youngpack

res://wjetn.dll/index.html#37049--help needed

60 posts in this topic

I've followed the steps (CWShredder, Panda Software virus scan, adware, Spybot, Trojan Hunter (trial), and now this) and I've been hijacked to several versions of res://*****.dll/index.html#37049, and it keeps coming back.

 

IE is running VERY slow and it's bogging down everything. I'm not the most computer literate person, but I'll follow whatever instructions you folks might have.

 

Thanks for your help, mates!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:33:30 AM, on 6/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\sdkwp.exe

C:\WINDOWS\system32\nettt32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wjetn.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wjetn.dll/index.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wjetn.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wjetn.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wjetn.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wjetn.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {795BB343-30B6-2B4F-FA68-F174D498229E} - C:\WINDOWS\system32\netey.dll

O4 - HKLM\..\Run: [nettt32.exe] C:\WINDOWS\system32\nettt32.exe

O4 - HKLM\..\RunOnce: [sdkwp.exe] C:\WINDOWS\system32\sdkwp.exe


I've been messing around trying different things and it switched up the page address that I get hijacked to. Here is the latest info. I won't mess around with it anymore.

 

Thanks!

 

Logfile of HijackThis v1.97.7

Scan saved at 2:59:19 PM, on 6/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ntwt.exe

C:\WINDOWS\system32\sdkwp.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pnzrn.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pnzrn.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pnzrn.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pnzrn.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pnzrn.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pnzrn.dll/sp.html#37049

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {1204A789-0139-F9B1-BF9E-4BECFF8288F8} - C:\WINDOWS\d3rc.dll


I've also been hit with something similar. Home page is currently set to res://skyhg.dll/index.html#23851

 

However, this changes regularly. I've tried CWS removal tools, HJT, Registry Heal, Adware, PC Cillin Virus Scan, and nothing can remove this extremely frustrating piece of despicable rubbish.

 

I've noticed the BHO that keeps coming back is:

 

O2 - BHO: (no name) - {B756513C-B2A5-1805-60FF-E40570DBC936} - C:\WINDOWS\crqa.dll

 

I've tried deleting the file crqa.dll from C:\WINDOWS, but it just keeps coming back a few seconds after I delete it. Reading the file with Notepad, apart from a load of unreadable text, the following is contained within the file:

 

KERNEL32.DLL ADVAPI32.dll ATL.DLL ole32.dll OLEAUT32.dll SHELL32.dll SHLWAPI.dll USER32.dll WININET.dll LoadLibraryA GetProcAddress RegOpenKeyA CLSIDFromString SHGetSpecialFolderPathA SHDeleteKeyA IsWindow InternetOpenA IEPlugin.DLL DllCanUnloadNow DllGetClassObject DllRegisterServer DllUnregisterServer _f _key ð -9

 

Dunno if that means anything to anyone? Please help. PS, I will post my log file here if it's ok with the original poster.


Just noticed from your log file, youngpack, that you share a similar BHO:

 

O2 - BHO: (no name) - {1204A789-0139-F9B1-BF9E-4BECFF8288F8} - C:\WINDOWS\d3rc.dll

 

Mine is:

 

O2 - BHO: (no name) - {B756513C-B2A5-1805-60FF-E40570DBC936} - C:\WINDOWS\crqa.dll

 

It's obviously the same damn malware. Let's hope we can get it sorted!

Edited by CaleI

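As an added example (not code from this thread, and not part of HijackThis itself), the following Python parses log lines in the shape youngpack posted, flags the two indicators that recur in this thread (IE start/search pages pointing at res:// or file:// locations, and a nameless BHO), and compares two scans so that a re-registered BHO or renamed DLL shows up as the same persistence slot with a new occupant, which is what "it keeps coming back under a different name" looks like in the logs. The sample lines are constructed from entries in the logs above; the flagging rules are the editor's assumptions, not HijackThis's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, shaped like the HijackThis 1.97 logs in this thread
# (entry types R0/R1, O2, O4, O16; the header line is ignored by the parser).
SAMPLE_EARLY = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wjetn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wjetn.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {795BB343-30B6-2B4F-FA68-F174D498229E} - C:\WINDOWS\system32\netey.dll
O4 - HKLM\..\Run: [nettt32.exe] C:\WINDOWS\system32\nettt32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
"""

# A later scan of the same machine (constructed): same slots, new random file names.
SAMPLE_LATER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pnzrn.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pnzrn.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {1204A789-0139-F9B1-BF9E-4BECFF8288F8} - C:\WINDOWS\d3rc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""


@dataclass(frozen=True)
class Entry:
    kind: str   # HijackThis entry type: R0, R1, O2, O4, O16, ...
    key: str    # the slot: registry value name, BHO label, Run-key name, ...
    value: str  # what occupies the slot: URL, "{CLSID} - dll path", command line


ENTRY_RE = re.compile(r"^(?P<kind>[FNOR]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Turn HijackThis log lines into Entry objects; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind.startswith("R") and " = " in body:
            key, value = body.split(" = ", 1)        # "HKCU\...\Main,Start Page = res://..."
        elif kind == "O2":
            # "BHO: (no name) - {CLSID} - C:\...\x.dll": keyed by the label only, so a
            # BHO re-registered under a new CLSID and DLL name is the same slot, changed.
            key, _, value = body.partition(" - ")
        elif kind == "O4" and "] " in body:
            key, _, value = body.partition("] ")     # "HKLM\..\Run: [name] command line"
            key += "]"
        else:
            key, value = body, ""
        entries.append(Entry(kind, key, value))
    return entries


LOCAL_SCHEMES = ("res://", "file://")


def flag(entries):
    """Findings for the two indicators that stand out in this thread's logs."""
    findings = []
    for e in entries:
        if e.kind in ("R0", "R1") and e.value.lower().startswith(LOCAL_SCHEMES):
            findings.append((e, "IE start/search page points at a local DLL resource or temp file"))
        elif e.kind == "O2" and e.key == "BHO: (no name)":
            findings.append((e, "nameless Browser Helper Object"))
    return findings


def compare_logs(before, after):
    """Slots whose occupant changed, slots new in `after`, and slots gone from `before`."""
    old = {(e.kind, e.key): e.value for e in before}
    new = {(e.kind, e.key): e.value for e in after}
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    added = {k: new[k] for k in new if k not in old}
    removed = {k: old[k] for k in old if k not in new}
    return changed, added, removed


if __name__ == "__main__":
    early, later = parse_hjt(SAMPLE_EARLY), parse_hjt(SAMPLE_LATER)
    for entry, why in flag(early):
        print(f"[{entry.kind}] {why}: {entry.key} -> {entry.value}")
    changed, added, removed = compare_logs(early, later)
    for (kind, key), (old_v, new_v) in changed.items():
        print(f"{kind} {key}: {old_v}  ==>  {new_v}")
```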

I personally don't care if you post your log file on this thread, but I think the people that run it prefer to keep everything separate to keep down the confusion.


At the top of the page it is written in big bold red letters NOT to post logs into someone else's thread but to start your own. Please follow that rule, as it helps keep confusion minimal and makes helping a lot easier.

 

Thank you.


youngpack - Your HijackThis log has been truncated - Please repost it in its entirety.


To be on the safe side, please post your log and I will confirm that it is clean for you - Before posting it, reboot one more time, then run HijackThis and post the resulting log.


Logfile of HijackThis v1.97.7

Scan saved at 5:43:44 PM, on 6/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)


You have no running programs, loading information etc which means that your mouse, sound, etc may not work. Did you remove all the entries from HijackThis? If so, you need to restore them before you power cycle your computer.


Well... it came back. I was clean (I thought) through multiple reboots and much use of IE. I almost think it came back after midnight when the date changed?

 

I'm not very familiar with HijackThis, so all I do is click on it to scan, and then I saved the results and pasted them here. Is this the information that you need, or do I need to put HijackThis into a different mode or something? (Like I said, I'm not the most computer literate guy in the world, but I'm trying to learn.)

 

Thanks again. I sure hope I can get this mess off.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:39:04 AM, on 6/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {C7DD08CB-5769-4BED-AB96-61735A168181} - C:\WINDOWS\System32\cceo.dll


When the window (Notepad) comes up with the log in it, can you click on "Edit" => "Select All" => "Edit" => "Copy" and post the results here? From the looks of your post, it is missing the bottom half of the log.


That is all that is logged for me... It doesn't even fill up one page in Notepad. I did the "select all" feature and everything. I will try to download HijackThis again and try it again. Any other ideas why only that much info shows up?


Reboot into Safe mode - How do I boot into "Safe" mode?

 

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {C7DD08CB-5769-4BED-AB96-61735A168181} - C:\WINDOWS\System32\cceo.dll

 

Reboot normally.

 

As to why you have so few entries, I do not know - Have you run HijackThis before? Did you mark anything for deletion? Is your system running okay? Is it a new install?


I just realized why I have so few entries. I HAVE run HijackThis before; this was when I was first infected with the "res" virus, which has now changed to the "about blank" virus. I checked ALL the boxes and had them all fixed. Seems as if I've made a mistake. My computer still works fine, but I just can't seem to shake the "about blank" web page that I am hijacked to so frequently.

 

Here is my latest log.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:11:16 AM, on 6/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {C38DBFC1-84EE-4087-A0E3-7DFC1F24DFFA} - C:\WINDOWS\System32\fmdfb.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab


I've now done adware, CWShredder and HijackThis all in "safe" mode. I've switched back to normal mode and this is what I get for my log.

 

IE hasn't been re-hijacked to "about this", but it's done this before and gone back to the same thing after some use of the computer.

 

Does everything look clean, and if so, why does it keep coming back? Is there anything else I can do?

 

Thanks for your help and sorry for the delay in response. I was out of town at the end of last week through the weekend.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 9:44:29 AM, on 6/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


What I would do at this point - Run HijackThis, Click on "Config" in the bottom right corner. Click on "Backups" near the top and you should see everything listed. RESTORE ALL lines, everything - This will put some of the spyware back. Reboot. Post a HijackThis log and we will start from the beginning and clean it up properly for you.


OK, I've restored all of the old backups. Here's what I got:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:10:26 AM, on 6/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AIM\aim.exe

C:\HJT.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\WxBugSetup505_AIM_2.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {C38DBFC1-84EE-4087-A0E3-7DFC1F24DFFA} - C:\WINDOWS\System32\fmdfb.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Owner\LOCALS~1\Temp\MiniBug.exe 1

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AIM (HKLM)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I get a "program not found" window for NOTEPAD.EXE...

 

It asks me to: "type in the executable file to be used instead"

 

I have Notepad obviously, because I'm able to post the HijackThis log. I don't know what the problem is. Any ideas?


You should have two copies of notepad on your computer - One in c:\windows and one in c:\windows\system32. Find either, right click and select properties - The size should be 64.5 KB (66,048 bytes). Copy the one over to the other directory so that you have two again.


You really know your stuff! I followed your instructions and this is the result. Thanks again for your expertise; I'd certainly be lost without it.

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Mon 06/28/2004

11:52am up 0 days, 0:44

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\D3DNC.DLL +++ File read error

\\?\C:\WINDOWS\System32\D3DNC.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\FINDnFIX\LIST.TXT

D3DNC.DLL Can't Open!

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group BIGDADDY\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

Service search: '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName SUCCESS

Name = __NS_Service_3

[sC] GetServiceDisplayName SUCCESS

Name = Network Security Service

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BIGDADDY\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BIGDADDY\Owner

 

Primary Group: BIGDADDY\None

 

 

 

»»»»»»Backups created...»»»»»»

11:53am up 0 days, 0:45

Mon 06/28/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-28-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-28-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLsm

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuotan

AppInit

DLLsm

PQWSV

$%&'()*

-./012%0

3456789

BCDEFGH

KLMNOPCN

345676Q

RSTUVWX

aaaaaaab

aaaaaaaa

hijklmn

qrstuvit

 

**File C:\FINDnFIX\WIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' n USERProcessHandleQuotan àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk < S AppInit_DLLsm 3 ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ d 3 d n c . d l l À ¡9çw«dçwBÑçw


This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:

  • Open the "FINDnFIX\Keys1" subfolder!
  • Locate the "MOVEit.bat" file, right-click on it and select => "edit". The file will open as an empty text file.
  • Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:
    move C:\WINDOWS\System32\D3DNC.DLL  C:\junkxxx\D3DNC.DLL

  • Save the file and close.
  • Get ready to restart your computer.
  • In the same folder, double-click on the "FIX.bat" file.
  • You will be prompted by a popup alert to restart in 15 seconds.
  • Allow it to restart the computer!
  • On restart, navigate to the C:\FINDnFIX\ main folder:
  • Double-click on the "RESTORE.bat" file.
  • It'll run and produce a new log (log1.txt). Post it here!


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Mon 06/28/2004

12:56am up 0 days, 0:00

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

*Locked files...

\\?\C:\WINDOWS\System32\D3DNC.DLL +++ File read error

 

»»»Filtering files in System32.......( 'R;H;S') »»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

No Files to Search

 

Run Time(sec) 0

 

rem replace this text with your given command...

 

 

»»Permissions:

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BIGDADDY\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BIGDADDY\Owner

 

Primary Group: BIGDADDY\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\d3dnc.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = C:\WINDOWS\System32\d3dnc.dll

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

AppInit_DLLsm

 

---------- NEWWIN.TXT

AppInit_DLLs`Y|

**File C:\FINDnFIX\NEWWIN.TXT

regf Pugf hbin Ƴõw÷³õw³õw-³õw ¨ÿÿÿnk, *(ØÛ0]Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ¸ x ÿÿÿÿ 0 < h Windows ÿÿÿsk x x Ô €¸ È ¤ ! € ! ? ? Ðÿÿÿvk ˜ ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 ( h Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ë=tÀàÿÿÿvk °ºSpooler2ðÿÿÿy e s

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' n USERProcessHandleQuotan àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk < AppInit_DLLs`Y| ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ d 3 d n c . d l l À . d l l

**File C:\FINDnFIX\NEWWIN.TXT

000012F0: 01 00 00 00 01 00 1E 00 . 5F 44 4C 4C 73 60 59 7C ........ _DLLs`Y|

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' n USERProcessHandleQuotan àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk < AppInit_DLLs`Y| ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ d 3 d n c . d l l À . d l l


Open the FINDnFIX\Files2 subfolder and run the => "ZIPZAP.bat" file. It will quickly clean the rest.

When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\.

Post a follow up HijackThis log when done!

 

You'll be prompted to email the results - Please do so.


I accidentally deleted the e-mail window and thought another would pop up if I ran ZIPZAP again, but it didn't. Let me know if there is anything else that you guys/gals need and I'll do what I can.

 

thanks again for everything!

 

cheers!

 

Logfile of HijackThis v1.97.7

Scan saved at 1:20:48 PM, on 6/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AIM\aim.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {B029DA9D-483F-4BF5-B181-80F4837ABF77} - C:\WINDOWS\System32\fmdfb.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AIM (HKLM)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Run HijackThis and delete:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {B029DA9D-483F-4BF5-B181-80F4837ABF77} - C:\WINDOWS\System32\fmdfb.dll (file missing)

 

Wait an hour or so and then reboot. Post a new HijackThis log so I can check to ensure it is gone.

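The fix lists in this thread are built by hand from the same few indicators each time: IE Search Bar / Search Page / Start Page values that resolve to a local file:// or res:// target instead of a web page, a BHO with no name loading from System32 (or already missing), and the WildTangent updater autostart. The following is an added Python example, not part of the thread or of HijackThis, that encodes those rules and runs them over a log constructed from lines posted above. The http(s) allowlist and the `\WINDOWS\wt\` path rule are assumptions made for this example; a real triage would still check every unfamiliar CLSID and path against a known-good list.

```python
import re
from typing import List, Tuple

# Constructed sample log: lines taken from the HijackThis logs in this thread, with clean
# and infected entries mixed so the rules have something to pass as well as to flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wjetn.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {C84CD229-A7FF-4243-8A9D-84EB31B99E53} - C:\WINDOWS\System32\ohn.dll
O2 - BHO: (no name) - {B029DA9D-483F-4BF5-B181-80F4837ABF77} - C:\WINDOWS\System32\fmdfb.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<target>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK[CL][UM])\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")

# Assumptions for this example: a legitimate IE page is http(s), and anything
# autostarting from the WildTangent directory is the updater the thread removes.
SAFE_SCHEMES = ("http://", "https://")
WILDTANGENT_DIR = "c:\\windows\\wt\\"


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every entry matching a hijack indicator."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            target = m.group("target").strip()
            # A search/start page that resolves to a local file or a resource inside a
            # DLL is the hijack itself; an empty value is just a cleared setting.
            if target and not target.lower().startswith(SAFE_SCHEMES):
                findings.append((line, "IE page points at a local or resource target: " + target))
            continue
        m = O2_LINE.match(line)
        if m:
            path = m.group("path")
            if "(file missing)" in path:
                findings.append((line, "BHO registered but its DLL is gone (dangling CLSID)"))
            elif m.group("name") == "(no name)" and "\\system32\\" in path.lower():
                findings.append((line, "nameless BHO loading from System32"))
            continue
        m = O4_LINE.match(line)
        if m and m.group("cmd").lower().startswith(WILDTANGENT_DIR):
            findings.append((line, "WildTangent updater autostart"))
    return findings


def fix_list(log_text: str) -> List[str]:
    """Just the log lines to tick in HijackThis, in log order."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Every flagged line is one the helper asked to be ticked in HijackThis; the Yahoo start page, the cleared SearchAssistant value, ZoneAlarm and the AOL Toolbar's res:// context-menu entry (an O8 item, which these rules deliberately leave alone) all pass.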

Seems to be fixed so far...thanks for everything once again!

 

Logfile of HijackThis v1.97.7

Scan saved at 10:02:12 PM, on 6/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AIM\aim.exe

C:\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AIM (HKLM)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pu


Perfect ...

 

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

 

The following is a recommended maintenance regime for Windows XP:

  1. The following DIRECTORY CONTENTS (but not the directory) need to be regularly emptied. Make sure your settings allow you to view "Hidden files". Open any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check "Show Hidden Files and Folders". Click on "Apply to All Folders", respond "Yes" when prompted and click on "OK" to apply the change.
    • %windir%\prefetch\
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
  2. Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  3. Right click on "Recycle Bin", select "Empty Recycle Bin" and respond "Yes" when prompted.
  4. Back up your files. You can use Windows Backup, which must be installed from the XP CD (<cd-Drive>\valueadd\msft\ntbackup). Be sure to back up the following:
    • Office documents
    • Email data - messages and address book
    • Game saves
    • Digital photos and other artwork
    • Movies that you have created or edited
    • MP3s and other music files
    • Browser favorites and bookmarks
    • Downloaded files/programs
    • Passwords, security codes etc. for anything that is password protected, like Quicken
    • Activation codes for applications downloaded and registered
  5. Do not go without an anti-virus program. Free ones include:
  6. Be sure to run a periodic Trojan scan with any of the following programs:
  7. Use a firewall such as ZoneAlarm.
  8. Regularly scan for adware and spyware using the following programs:
  9. Defragment your system. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Defragmenter".
  10. Update your system. Go to Microsoft Windows Update and download all critical updates for your system.
  11. Clean up your disk. Click on "Start" => "Programs" => "Accessories" => "System Tools" => "Disk Cleanup".
  12. Clear your icon cache. Delete the following file: %userprofile%\Local Settings\Application Data\IconCache.db. Reboot.
  13. As bad as it may sound, once a year reinstall your O/S from scratch, i.e. reformat your hard drive, but be 100% certain that you have backed everything up as listed above.


The "about:blank" hijacking is back! I can't seem to shake this thing. I haven't even been to any websites other than the 3 or 4 that I always go to, so I don't think I've been re-infected....I don't think it was gone 100%???? Is there any way it is a trojan that comes back at a later date or something????

 

This thing is a nightmare and I can't seem to shake it....I'll start over and this time, when we think it is gone, I'll follow all the steps that you have given me as a preventive measure...hopefully that'll knock it out for good.

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:53:46 AM, on 6/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {C84CD229-A7FF-4243-8A9D-84EB31B99E53} - C:\WINDOWS\System32\ohn.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AIM (HKLM)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


You still have a program named Wildtangent Game Channel installed which is notorious for some infections. This can be removed through "Add/Remove Programs" and I strongly urge you to remove it.

 

Then, run HijackThis and delete:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {C84CD229-A7FF-4243-8A9D-84EB31B99E53} - C:\WINDOWS\System32\ohn.dll

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partner...lim/install.cab

 

Also delete the directory C:\WINDOWS\wt\ and delete the file C:\WINDOWS\System32\ohn.dll

 

After that is done, do NOT reboot. Instead, please download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results into this message for further review.


It would not allow me to delete the .....ohn.dll file. It said "access denied - make sure disk is not full or write protected and the file is not currently in use".

 

I did the other steps and this is what I got.

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Tue 06/29/2004

11:17am up 0 days, 0:27

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\D3DNC.DLL +++ File read error

\\?\C:\WINDOWS\System32\D3DNC.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

D3DNC.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group BIGDADDY\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName SUCCESS

Name = __NS_Service_3

[sC] GetServiceDisplayName SUCCESS

Name = Network Security Service

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BIGDADDY\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BIGDADDY\Owner

 

Primary Group: BIGDADDY\None

 

 

 

»»»»»»Backups created...»»»»»»

11:18am up 0 days, 0:27

Tue 06/29/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-28-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-28-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLsm

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuotan

AppInit

DLLsm

PQWSV

$%&'()*

-./012%0

3456789

BCDEFGH

KLMNOPCN

345676Q

RSTUVWX

aaaaaaab

aaaaaaaa

hijklmn

qrstuvit

 

**File C:\FINDnFIX\WIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' n USERProcessHandleQuotan àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk < S AppInit_DLLsm 3 ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ d 3 d n c . d l l À ¡9çw«dçwBÑçw

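The FINDnFIX log above shows why two readers can disagree about the same AppInit_DLLs value: the value dump prints it as an empty REG_SZ and then reports a missing trailing NUL, while the 16-bit string scan of the saved hive still finds C:\WINDOWS\System32\d3dnc.dll (the spaced-out `C : \ W I N D O W S ...` is UTF-16LE printed one byte at a time, the NUL high bytes showing as gaps). The following is an added Python example, not part of the thread or of FINDnFIX, that models the two reading policies and carves UTF-16LE strings out of a raw byte buffer the way such a scan does. The byte buffer is constructed for the example; it imitates a value cell only loosely, and the example makes no claim about how the Windows loader itself parses an unterminated value.

```python
import re
from typing import List

# Constructed sample: a value name stored as 8-bit text, followed by its data stored as
# UTF-16LE WITHOUT the two terminating NUL bytes a well-formed REG_SZ ends with.
PATH = "C:\\WINDOWS\\System32\\d3dnc.dll"
UNTERMINATED = PATH.encode("utf-16-le")
FRAGMENT = (
    b"\x00\x00\x00\x00vk\x0c\x00"               # padding, cell tag, name length (illustrative layout only)
    + len(UNTERMINATED).to_bytes(4, "little")   # stored data length
    + b"\x00" * 8                               # data offset / type fields, unused here
    + b"AppInit_DLLs"                           # value name, 8-bit
    + UNTERMINATED                              # value data, UTF-16LE, no terminator
    + b"\x00" * 4
)

# A run of printable ASCII where every character is followed by a NUL byte is how
# UTF-16LE text looks in a raw dump; that pattern is what a "16-bit string scan" hunts.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){2,}")


def carve_utf16le(data: bytes, min_chars: int = 6) -> List[str]:
    """Return every UTF-16LE string of at least min_chars printable characters in data."""
    found: List[str] = []
    for m in UTF16LE_RUN.finditer(data):
        text = m.group().decode("utf-16-le")
        if len(text) >= min_chars:
            found.append(text)
    return found


def reg_sz_strict(data: bytes) -> str:
    """A reader that insists on the UTF-16 terminator and displays an ill-formed value as empty."""
    if len(data) < 2 or len(data) % 2 or data[-2:] != b"\x00\x00":
        return ""
    return data[:-2].decode("utf-16-le", errors="replace")


def reg_sz_lenient(data: bytes) -> str:
    """A reader that decodes whatever is stored and stops at the first NUL character, if any."""
    usable = data[: len(data) - (len(data) % 2)]    # drop a dangling odd byte
    return usable.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


if __name__ == "__main__":
    print("strict reader :", repr(reg_sz_strict(UNTERMINATED)))
    print("lenient reader:", reg_sz_lenient(UNTERMINATED))
    print("16-bit carve  :", carve_utf16le(FRAGMENT))
```

The practical lesson matches what the log does: when a registry editor or a value dump shows a load-point value as blank, a string carve over the raw hive (or over a saved .hiv backup like FINDnFIX's winBack.hiv) is the second opinion that reveals whether anything is actually stored there.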

Let's get rid of this first and then we can remove that other file in safe mode ...

 

This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:

  • Open the "FINDnFIX\Keys1" Subfolder!
  • Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
  • Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:
    move C:\WINDOWS\System32\D3DNC.DLL %SystemDrive%\junkxxx\D3DNC.DLL

  • Save the file and close.
  • Get ready to restart your computer.
  • In the same folder, DoubleClick on the "FIX.bat" file.
  • You will be prompted by popup Alert to restart in 15 seconds.
  • Allow it to restart the computer!
  • On restart, Navigate to: C:\FINDnFIX\ main folder:
  • DoubleClick on the "RESTORE.bat" file.
  • It'll run and produce a new log (log1.txt). Post it here!


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Tue 06/29/2004

11:31am up 0 days, 0:00

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

\\?\C:\WINDOWS\System32\D3DNC.DLL +++ File read error

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

D3DNC.DLL Can't Open!

 

»»»»»»» (3) »»»»»»»

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

 

»»»*»»» Scanning for moved file... »»»*»»»

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

No Files to Search

 

Run Time(sec) 0

 

rem replace this entire line with your given command...

 

File not found - C:\junkxxx\*.*

 

»»Permissions:

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BIGDADDY\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BIGDADDY\Owner

 

Primary Group: BIGDADDY\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\d3dnc.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = C:\WINDOWS\System32\d3dnc.dll

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

AppInit_DLLsm

 

---------- NEWWIN.TXT

AppInit_DLLsecteÀÿÿÿC

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

000012F0: 01 00 00 00 01 00 53 00 . 5F 44 4C 4C 73 65 63 74 ......S. _DLLsect

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' n USERProcessHandleQuotan àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk < S AppInit_DLLsecteÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ d 3 d n c . d l l À ^ …ÀuùëÉÿªqëîjWXëéU‹ì‹MSVW‹}‹Gƒe Áè#?@Áà?t?^Sÿªq‹‹G3Ò÷1Wj ?D‘Pÿàªq;Çu9?F‹8ƒç‹ÏƒñQ‰|ŽPÿüªqƒð?L¾;… SÿPªq‹E_^[] ÇEW ëæU‹ìƒì‹E‹@‹MÁè#S‹ÜªqV?@ÁàW?t?FjPÿÓ‹‹øƒçƒ~ u?…Ét;‹E‹@3Ò÷1j ÿu?D‘Pÿàªq…Àuj?D¾PÿÓ;Ç„ ‹]_^‹Ã[É j?D¾PÿÓ;Ç„


Open the FINDnFIX\Files2 subfolder and run the => "ZIPZAP.bat" file. It will quickly clean the rest.

When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\.

Post a follow up HijackThis log when done!

 

You'll be prompted to email the results - Please do so.


Still OK....the web page hasn't been hijacked back, though I've been off the computer and away since this morning....

 

Logfile of HijackThis v1.97.7

Scan saved at 7:04:58 PM, on 6/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AIM (HKLM)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I'm not able to download and run spyware. I get an error message that says:

 

"This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it."

 

Any ideas???


Logfile of HijackThis v1.97.7

Scan saved at 7:47:12 AM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AIM (HKLM)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


:gasp: It's back again...for the 3rd time...it just came back this morning.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:37:38 AM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {63304DC0-7B46-473D-873B-B470B13EDF8D} - C:\WINDOWS\System32\hglic.dll

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AIM (HKLM)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»

Due to errors on various message boards I made some changes.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

If you make a mistake or use the wrong guidance, it is completely

your responsibility and the helper that assists you.

If you are not sure about the nature of the file or how

to proceed, I suggest you research it first before attempting

to remove any *unknown file on your own.

*For Helpers and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q818529-Q330994-Q824145-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

Fri 07/09/2004

10:24am up 0 days, 0:03

 

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\D3DNC.DLL +++ File read error

\\?\C:\WINDOWS\System32\D3DNC.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

D3DNC.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... D3DNC.DLL .....57344 19.06.2004

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group BIGDADDY\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName SUCCESS

Name = __NS_Service_3

[sC] GetServiceDisplayName SUCCESS

Name = Network Security Service

 

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\

notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

 

»»»»»»Backups created...»»»»»»

10:25am up 0 days, 0:04

Fri 07/09/2004

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-09-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-28-2004 winkey.reg

 

C:\FINDNFIX\

JUNKXXX Mon Jun 28 2004 7:27:48a .D... <Dir>

 

C:\FINDNFIX\FILES2\

junkxxx.zip Mon Jun 28 2004 1:15:42p A.... 8,341 8.14 K

 

2 items found: 1 file, 1 directory.

Total of file sizes: 8,341 bytes 8.14 K

 

»»Performing string scan....

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 ( h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 =t vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' n USERProcessHandleQuotan h X

000012D0: vk < S AppInit_DLLsecte C : \ W I N

00001310:D O W S \ S y s t e m 3 2 \ d 3 d n c . d l l

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

AppInit_DLLsecteÀÿÿÿC

--------------

--------------

C:\WINDOWS\System32\d3dnc.dll

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : "C:\WINDOWS\System32\d3dnc.dll"

0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.

0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.

0020 6d 00 33 00 32 00 5c 00 64 00 33 00 64 00 6e 00 | m.3.2.\.d.3.d.n.

0030 63 00 2e 00 64 00 6c 00 6c 00 00 00 | c...d.l.l...

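As an added example (not code from the thread, the helper, or the FINDnFIX package): a small Python script that parses the `[AppInitDLLs]` hex dump printed in the log above, rebuilds the raw REG_SZ bytes, decodes the UTF-16LE payload, and reports whether the trailing null that the first log flagged as missing is present. It also maps the "Size of Windows key" number onto the heuristic the log itself prints (450 default, 398 no AppInit value, 448/504/512 suspect). The dump text is copied from the log; the unterminated variant at the bottom is constructed by dropping the last two bytes, and the function names are my own.

```python
"""Added example: decode a FINDnFIX-style [AppInitDLLs] hex dump and review it.

Not part of the thread or the FINDnFIX package. The dump text below is the
one printed in the log above; the unterminated variant is constructed.
"""
import re

# Hex dump as printed in the log (offset, 16 bytes per line, ASCII column).
DUMP_FROM_LOG = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 64 00 33 00 64 00 6e 00 | m.3.2.\.d.3.d.n.
0030 63 00 2e 00 64 00 6c 00 6c 00 00 00 | c...d.l.l...
"""

# Key-size heuristic exactly as the log prints it (bytes reported for the
# HKLM\...\CurrentVersion\Windows key); these numbers are the tool's, not mine.
KEY_SIZE_DEFAULT = 450
KEY_SIZE_NO_APPINIT = 398
KEY_SIZES_SUSPECT = {448, 504, 512}

_DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")


def parse_dump(text: str) -> bytes:
    """Rebuild the raw value bytes from 'OFFSET hh hh ... | ascii' lines."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue  # blank or non-dump line
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump is not contiguous at offset {m.group(1)}")
        out += bytes.fromhex(m.group(2).strip())
    return bytes(out)


def analyse_appinit(raw: bytes) -> dict:
    """Decode a REG_SZ AppInit_DLLs payload (UTF-16LE) and report on it."""
    terminated = len(raw) >= 2 and len(raw) % 2 == 0 and raw[-2:] == b"\x00\x00"
    payload = raw[:-2] if terminated else raw
    value = payload.decode("utf-16-le", errors="replace")
    # AppInit_DLLs entries are separated by spaces or commas.
    dlls = [p for p in re.split(r"[ ,]+", value) if p]
    return {
        "value": value,
        "byte_count": len(raw),          # what the tool reports, terminator included
        "null_terminated": terminated,   # False reproduces the 'MISSING TRAILING NULL' finding
        "dlls": dlls,                    # every entry here is loaded into each GUI process
    }


def classify_key_size(size: int) -> str:
    """Map the 'Size of Windows key' number onto the log's own heuristic."""
    if size == KEY_SIZE_DEFAULT:
        return "default"
    if size == KEY_SIZE_NO_APPINIT:
        return "no AppInit_DLLs value"
    if size in KEY_SIZES_SUSPECT:
        return "suspect"
    return "unknown"


if __name__ == "__main__":
    raw = parse_dump(DUMP_FROM_LOG)
    print(analyse_appinit(raw))
    print(analyse_appinit(raw[:-2]))   # constructed: same value without its terminator
    print(classify_key_size(448))
```

Run against the dump from the log, the script recovers the 60-byte value, a single DLL path, and a present terminator; against the constructed copy with the last two bytes removed it reports the same path but `null_terminated` False, which is the condition the earlier log printed as "MISSING TRAILING NULL CHARACTER". A non-empty AppInit_DLLs list is worth reviewing on any machine, since every listed DLL is loaded into each process that links user32.dll.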

This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:

  • Open the "FINDnFIX\Keys1" Subfolder!
  • Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
  • Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:
    move C:\WINDOWS\System32\D3DNC.DLL C:\junkxxx\D3DNC.DLL

  • Save the file and close.
  • Get ready to restart your computer.
  • In the same folder, DoubleClick on the "FIX.bat" file.
  • You will be prompted by popup Alert to restart in 15 seconds.
  • Allow it to restart the computer!
  • On restart, Navigate to: C:\FINDnFIX\ main folder:
  • DoubleClick on the "RESTORE.bat" file.
  • It'll run and produce new log. (log1.txt) post it here!


»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Fri 07/09/2004

10:14pm up 0 days, 0:00

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q818529-Q330994-Q824145-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

\\?\C:\WINDOWS\System32\D3DNC.DLL +++ File read error

C:\WINDOWS\System32\D3DNC.DLL +++ File read error

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

D3DNC.DLL Can't Open!

 

»»»»»»» (3) »»»»»»»

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

Unknown/hidden files...

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... D3DNC.DLL .....57344 19.06.2004

 

»»»»»»» Search by size...

 

 

C:\WINDOWS\SYSTEM32\

d3dnc.dll Sat Jun 19 2004 3:19:50p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\D3DNC.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

 

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*

 

 

File not found - C:\FINDnFIX\junkxxx\*.*

 

»»Permissions:

There are no more files.

 

ERROR: There are no more files.

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BIGDADDY\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: BIGDADDY\Owner

 

Primary Group: BIGDADDY\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BIGDADDY\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: BIGDADDY\Owner

 

Primary Group: BIGDADDY\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\d3dnc.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = C:\WINDOWS\System32\d3dnc.dll

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\

notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 ( h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 =t vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' n USERProcessHandleQuotan h X

000012D0: vk < y AppInit_DLLs C : \ W I N

00001310:D O W S \ S y s t e m 3 2 \ d 3 d n c . d l l

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

 

---------- NEWWIN.TXT

AppInit_DLLsÿÿÿÿÀÿÿÿC

--------------

--------------

--------------

C:\WINDOWS\System32\d3dnc.dll


Open the FINDnFIX\Files2 subfolder and run the => "ZIPZAP.bat" file. It will quickly clean the rest.

When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\.

Post a follow up HijackThis log when done!

 

You'll be prompted to email the results - Please do so.


Logfile of HijackThis v1.97.7

Scan saved at 6:50:21 AM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\jt7iu82u.slt\prefs.js)

O2 - BHO: (no name) - {C2526987-E5EC-438B-935F-B1504D0979B2} - C:\WINDOWS\System32\hglic.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

\\?\C:\WINDOWS\System32\D3DNC.DLL +++ File read error

 

The file was never moved, and the directions given are outdated.

(Moveit wasn't included)

 

I've changed my steps several times in my last posts...

Last Log.txt has some indication to these changes...

 

Due to the fact that it was misused, and the final results/steps

are not read/followed by anyone, the package was withdrawn.

 

Unfortunately this is another example... :scratchhead:

Edited by freeatlast
