Help me with this about: blank


This topic is locked
23 replies to this topic

#1 anas_adam (Full Member, 21 posts)

Posted 23 June 2004 - 10:30 AM

Hi there, I have this problem with my home page, which is automatically set to about:blank, some kind of search page, also with a popup about some spyware software. I have removed it twice now; the first time was the day before yesterday. It keeps coming back somehow. It's removable with Ad-Aware, and after I remove it all is OK until the next day, when it comes back again. Before all this I had another spyware, the one with res:\... and a "random".dll in it. When that was removed I got this new CWS thing. I would very much appreciate it if someone could help me. My log file with HijackThis, just in case:


Logfile of HijackThis v1.97.7
Scan saved at 17:29:41, on 23-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3123D989-36E1-4A03-B349-6D6AB96EF61F} - C:\WINDOWS\System32\afnmib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8139.1508101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97

#2 anas_adam (Full Member, 21 posts)

Posted 23 June 2004 - 12:41 PM

Bump

#3 anas_adam (Full Member, 21 posts)

Posted 23 June 2004 - 01:31 PM

Bump

#4 anas_adam (Full Member, 21 posts)

Posted 23 June 2004 - 02:45 PM

Please, someone help me in some way...

#5 freeatlast (Retired Staff, 833 posts)

Posted 23 June 2004 - 03:02 PM

Download and install : "Beta-Fix.exe" from
the 'Find-all page' link in my signature.

Run the "!LOG!.bat" file, post the results.

#6 anas_adam (Full Member, 21 posts)

Posted 23 June 2004 - 03:44 PM

Here it is:


Logfile of HijackThis v1.97.7
Scan saved at 17:29:41, on 23-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3123D989-36E1-4A03-B349-6D6AB96EF61F} - C:\WINDOWS\System32\afnmib.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8139.1508101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97

#7 hydro (Full Member, 9 posts)

Posted 23 June 2004 - 04:10 PM

He asked for the output of the !LOG!.BAT file (the link in his sig), not another HijackThis output.

I seem to have the same 57344-byte randomly named file as several other posters, so I'll just wait to see what solutions are posted. I should have guessed it was AppInit, as Sysinternals Filemon is showing the non-listable/deletable file as being accessed by EVERY executable loaded.

#8 anas_adam (Full Member, 21 posts)

Posted 23 June 2004 - 04:15 PM

Oops, sorry, wrong paste, lol. This is the right one:




Microsoft Windows XP [version 5.1.2600]
The file system type is NTFS.
C: contains no errors.

Wed 23-06-2004
11:14pm up 0 days, 7:38
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\SQLG.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLG.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\Beta-Fix\LIST.TXT
SQLG.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINDOWS\SYSTEM32\
sqlg.dll Thu 17 Jun 2004 10:53:12 A...R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

No matches found.
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\SQLG.DLL

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read INGEBOUWD\Gebruikers
(IO) ALLOW Read INGEBOUWD\Gebruikers
(NI) ALLOW Read INGEBOUWD\Hoofdgebruikers
(IO) ALLOW Read INGEBOUWD\Hoofdgebruikers
(NI) ALLOW Full access INGEBOUWD\Administrators
(IO) ALLOW Full access INGEBOUWD\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access INGEBOUWD\Administrators
(IO) ALLOW Full access MAKER EIGENAAR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read INGEBOUWD\Gebruikers
Read INGEBOUWD\Hoofdgebruikers
Full access INGEBOUWD\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group SAAD-NCW81DES7W\Geen.
User is a member of group \Iedereen.
User is a member of group INGEBOUWD\Administrators.
User is a member of group INGEBOUWD\Gebruikers.
User is a member of group \LOKAAL.
User is a member of group NT AUTHORITY\INTERACTIEF.
User is a member of group NT AUTHORITY\Geverifieerde gebruikers.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x SAAD-NCW81DES7W\Saab
Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR
Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

Owner: SAAD-NCW81DES7W\Saab

Primary Group: SAAD-NCW81DES7W\Geen



»»»»»»Backups created...»»»»»»
11:14pm up 0 days, 7:38
Wed 23-06-2004

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-23-2004 winbackup.hiv
A C:\Beta-Fix\keys1\winkey.reg
--a-- - - - - - 287 06-23-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs’’’’Ą’’’C
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Windows
UDeviceNotSelectedTimeout
GDIProcessHandleQuota,
Spoolerw
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota
AppInit

**File C:\Beta-Fix\WIN.TXT
        Š’’’vk  ą   ĄUDeviceNotSelectedTimeoutš’’’1 5  o£Ž— ° Š’’’vk  €'   GDIProcessHandleQuota,­2š’’’9 0  čZ ą’’’vk  X    Spoolerwš’’’y e s éŌ=pą’’’vk  €   . swapdisk ° ų 8 h   Š’’’vk  (   J TransmissionRetryTimeoutŠ’’’vk  €'   USERProcessHandleQuota ą’’’° ų 8 h   Š  Ų’’’vk : H   i AppInit_DLLs’’’’Ą’’’C : \ W I N D O W S \ S y s t e m 3 2 \ s q l g . d l l C x


Edited by anas_adam, 23 June 2004 - 04:16 PM.
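Editor's added example (not part of the thread, and not code from the Beta-Fix tool). The log above is the whole point of this thread: the REGEDIT4 export of the Windows key prints "AppInit_DLLs"="", yet the 16-bit string scan of the raw key bytes shows that same value name followed, in UTF-16LE, by C:\WINDOWS\System32\sqlg.dll. Every DLL named in AppInit_DLLs is loaded by user32.dll into every process that loads user32.dll, which is why hydro sees the file opened by every executable and why it cannot be deleted while Windows is running. The Python below re-creates the raw-bytes check offline on a constructed hive fragment laid out like the 'vk' cells in the dump, and compares the result with what a regedit export says. build_sample_fragment, SAMPLE_EXPORT and the 512-byte search window are assumptions of this example; live_appinit_values only runs on Windows and is not exercised offline.

```python
import re
import sys

# Added example, not code from the thread or from the Beta-Fix tool.
# Offline re-creation of the "16bit string scan": look for a UTF-16LE DLL
# path stored behind the AppInit_DLLs value in raw hive bytes, and compare
# with what a REGEDIT4 export of the same key claims.

def build_sample_fragment() -> bytes:
    """CONSTRUCTED bytes laid out like the 'vk' cells in the log; not a real hive."""
    def vk(name: bytes) -> bytes:
        # cell size, 'vk' signature, 2-byte name length, 14 bytes standing in
        # for the data-length/offset/type/flags fields, then the ASCII name
        return (b"\xd0\xff\xff\xffvk" + len(name).to_bytes(2, "little")
                + b"\x00" * 14 + name)
    return b"".join([
        vk(b"USERProcessHandleQuota") + b"\x00" * 4,
        vk(b"AppInit_DLLs") + b"\xff\xff\xff\xff\xc0\xff\xff\xff",  # padding before data
        "C:\\WINDOWS\\System32\\sqlg.dll".encode("utf-16-le") + b"\x00\x00",
        b"\x00" * 8 + "15".encode("utf-16-le"),  # too short to count as a string
    ])

# What regedit showed for the same key in the log above (constructed copy).
SAMPLE_EXPORT = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
    '"Spooler"="yes"\n'
    '"AppInit_DLLs"=""\n'
)

# A run of at least 8 printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

def find_utf16_strings(blob: bytes) -> list:
    """(offset, text) for every printable UTF-16LE run in the blob."""
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in UTF16_RUN.finditer(blob)]

def hidden_appinit_dlls(blob: bytes, window: int = 512) -> list:
    """DLL paths found in UTF-16LE within `window` bytes after each ASCII
    'AppInit_DLLs' value name. `window` is an assumption of this example."""
    hits = []
    for m in re.finditer(rb"AppInit_DLLs", blob):
        for _, text in find_utf16_strings(blob[m.end():m.end() + window]):
            if ".dll" in text.lower():
                hits.append(text)
    return hits

def regedit_appinit(export_text: str):
    """Value of AppInit_DLLs as a REGEDIT4 export prints it, or None if absent."""
    m = re.search(r'^"AppInit_DLLs"="(.*)"\s*$', export_text, re.M)
    return m.group(1) if m else None

def compare(blob: bytes, export_text: str) -> dict:
    """Paths the raw scan sees that the export does not mention."""
    exported = regedit_appinit(export_text) or ""
    raw = hidden_appinit_dlls(blob)
    unlisted = [p for p in raw if p.lower() not in exported.lower()]
    return {"exported": exported, "raw": raw, "unlisted": unlisted}

def live_appinit_values():
    """Windows only: enumerate the real key through winreg. Names are returned
    via repr() so non-printable characters in a value name are visible."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        out = []
        for i in range(count):
            name, data, _type = winreg.EnumValue(key, i)
            out.append((repr(name), data))
        return out

if __name__ == "__main__":
    result = compare(build_sample_fragment(), SAMPLE_EXPORT)
    print("regedit export says :", repr(result["exported"]))
    print("raw byte scan finds :", result["raw"])
    print("not in the export   :", result["unlisted"])
```

Run as-is to see the discrepancy on the constructed fragment. On a real machine the same scan belongs on a raw copy of the SOFTWARE hive (for instance one written with `reg save HKLM\SOFTWARE <file>`) rather than on registry API output, because the API view is exactly what the hijacker is hiding from; that is also why the thread's tool compares the key's byte size against the known-good 450.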


#9 anas_adam (Full Member, 21 posts)

Posted 23 June 2004 - 04:34 PM

Bump

#10 anas_adam (Full Member, 21 posts)

Posted 24 June 2004 - 09:55 AM

Bump

#11 freeatlast (Retired Staff, 833 posts)

Posted 24 June 2004 - 09:59 AM

Well done!
Your bad file is positively identified on all counts!
This will take a couple or more steps to fix.
Be sure to follow the next set of steps carefully, in
the exact order specified:


-Open the Beta-Fix\Keys1 subfolder!
-Locate the "MOVEit.bat" file, right-click on it, select -> Edit:
The file will open as an empty text file.
-Copy and paste the entire highlighted line in the following quote box
(all one line) into that blank 'MOVEit' file:

move %WinDir%\System32\SQLG.DLL %SystemDrive%\junkxxx\SQLG.DLL


-Save the file and close.

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart, Navigate to:
C:\Beta-Fix\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce a new log (log1.txt); post it here!

#12 anas_adam (Full Member, 21 posts)

Posted 24 June 2004 - 10:05 AM

Ehm, I can't edit the MOVEit.bat... What should I do??

#13 freeatlast (Retired Staff, 833 posts)

Posted 24 June 2004 - 10:15 AM

Skip this step and proceed with these steps, instead:

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart,
navigate to the System32 folder, find the
"SQLG.DLL" file (it should be visible now), highlight the file,
and use the folder's top menu:
Edit > Move to folder...
Select C:\junkxxx as the destination.
Move the file and proceed to run the
C:\Beta-Fix\"RESTORE.bat" file!

#14 anas_adam (Full Member, 21 posts)

Posted 24 June 2004 - 10:50 AM

OK, done. What should I do now?? This is the log that came up when RESTORE.bat finished:



Thu 24-06-2004
5:48pm up 0 days, 0:02

Microsoft Windows XP [version 5.1.2600]
The file system type is NTFS.
C: contains no errors.

*Locked files...
* result\\?\C:\junkxxx\SQLG.DLL

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\JUNKXXX\
sqlg.dll Thu 17 Jun 2004 10:53:12 A...R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\SQLG.DLL


Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
Searching ==>C:\JUNKXXX\SQLG.DLL
Run Time(sec) 0
**File C:\JUNKXXX\SQLG.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.


-ra-- W32i - - - - 57,344 06-17-2004 sqlg.dll
A R C:\junkxxx\sqlg.dll
File: <C:\junkxxx\sqlg.dll>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\junkxxx\sqlg.dll INGEBOUWD\Administrators:F
NT AUTHORITY\SYSTEM:F
SAAD-NCW81DES7W\Saab:F
INGEBOUWD\Gebruikers:R

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x SAAD-NCW81DES7W\Saab
Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR
Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

Owner: SAAD-NCW81DES7W\Saab

Primary Group: SAAD-NCW81DES7W\Geen

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR
Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers
Allow 0000000A -c-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Iedereen

Owner: INGEBOUWD\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\sqlg.dll"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SAAD-NCW81DES7W\Saab
Allow 00000010 t--- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers

Owner: SAAD-NCW81DES7W\Saab

Primary Group: SAAD-NCW81DES7W\Geen


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read INGEBOUWD\Gebruikers
(IO) ALLOW Read INGEBOUWD\Gebruikers
(NI) ALLOW Read INGEBOUWD\Hoofdgebruikers
(IO) ALLOW Read INGEBOUWD\Hoofdgebruikers
(NI) ALLOW Full access INGEBOUWD\Administrators
(IO) ALLOW Full access INGEBOUWD\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access INGEBOUWD\Administrators
(IO) ALLOW Full access MAKER EIGENAAR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read INGEBOUWD\Gebruikers
Read INGEBOUWD\Hoofdgebruikers
Full access INGEBOUWD\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
AppInit_DLLs’’’’Ą’’’C

---------- NEWWIN.TXT
AppInit_DLLs’’’’ø
**File C:\Beta-Fix\NEWWIN.TXT
       
**File C:\Beta-Fix\NEWWIN.TXT
00001338: 01 00 00 00 01 00 7E 00 . 5F 44 4C 4C 73 FF FF FF ......~. _DLLs’’’
**File C:\Beta-Fix\NEWWIN.TXT
        Š’’’vk  ą   ĄUDeviceNotSelectedTimeoutš’’’1 5  o£Ž— ° Š’’’vk  €'   GDIProcessHandleQuota,­2š’’’9 0  čZ ą’’’vk  X    Spoolerwš’’’y e s éŌ=pą’’’vk  €   . swapdisk ° ų 8 h   Š’’’vk  (   J TransmissionRetryTimeoutŠ’’’vk  €'   USERProcessHandleQuota ą’’’° ų 8 h   Š  Ų’’’vk  €   ~ AppInit_DLLs’’’’ø

#15 freeatlast (Retired Staff, 833 posts)

Posted 24 June 2004 - 11:05 AM

Great progress! :thumbsup:

Last step(s):


-Open the Beta-Fix\Files2 subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit it
to the specified addresses! Thanks!

When done, delete the entire 'Beta-Fix' file+folder(s)
from C:\


As for the remains, run any and all
removal tools once again, as they should work properly now!
In particular, CWShredder and a fully updated Ad-Aware!
Feel free to post a follow-up HijackThis log when done! :)

#16 anas_adam (Full Member, 21 posts)

Posted 24 June 2004 - 11:05 AM

bump

#17 anas_adam (Full Member, 21 posts)

Posted 24 June 2004 - 11:16 AM

I somehow can't delete jeoidbaa.tmp from the Files2 folder... Is that bad? What should I do???

#18 freeatlast (Retired Staff, 833 posts)

Posted 24 June 2004 - 11:23 AM

I somehow can't delete jeoidbaa.tmp from the Files2 folder... Is that bad? What should I do???

That's a tmp file created by the tools!

Did you run the ZIPZAP file?

If so, restart your computer and delete the entire 'Beta-Fix' folder,
which will--obviously--include its contents! :D

#19 anas_adam (Full Member, 21 posts)

Posted 24 June 2004 - 11:25 AM

I know that it's created by the tools, but when I tried to delete the Beta-Fix folder, it couldn't delete the entire folder because it couldn't delete this tmp file...

#20 freeatlast (Retired Staff, 833 posts)

Posted 24 June 2004 - 11:29 AM

I know that it's created by the tools, but when I tried to delete the Beta-Fix folder, it couldn't delete the entire folder because it couldn't delete this tmp file...

That's only because that file was still in use...
As that may be the case, restarting your
computer should--undoubtedly--resolve the puzzle. :D

#21 anas_adam (Full Member, 21 posts)

Posted 24 June 2004 - 11:51 AM

This is my HijackThis log, please tell me if it's OK:


Logfile of HijackThis v1.97.7
Scan saved at 18:50:30, on 24-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\logon.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8139.1508101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15....ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97

#22 freeatlast (Retired Staff, 833 posts)

Posted 24 June 2004 - 12:00 PM

All's well! :thumbsup:

Stay out of trouble ;)

#23 BobB (Full Member, 8 posts)

Posted 24 June 2004 - 12:08 PM

bump

#24 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 27 June 2004 - 11:58 AM

Glad we could help :D



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.