Neves

I have some nasty hijacks.

21 posts in this topic

I am having trouble getting rid of Bestsearch and aboutblank. There are a few others as well. I cleaned my system as the sticky said above. Here is my hijack log.

 

BTW, my hijack logs are really small for some reason, and I don't know why. Anyway, here it is.

 

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\system32\wintime.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\Hijacking Tools\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\abdhr.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {1393F29F-3AD1-88F1-8182-7EBCC2149DC1} - C:\WINDOWS\msub.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {68864847-D4F5-48B9-BCB4-53B3DF1790D9} - C:\WINDOWS\System32\fkcoc.dll

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [atlxj32.exe] C:\WINDOWS\system32\atlxj32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe

O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D551744A-2BDC-48BF-BCDB-82B2248C7100}: NameServer = 63.64.9.11 63.64.9.19


Please post a complete HiJackThis log. You're missing important header information.

 

Once the new log is posted we can continue.


Logfile of HijackThis v1.97.7

Scan saved at 10:02:58 PM, on 6/21/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\system32\wintime.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\Hijacking Tools\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {1393F29F-3AD1-88F1-8182-7EBCC2149DC1} - C:\WINDOWS\msub.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {D5D489F4-33B7-4791-A43C-ABCE3B0047F2} - C:\WINDOWS\System32\cpned.dll

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [atlxj32.exe] C:\WINDOWS\system32\atlxj32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe

O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D551744A-2BDC-48BF-BCDB-82B2248C7100}: NameServer = 63.64.9.11 63.64.9.19

 

Is that what you were looking for? Sorry about that :(


First:

Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.

 

REM Export the Windows key (the one that holds AppInit_DLLs) to appinit.txt

Regedit /e appinit.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

REM Open the export in Notepad so its contents can be pasted into the thread

Start notepad.exe appinit.txt

exit

 

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.

 

Copy and paste the contents of that entire file in this thread.

 

 

Second:

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

 

Check the following items in HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

O2 - BHO: (no name) - {1393F29F-3AD1-88F1-8182-7EBCC2149DC1} - C:\WINDOWS\msub.dll (file missing)

 

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [atlxj32.exe] C:\WINDOWS\system32\atlxj32.exe

O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe

O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe

 

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

 

 

Close all windows except HijackThis and click Fix checked.

 

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)

C:\WINDOWS\system32\wintime.exe

C:\WINDOWS\system32\atlxj32.exe

C:\WINDOWS\rundll32.exe

C:\WINDOWS\System32\windll32.exe

 

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

**Show Hidden and System files and folders

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

 

Reboot in normal mode.

 

Run HiJackThis again and post a new log in this thread.

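The helper's checklist above picks out the entry shapes that mark this hijack: R0/R1 search and start pages redirected to a local file:// or res:// resource, an O2 BHO whose DLL is missing or that has no name and loads from the Windows directory, O4 Run entries that launch a file dropped directly into C:\WINDOWS, and an O16 Downloaded Program File pointing at a local executable. The Python script below is an added example, not code from this thread or from HijackThis; it applies those heuristics to lines copied from the logs posted above and leaves the O17 NameServer entry for a human to review. The rules themselves, the severity labels, and the Windows path C:\WINDOWS (taken from these logs) are assumptions of the example.

```python
"""Heuristic triage of HijackThis log lines for the hijack shapes in this thread.

Added example: not code from the forum thread or from HijackThis. The rules
are assumptions written for this page: they flag the entry shapes the helper
marked for fixing and leave everything else for a human to read.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\abdhr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
O2 - BHO: (no name) - {1393F29F-3AD1-88F1-8182-7EBCC2149DC1} - C:\WINDOWS\msub.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D551744A-2BDC-48BF-BCDB-82B2248C7100}: NameServer = 63.64.9.11 63.64.9.19
"""

WINDOWS_DIR = r"c:\windows"  # assumption: the Windows directory seen in these logs

LOCAL_SCHEME = re.compile(r"^(file|res)://", re.IGNORECASE)
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code (R1, O2, ...) or "summary"
    severity: str  # "flag" = matches a hijack shape, "review" = needs a human
    reason: str
    line: str


def o4_target(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|bat|cmd|scr|pif|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows root, not a subfolder."""
    return ntpath.dirname(path).rstrip("\\").lower() == WINDOWS_DIR


def under_windows(path: str) -> bool:
    """True when the file lives anywhere below the Windows directory."""
    return path.lower().startswith(WINDOWS_DIR + "\\")


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to one log line; empty list means nothing to say."""
    line = line.strip()
    if not line:
        return []
    section = line.split(" - ", 1)[0]
    reasons = []
    if (m := R_RE.match(line)):
        if LOCAL_SCHEME.match(m["value"]):
            reasons.append("search/start page redirected to a local file:// or res:// resource")
    elif (m := O2_RE.match(line)):
        if m["missing"]:
            reasons.append("BHO registered but its DLL is missing (orphaned entry)")
        elif m["name"] == "(no name)" and under_windows(m["path"]):
            reasons.append("unnamed BHO loading a DLL from the Windows directory")
    elif (m := O4_RE.match(line)):
        if in_windows_root(o4_target(m["cmd"])):
            reasons.append("Run entry launches a file dropped directly in the Windows root")
    elif (m := O16_RE.match(line)):
        if LOCAL_SCHEME.match(m["url"]):
            reasons.append("Downloaded Program File (ActiveX) points at a local file")
    elif (m := O17_RE.match(line)):
        return [Finding(section, "review",
                        "DNS servers set to %s; confirm they belong to your ISP" % m["servers"], line)]
    return [Finding(section, "flag", "; ".join(reasons), line)] if reasons else []


def triage(lines: List[str]) -> List[Finding]:
    """Triage a whole log and add a summary when the about:blank pattern is present."""
    findings = [f for ln in lines for f in triage_line(ln)]
    local_search = any(f.section in ("R0", "R1") and f.severity == "flag" for f in findings)
    blank_start = any(re.search(r"Start Page = about:blank$", ln.strip()) for ln in lines)
    if local_search and blank_start:
        findings.append(Finding("summary", "flag",
                                "about:blank start page plus a local-file search page: "
                                "the about:blank hijack pattern discussed in this thread", ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Entries that a rule does not recognise are deliberately left silent rather than marked clean: the helper in this thread also chose to leave the Spybot, Messenger and AIM entries alone, and a heuristic that only knows a few bad shapes should not claim the rest is safe.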

Alright, here is my text document:

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

 

 

Alright, here is the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:49:36 PM, on 6/23/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\hijackthis\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {D5D489F4-33B7-4791-A43C-ABCE3B0047F2} - C:\WINDOWS\System32\cpned.dll

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

Thanks!


You have a CoolWebSearch variant which requires special treatment to fix.

 

Download Beta-Fix.exe from here: http://freeatlast.100free.com/

 

Double Click on the Beta-Fix.exe and it will install the batch file in its own folder.

 

Open the Beta-Fix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the Beta-Fix folder.

 

Relax, sit back and wait a few minutes while the program collects the necessary information.

 

*NOTE: If your AntiVirus is running a script blocker, when you run this tool you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the Beta-Fix folder.

1. Post the contents of Log.txt in this thread.

2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)


This is the log.txt

 

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Wed 06/23/2004

5:46pm up 0 days, 0:58

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\LOGKJK.DLL +++ File read error

\\?\C:\WINDOWS\System32\LOGKJK.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\Beta-Fix\LIST.TXT

LOGKJK.DLL Can't Open!

MSB.DLL Can't Open!

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

logkjk.dll Thu May 13 2004 9:45:22a A...R 57,344 56.00 K

msb.dll Wed Jun 16 2004 11:34:44a A...R 57,344 56.00 K

msxslab.dll Thu May 13 2004 8:39:18a ..SHR 1 0.00 K

 

3 items found: 3 files (1 H/S), 0 directories.

Total of file sizes: 114,689 bytes 112.00 K

 

C:\WINDOWS\SYSTEM32\

mfc42.dll Sat Aug 18 2001 12:36:20a ..SH. 995,383 972.05 K

msvcirt.dll Sat Aug 18 2001 12:36:26a ..SH. 50,688 49.50 K

msvcp60.dll Sat Aug 18 2001 12:36:26a ..SH. 401,462 392.05 K

msxslab.dll Thu May 13 2004 8:39:18a ..SHR 1 0.00 K

oleaut32.dll Sat Aug 18 2001 12:36:28a ..SH. 569,344 556.00 K

olepro32.dll Sat Aug 18 2001 12:36:28a ..SH. 106,496 104.00 K

 

6 items found: 6 files, 0 directories.

Total of file sizes: 2,123,374 bytes 2.02 M

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\LOGKJK.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\MSB.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\MSXSLAB.DLL

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access YOUR-ZE8CXVR8TT\Owner

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access YOUR-ZE8CXVR8TT\Owner

 

 

»»Member of...: (Admin logon required!)

User is a member of group YOUR-ZE8CXVR8TT\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-ZE8CXVR8TT\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-ZE8CXVR8TT\Owner

 

Primary Group: YOUR-ZE8CXVR8TT\None

 

 

 

»»»»»»Backups created...»»»»»»

5:47pm up 0 days, 0:59

Wed 06/23/2004

 

A C:\Beta-Fix\winBackup.hiv

--a-- - - - - - 8,192 06-23-2004 winbackup.hiv

A C:\Beta-Fix\keys1\winkey.reg

--a-- - - - - - 287 06-23-2004 winkey.reg

 

»»Performing 16bit string scan....

 

 

 

And I couldn't figure out how to attach stuff on this board so here is what the win.txt looks like

 

 

---------- WIN.TXT

ÿÿAppInit_DLLs:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

DeviceNotSelectedTimeout

isGDIProcessHandleQuota,

sHandl

Spooler

swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota4

AppInit

DLLs:

 

**File C:\Beta-Fix\WIN.TXT

àÿÿÿvk € u swapdisk ¨ ð 0 ` ˜ Ðÿÿÿvk Q TransmissionRetryTimeoutÐÿÿÿvk €' e USERProcessHandleQuota4 àÿÿÿ¨ ð 0 ` ˜ È Øÿÿÿvk 8 @ ÿÿAppInit_DLLs: ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s b . d l l U €

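The two dumps above show the trick that makes this infection hard to see: the regedit export reports "AppInit_DLLs"="" while the raw hive bytes in WIN.TXT carry the name AppInit_DLLs: followed by C:\WINDOWS\System32\msb.dll spelled out with spaces, which is how UTF-16LE text looks when printed one byte at a time. The Python script below is an added example, not code from this thread or from the Beta-Fix tool; it parses a .reg export like the one posted, pulls UTF-16LE strings out of a constructed byte blob with the same shape as the dump, and reports any string the raw hive holds that the export does not. The blob's filler bytes, the record layout it imitates, and the key-size table (copied from the numbers Beta-Fix prints in the log above) are assumptions of the example.

```python
"""Compare a .reg export with a raw hive dump to expose a value regedit shows as empty.

Added example, not code from this thread or from Beta-Fix. On this page the
export says "AppInit_DLLs"="" while WIN.TXT holds the name AppInit_DLLs:
followed by a UTF-16LE path to msb.dll. The blob below imitates that shape;
its filler bytes and record layout are made up for the example.
"""
import re
from typing import Dict, List

# Constructed .reg export: the same values the reginfo.bat output shows above.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
"""

# Constructed raw-hive fragment (assumption: value names stored as ASCII in
# the "vk" record, string data as UTF-16LE; the other bytes are arbitrary).
RAW_DUMP = (
    b"\xe0\xff\xff\xffvk\x00\x08\x00\x01\x00"
    + b"swapdisk" + b"\xa8\xf0\x30\x60"
    + b"\xd8\xff\xff\xffvk\x00\x0d\x00"
    + b"AppInit_DLLs:"
    + b"\xc0\xff\xff\xff"
    + "C:\\WINDOWS\\System32\\msb.dll".encode("utf-16-le") + b"\x00\x00"
    + b"U\x00\x80"
)

# Key-size table as Beta-Fix prints it in the log above (the tool's own
# heuristic, reproduced as given): default 450, no AppInit value 398,
# fake/infected 448, 504, 512.
KEY_SIZE_TABLE = {450: "default", 398: "no AppInit value",
                  448: "suspect", 504: "suspect", 512: "suspect"}


def parse_reg_export(text: str) -> Dict[str, str]:
    """Map value names to exported data; string data unquoted, dwords kept raw."""
    values = {}
    for m in re.finditer(r'^"([^"]+)"=(?:"([^"]*)"|(dword:[0-9a-fA-F]+))$', text, re.M):
        values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return values


def utf16_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Extract runs of printable UTF-16LE text (ASCII byte followed by NUL)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def empty_exported_values(export_text: str) -> List[str]:
    """Names whose exported data is the empty string."""
    return [name for name, data in parse_reg_export(export_text).items() if data == ""]


def hidden_strings(export_text: str, blob: bytes) -> List[str]:
    """UTF-16LE strings present in the raw hive bytes but absent from the export."""
    exported = set(parse_reg_export(export_text).values())
    return [s for s in utf16_strings(blob) if s not in exported]


def classify_key_size(size: int) -> str:
    """Label a reported key size using the table Beta-Fix prints."""
    return KEY_SIZE_TABLE.get(size, "unknown")


if __name__ == "__main__":
    print("values exported as empty:", empty_exported_values(REG_EXPORT))
    print("strings only the raw hive shows:", hidden_strings(REG_EXPORT, RAW_DUMP))
    for size in (448, 450):
        print("key size %d -> %s" % (size, classify_key_size(size)))
```

Run against the constructed inputs, the script reports AppInit_DLLs as exported empty and the msb.dll path as present only in the raw bytes, which is exactly the mismatch the helper acted on: the export is what the user could see, the hive is what Windows actually loads.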

Please check for the presence of these three files and advise which you can find.

C:\WINDOWS\SYSTEM32\LOGKJK.DLL

C:\WINDOWS\SYSTEM32\MSB.DLL

C:\WINDOWS\SYSTEM32\MSXSLAB.DLL

 

 

If possible, Zip and email them to me:

email to: Submit AT LoPhatPhuud.com (replace AT with @)


Okay, well, I searched for all three of these files. I was only able to find

 

C:\WINDOWS\SYSTEM32\LOGKJK.DLL

 

I am trying to zip it, but it's giving me errors. I am going to send you what I believe is the correct zip file, but it may be wrong, because the only way it lets me zip the file is if I create a shortcut for it.

 

Anyway, the other two did not show up at all on a search.


OK, thanks and hang on. I am checking with an expert to verify my assumption of the file to remove first.

 

I will post back later tonight or tomorrow morning at the latest.


=== Step 2 - Delete Hidden DLL ===

Open the Beta-Fix folder.

Open the keys1 folder.

RightClick on the MOVEit.bat file, select--> edit.

Copy and paste this line into the batch file, replacing the line there.

 

move %WinDir%\System32\MSB.DLL %SystemDrive%\junkxxx\MSB.DLL

 

Save the file and close.

 

Get ready to restart!

Still in the keys1 folder, double click on FIX.bat.

You will get an alert of ~20 secs before reboot.

Allow it to reboot!

 

On restart, Open the Beta-Fix folder.

DoubleClick on RESTORE.bat.

When it is finished, open the Beta-Fix folder.

Post the contents of Log1.txt in this thread


Uhh, I don't know what's going on. I guess I will just email my log1.txt file to you if that's fine. It won't let me post it on here for some reason. Anyway, I am getting ready to send it to you.

 

 

Wed 06/23/2004

8:35pm up 0 days, 0:01

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

*Locked files...

The system cannot execute the specified program.

The system cannot execute the specified program.

 

»»»Filtering files in System32.......( 'R;H;S') »»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

 

move %WinDir%\System32\MSB.DLL %SystemDrive%\junkxxx\MSB.DLL

-ra-- W32i - - - - 57,344 06-16-2004 msb.dll

A R C:\junkxxx\MSB.DLL

File: <C:\junkxxx\MSB.DLL>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

»»Permissions:

C:\junkxxx\MSB.DLL Everyone:(special access:)

SYNCHRONIZE

FILE_EXECUTE

 

BUILTIN\Administrators:F

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-ZE8CXVR8TT\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-ZE8CXVR8TT\Owner

 

Primary Group: YOUR-ZE8CXVR8TT\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

File "C:\junkxxx\MSB.DLL"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: YOUR-ZE8CXVR8TT\Owner

 

Primary Group: YOUR-ZE8CXVR8TT\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access YOUR-ZE8CXVR8TT\Owner

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access YOUR-ZE8CXVR8TT\Owner

 

 

 

---------- WIN.TXT

ÿÿAppInit_DLLs:

 

---------- NEWWIN.TXT

AppInit_DLLsecteÀ


As you can see, I have the log file. Thank you.

 

These entries:

*Locked files...

The system cannot execute the specified program.

The system cannot execute the specified program.

 

 

Have me concerned so I am checking before we go further.

 

Check to see if you can now delete this file:

C:\WINDOWS\SYSTEM32\MSXSLAB.DLL

 

Be sure you can see Hidden and System files.


Great, you should also be able to find and delete this one:

C:\WINDOWS\SYSTEM32\LOGKJK.DLL

 

 

Then:

=== Step 3 Cleanup ===

Open the Beta-Fix folder.

Open the Files2 folder.

Double Click on the ZIPZAP.bat.

 

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

 

Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

 

Please be sure to include a link to your log file in the email.

 

When done, please delete the entire Beta-Fix folder.

 

=== Clean Remaining Infection ===

Please Download CoolWebShredder, from

http://www.merijn.org/files/cwshredder.zip

http://www.zerosrealm.com/downloads/CWShredder.zip

 

Extract CWShredder to its own folder,

Click the 'Fix ->' button.

Make sure you let it fix all CWS Remnants.

 

Next:

Download the latest version of Ad-Aware at

http://www.lavasoft.de/software/adaware/

 

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

 

Select 'custom options'.

Select your drive, scan and fix all it finds.

 

Last:

Post a new HiJackThis log in this thread.


I found that file logjk.dll, but it says that I cannot delete it because access is denied. Should I just try to delete it in safe mode? Here is the exact message it gives me:

 

 

Cannot Delete logjkj: Access is denied

Make sure the disk is not full or write protected

and the file is currently not into use


Okay, never mind... I created a folder on the desktop, moved the log file into that folder, then deleted the folder. I can't find the log file anymore, so I guess it's gone. I will do the above steps now.


Okay, once again Internet Explorer is acting all buggy and won't let me post a bunch of stuff on this forum, so I am going to send the log file to you.


Okay, it's sent.

 

Logfile of HijackThis v1.97.7

Scan saved at 1:10:56 PM, on 6/24/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\explorer.exe

C:\Program Files\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D551744A-2BDC-48BF-BCDB-82B2248C7100}: NameServer = 63.64.9.11 63.64.9.19


That looks nice and clean.

 

If the log was done in Safe Mode, reboot and try to post one from Normal Mode.

 

You may want to install Firefox 0.9; it's a nice browser. I keep it installed to have an alternative, just in case.

 

 

At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update: YOU NEED TO DO THIS

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

 

3. Download and install the following free programs:

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm

 

4. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

 

 

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

 

 

Good luck, and thanks for coming to our forums for help with your security and malware issues.

 

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.

 

Everyone else having a similar issue, please launch a new topic for yourselves.
