jun 20 02:00:19 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-20-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-20-2004 findallappinit.reg
A C:\SECURI~1\Find-All\Find-All\winBackup.hiv
A C:\SECURI~1\Find-All\Find-All\Fileslist\copyhosts.txt
A C:\SECURI~1\Find-All\Find-All\Fileslist\drivers.txt
A C:\SECURI~1\Find-All\Find-All\Fileslist\modules.txt
A C:\SECURI~1\Find-All\Find-All\Fileslist\services.txt
A C:\SECURI~1\Find-All\Find-All\Fileslist\windows.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



WINDOWS.TXT:
(Raw binary export of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key; the bytes are not reproduced here. The readable strings in it are the value names AppInit_DLLs, DeviceNotSelectedTimeout, GDIProcessHandleQuota, Spooler, swapdisk, TransmissionRetryTimeout and USERProcessHandleQuota, and the data of AppInit_DLLs reads, as UTF-16, c:\windows\system32\kbd.dll.)

#7 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 20 June 2004 - 01:55 AM

=== Unlock and Show Hidden dll ===
Download the following: (freeware)
'Salamand.zip' from:
http://www10.brinkst...last/pvtool.htm

Download 'Registrar Lite' from here:
http://www.resplendence.com/reglite

Download the attached 'FixReg.zip'

Unzip 'Salamand.zip' to its own folder.

Install 'Registrar Lite'.

Unzip 'FixReg.zip' to the Desktop.

Now we are going to get rid of the hidden DLL that is causing all the problems.

First we need to make it visible:
Copy and paste this line to reglite's address bar. Then press 'Go':
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Rename the Folder Windows to NotWindows
(the folder is highlighted as a purple folder in the left hand pane of Reglite)

Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\KBD.DLL < -- delete this line ,
'Apply' and 'ok' to set.

Rename the NotWindows folder back to its original name Windows

Restart your computer.


=== Locate, Move, and Delete Hidden dll ===
Run Salamand.exe.

Using the Menu Items at the top, do the following:
(wherever 'enter' is used, you may cut and paste the bold faced text instead)
a. Left --> Change Drive --> select 'C:'
b. Right --> Change Drive --> select 'C:'
c. Commands --> Create Directory --> enter junk --> press 'OK'
d. Options --> Command Line (be sure it is checked)
e. Commands --> Change Directory --> enter C:\windows\system32 --> press 'OK'
f. Commands --> Find Files… --> press 'Edit'; in 'Search For' enter KBD.DLL, Uncheck 'Include subdirectories', press 'OK', press 'Start'; the file will be listed in the lower pane.
g. Press 'Focus'
h. Files --> Move/Rename --> enter c:\junk, press 'OK'
i. Left --> Change Drive --> select 'C:'

Into the narrow command window at the bottom (starts with 'c:\>')
Copy and paste the following command, then press 'Enter'

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f
(you should get 'Processed…' confirmation message)

Copy and paste the following command, then press 'Enter'
attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111
(there should be no confirmation message)

In the left pane:
a. Click on the 'junk' folder
b. Files --> Delete, press 'Yes'


Open the 'FixReg' folder.
Double Click on the 'FixReg.bat' file.
Post the 'last.txt' to this thread.

Open the 'Find-All' folder
Double Click on 'Find-All.bat'
Post the 'output.txt' in this thread.


=== Clean Remaining Infection ===
Please Download CoolWebShredder, from
http://www.merijn.or.../cwshredder.zip
http://www.zerosreal.../CWShredder.zip

Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.

Next:
Download the latest version of Ad-Aware at
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp....dref/index.html

Select 'custom options'.
Select your drive, scan and fix all it finds.

Last:
Post a new HiJackThis log in this thread.


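Added example (editor's code, not from the thread and not part of Find-All or Registrar Lite). The Find-All output in post #6 shows reg.exe reporting "AppInit_DLLs"="" while the raw hive export (windows.txt) carries that value name with the data c:\windows\system32\kbd.dll, and Find-All's key-size check (504 bytes against a default of 450) is a way of noticing the discrepancy without trusting what the Win32 registry API returns. One documented way to keep a value out of regedit and reg.exe is an embedded NUL in its name, because the Win32 API treats value names as NUL-terminated; the thread does not say whether this variant used that trick or something else, so treat that as an assumption of this example. The script parses a registry hive offline, walks every hbin cell, and reports value names that contain a NUL. The hive it scans is constructed in build_sample_hive(); the kbd.dll path is the one from the thread, the rest is made up.

```python
"""Offline scan of a Windows registry hive (regf format) for value names
that carry an embedded NUL, i.e. names a Win32 caller cannot ask for by
name. Constructed sample hive; not the thread's windows.txt."""
import struct

HBIN_BASE = 0x1000      # hive data offsets are relative to the first hbin
HBIN_HDR = 32           # size of an hbin header
REG_SZ = 1
INLINE = 0x80000000     # data_len flag: data (<= 4 bytes) lives in the offset field


def _cell(payload: bytes) -> bytes:
    """Allocated hive cell: negative length, padded to 8 bytes."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")


def _vk(name: bytes, data_off: int, data_len: int) -> bytes:
    """Value ('vk') cell; flags=1 marks an ASCII rather than UTF-16 name."""
    hdr = b"vk" + struct.pack("<HIIIHH", len(name), data_len, data_off, REG_SZ, 1, 0)
    return _cell(hdr + name)


def build_sample_hive() -> bytes:
    """Constructed hive (assumption, not real data): one hbin holding an empty
    AppInit_DLLs and a second value named 'AppInit_DLLs' + NUL that points at
    a DLL. A Win32 query for "AppInit_DLLs" only ever matches the empty one."""
    dll = "c:\\windows\\system32\\kbd.dll".encode("utf-16le") + b"\0\0"
    body = b""
    dll_off = HBIN_HDR + len(body)           # offset of the data cell, hbin-relative
    body += _cell(dll)
    body += _vk(b"AppInit_DLLs", 0, INLINE | 2)          # empty REG_SZ stored inline
    body += _vk(b"AppInit_DLLs\0", dll_off, len(dll))    # the hidden one
    size = (HBIN_HDR + len(body) + 0xFFF) & ~0xFFF
    hbin = (b"hbin" + struct.pack("<II", 0, size) + b"\0" * 20 + body).ljust(size, b"\0")
    return b"regf".ljust(HBIN_BASE, b"\0") + hbin


def _parse_vk(hive: bytes, off: int) -> dict:
    """Decode one vk cell (off points at the 'vk' signature)."""
    name_len, data_len, data_off, dtype, flags = struct.unpack_from("<HIIIH", hive, off + 2)
    raw = hive[off + 20: off + 20 + name_len]
    name = raw.decode("latin-1") if flags & 1 else raw.decode("utf-16le")
    if data_len & INLINE:
        data = struct.pack("<I", data_off)[: data_len & 0x7FFFFFFF]
    else:
        start = HBIN_BASE + data_off + 4      # skip the data cell's size field
        data = hive[start: start + data_len]
    text = data.decode("utf-16le", "replace").rstrip("\0") if dtype == REG_SZ else data.hex()
    return {"visible_name": name.split("\0", 1)[0],   # what RegEnumValue callers see
            "real_name_len": len(name),
            "hidden": "\0" in name,
            "data": text}


def scan_hive(hive: bytes) -> list:
    """Walk every hbin cell by cell and report each value cell found."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    found, pos = [], HBIN_BASE
    while pos + HBIN_HDR <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell, end = pos + HBIN_HDR, pos + hbin_size
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:
                break                          # reached the hbin's zero padding
            if size < 0 and hive[cell + 4: cell + 6] == b"vk":
                found.append(_parse_vk(hive, cell + 4))
            cell += abs(size)                  # positive size = free cell, skip it
        pos = end
    return found


def hidden_values(hive: bytes) -> list:
    """Only the values whose name a Win32 caller cannot spell."""
    return [v for v in scan_hive(hive) if v["hidden"]]


if __name__ == "__main__":
    for v in scan_hive(build_sample_hive()):
        print(v)
```

The natural input on a box like this one is a saved copy of the key rather than the live registry: Find-All's own backup, C:\FindallwinBackup.hiv, is a RegSaveKey-style hive of the Windows key and has the regf header this parser expects, so scan_hive(open(path, "rb").read()) is the call to try (an assumption about that file, not something the thread states). A name-only scan is one heuristic; Find-All's comparison of the key's byte size against a known-good default is another, and the two complement each other.
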
#8 goblank (Full Member, 10 posts)

Posted 20 June 2004 - 03:21 AM

Encountered a problem. Got up to step f and after pressing Start, the file does not show up in the lower pane and so I also don't have the options to press Focus.

Also, I read through the rest of the instructions...I already have CWShredder and Ad-Aware (most recent version and build) and I check for updates every time I run each. It's not necessary to download and install them again, is it?

#9 Soli (Full Member, 4 posts)

Posted 20 June 2004 - 04:02 AM

»»NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-19-2004 notepad.exe


Pretty sure there is not a new version of notepad out there.
I just had a CWS variant that renamed my notepad.exe and replaced it with a trojan-like virus.
Search your computer for notepad.* and see if there are some notepad.bak files. If so, run Spybot Search & Destroy; it will find a registry link to a .txt file. Then delete your notepad.exe and the notepad prefetch file, replace them with the .bak ones by renaming them to their original names, run Ad-Aware, and reboot. Should be OK.

#10 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 20 June 2004 - 01:28 PM

GoBlank,

Please post new HiJackThis log in this thread.

#11 goblank (Full Member, 10 posts)

Posted 20 June 2004 - 06:00 PM

Do you think it might have worked even though I couldn't complete the instructions?

Logfile of HijackThis v1.97.7
Scan saved at 6:57:23 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\security programs\softwin\bitdefender free edition\bdnagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\securi~1\softwin\bitdef~1\bdmcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMJB.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Security Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Security Programs\SpybotSD\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BDMCon] c:\SECURI~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\security programs\softwin\bitdefender free edition\bdnagent.exe
O4 - HKLM\..\Run: [Winsonar] C:\Security\Winsonar\winsonar.exe
O4 - HKLM\..\Run: [THGuard] "C:\Security Programs\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Svidd\Application Data\ttuh.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

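Added example (editor's code, not from the thread and not anything HijackThis itself does): a small triage that applies, mechanically, the checks the helper applies by eye to the two logs above (search pages pointing at a file:// URL, a URLSearchHook or BHO with no backing file, an O4 autorun living under Application Data or Temp, a DPF download from a bare IP address or an unnamed CLSID) and, more usefully, diffs the second log against the first to list what appeared between them. The sample entries are copied from the logs posted in this thread; the rules and their patterns are the editor's heuristics.

```python
"""Triage of HijackThis logs: rule-based flags plus a diff against an earlier
log from the same machine. Sample entries below are copied from the two logs
in this thread; the rules are an added heuristic, not part of HijackThis."""
import re
from dataclasses import dataclass

# One entry per line: "<kind> - <body>", kind = R0..R3 or O1..O23.
LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# Autorun paths legitimate software almost never uses (constructed heuristic).
PROFILE_PATH = re.compile(r"\\(Application Data|Local Settings|Temp|DOCUME~1)\\", re.I)
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
UNNAMED_DPF = re.compile(r"^DPF: \{[0-9A-F-]+\} - ", re.I)   # CLSID with no (friendly name)


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse(log: str):
    """Yield (kind, body, stripped_line) for every R*/O* entry in a log."""
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(log: str) -> list:
    """Rule-based pass: flag the entry shapes that point at a browser hijack."""
    out = []
    for kind, body, line in parse(log):
        if kind in ("R0", "R1") and re.search(r"=\s*file://", body, re.I):
            out.append(Finding(kind, "IE search/start page points at a local file", line))
        elif kind == "R3" and "(no file)" in body:
            out.append(Finding(kind, "URLSearchHook CLSID with no backing file", line))
        elif kind == "O2" and "(no file)" in body:
            out.append(Finding(kind, "BHO registered with no backing file", line))
        elif kind == "O4" and PROFILE_PATH.search(body):
            out.append(Finding(kind, "autorun launched from a profile/temp path", line))
        elif kind == "O16" and BARE_IP_URL.search(body):
            out.append(Finding(kind, "ActiveX download from a bare IP address", line))
        elif kind == "O16" and UNNAMED_DPF.match(body):
            out.append(Finding(kind, "ActiveX CLSID with no friendly name", line))
    return out


def new_entries(old_log: str, new_log: str) -> list:
    """Entries in the newer log that the older log of the same machine lacked."""
    seen = {line for _, _, line in parse(old_log)}
    return [line for _, _, line in parse(new_log) if line not in seen]


# Excerpt of the 15 June log (post #1).
OLD_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

# Excerpt of the 20 June log (post #11).
NEW_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Svidd\Application Data\ttuh.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(NEW_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
    print("new since previous log:")
    for line in new_entries(OLD_LOG, NEW_LOG):
        print("    " + line)
```

The diff is the part worth keeping: the sp.html redirects, the [Aida] ttuh.exe autorun and the unnamed mt-download CLSID are exactly the lines the helper asks to fix next, and they fall out without any pattern knowledge. The limits of the rules show too: the CasinoOnline entry sits under Program Files, so no path rule flags it, and because it was already in the first log the diff is silent about it as well; that one still needs a human who recognises the name.
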
#12 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 20 June 2004 - 06:44 PM

The cause of the infection has been removed. We were in the process of deleting the hidden dll, which now should be visible.

We still have cleanup left and I will do it with HiJackThis and two reg fixes.

First:
Launch Notepad, and copy/paste the lines below into a new text file. Save it as fixme.reg on your Desktop.

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Second:
Launch Notepad, and copy/paste the lines below into a new text file. Save it as fixme.reg on your Desktop.

REGEDIT4
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]


Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Svidd\Application Data\ttuh.exe

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab


Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\CasinoOnline\ <-- delete folder
C:\Documents and Settings\Svidd\Application Data\ttuh.exe

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
Microsoft MVP Windows-Security 2005


When angry count four; when very angry, swear
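The log entries the helper lists above share a few traits a defender can check for mechanically: search-related R0/R1 values redirected to a file:// URL under a Temp directory, the HomeOldSP value left behind when the start page is overwritten, an O4 Run entry launching from a per-user Application Data directory, and an O16 downloaded control with no friendly name. The script below is an added example, not code from the thread or from HijackThis: it runs those checks over log lines copied from the log in this thread and emits a REGEDIT4 file equivalent to the two reg fixes posted above (restoring the stock URLSearchHook CLSID from the post and deleting the text/html, text/plain and text/xml entries under HKCR\PROTOCOLS\Filter). The rule set and the function names are my own construction.

```python
"""Triage HijackThis log lines for the CWS about:blank pattern and
generate the matching REGEDIT4 cleanup file (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Svidd\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Security Programs\SpybotSD\SDHelper.dll
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Svidd\Application Data\ttuh.exe
O4 - HKLM\..\Run: [THGuard] "C:\Security Programs\TrojanHunter 3.8\THGuard.exe"
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""


@dataclass
class Finding:
    line: str
    reason: str


# R0-R3: "<key>,<value> = <data>"; O4 Run entries; O16 DPF entries with a CLSID.
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?P<name> \([^)]*\))? - (?P<url>\S+)$")


def _check_r(m):
    value, data = m.group("value").strip(), m.group("data").strip().lower()
    if value == "HomeOldSP":
        return "HomeOldSP holds the start page saved when the hijacker overwrote it"
    if data.startswith("file://") and "\\temp\\" in data:
        return f"{value} points at a local file under a Temp directory"
    return None


def _check_o4(m):
    cmd = m.group("cmd").strip().strip('"').lower()
    if "\\application data\\" in cmd or "\\temp\\" in cmd:
        return f"Run entry [{m.group('name')}] launches from a per-user data or Temp directory"
    return None


def _check_o16(m):
    if m.group("name") is None:
        return f"downloaded control {m.group('clsid')} has no friendly name"
    return None


RULES = ((R_LINE, _check_r), (O4_LINE, _check_o4), (O16_LINE, _check_o16))


def triage(log_text):
    """Return a Finding for every line that trips one of the rules above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for pattern, check in RULES:
            m = pattern.match(line)
            if m:
                reason = check(m)
                if reason:
                    findings.append(Finding(line, reason))
                break
    return findings


# Stock Microsoft URL search hook CLSID, as given in the fix posted in the thread.
DEFAULT_SEARCH_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
MIME_FILTERS = ("text/html", "text/plain", "text/xml")


def cleanup_reg():
    """Build a REGEDIT4 file equivalent to the two reg fixes in the thread.
    A leading '-' on a key line deletes that key; recreating URLSearchHooks
    with only the stock hook drops any hook the hijacker registered."""
    lines = [
        "REGEDIT4",
        "",
        "[-HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]",
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]",
        '"' + DEFAULT_SEARCH_HOOK + '"=""',
        "",
    ]
    for mime in MIME_FILTERS:
        lines.append("[-HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\" + mime + "]")
    lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FLAG: {f.reason}\n      {f.line}")
    print(cleanup_reg())
```

Note what the rules do not catch: the CasinoOnline Run entry lives under Program Files and passes every check, which is why the helper's manual reading of the log still matters; the script narrows the list, it does not replace it. The MIME filter deletion is the part that actually addresses the recurring "Search for..." page, since a filter registered for text/html gets to rewrite every HTML response before IE renders it.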

#13 goblank

goblank

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 20 June 2004 - 07:17 PM

I could not find the CasinoOnline folder or the ttuh.exe file in either Safe Mode or Normal Mode.

C:\Program Files\CasinoOnline\ <-- delete folder
C:\Documents and Settings\Svidd\Application Data\ttuh.exe

I also ran a search (including hidden files), which did not find them.

Does hiding protected operating system files help against malware, etc. or does it just provide protection against me accidentally doing something to it? I usually leave it all unhidden.

Logfile of HijackThis v1.97.7
Scan saved at 8:16:46 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\SECURI~1\softwin\BITDEF~1\bdmcon.exe
C:\security programs\softwin\bitdefender free edition\bdnagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Security Programs\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Security Programs\SpybotSD\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BDMCon] c:\SECURI~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\security programs\softwin\bitdefender free edition\bdnagent.exe
O4 - HKLM\..\Run: [Winsonar] C:\Security\Winsonar\winsonar.exe
O4 - HKLM\..\Run: [THGuard] "C:\Security Programs\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#14 goblank

goblank

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 20 June 2004 - 08:10 PM

Ouch. I opened a new IE window and it just recurred. I ran HijackThis to see if maybe anything had changed. Then I opened another window and about:blank was back to normal. Here's the log if it helps:

Logfile of HijackThis v1.97.7
Scan saved at 9:10:14 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\SECURI~1\softwin\BITDEF~1\bdmcon.exe
C:\security programs\softwin\bitdefender free edition\bdnagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Security Programs\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Security Programs\SpybotSD\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BDMCon] c:\SECURI~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\security programs\softwin\bitdefender free edition\bdnagent.exe
O4 - HKLM\..\Run: [Winsonar] C:\Security\Winsonar\winsonar.exe
O4 - HKLM\..\Run: [THGuard] "C:\Security Programs\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#15 goblank

goblank

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 23 June 2004 - 02:01 AM

I'm going to be out of town, but further assistance would still be appreciated, I'll follow your next instructions upon my return.

Also, maybe this will help with diagnosis:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP278\A0036730.exe=>(Embedded EXE o) Suspect Trojan.Downloader.Small.Gen
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP278\A0036730.exe=>(Embedded EXE o) Disinfection failed
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP278\A0036730.exe=>(Embedded EXE o) Move failed

It's an embedded exe that my antivirus never manages to disinfect...when I ran my antivirus again a day or two ago, I remembered it was still there.

#16 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 23 June 2004 - 12:38 PM

Your last log was clean.

The Trojan problem is in your system restore volume and you will have to reset it to clear the issue.

One of the best features of Windows XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: http://www.staff.uiu...es/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857
Microsoft MVP Windows-Security 2005


When angry count four; when very angry, swear
