Jump to content


Photo

About:Blank Hijack - Help please


  • Please log in to reply
34 replies to this topic

#1 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 23 June 2004 - 12:10 PM

Hi all!
You must have a major pain with this one already but here goes again.....
I'm looking for some help removing about:blank from a friend's PC.

I read your FAQ and have downloaded and executed the most recent versions of CWShredder, Ad-Aware, SpyBot, TrojanHunter and HijackThis (plus the latest data files for each) as per your instructions.

Please find included my HijackThis log. I am most gratetful for any help you can offer. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 16:47:59, on 23/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\System32\svchosd.exe
C:\WINDOWS\System32\scrgrd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wcpsvcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Application Data\nhdi.exe
C:\Program Files\Echo\engine.exe
C:\Program Files\Echo\taskbar.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Spyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A82E72FF-16C5-42F8-BF3F-EBAE616DCB83} - C:\WINDOWS\System32\pdgm.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [ngcdxl] C:\WINDOWS\System32\kdsgjh.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QUWAWGAL] C:\WINDOWS\NPBPYBP.exe
O4 - HKCU\..\Run: [ClockSync] "C:\PROGRA~1\CLOCKS~1\Sync.exe" /q
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvcc.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Assw] C:\Documents and Settings\Administrator\Application Data\nhdi.exe
O4 - Global Startup: CLEANPOP.LNK = C:\i386\regedit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SHICRILD.LNK = C:\icrtoild.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...or6/cabs/SW.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

#2 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 28 June 2004 - 10:46 AM

Please follow the instructions as listed in this post and then post a fresh HijackThis log.

#3 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 28 June 2004 - 09:04 PM

Unfortunately, AdAware cannot fix the infection you have completely,.

Please follow these instructions first:

=== Step 1 - Get File Info ===
You have a CoolWebSearch variant which requires special treatment to fix.

Download FindnFix.exe from here:
http://freeatlast100....com/index.html or
http://downloads.sub...rg/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#4 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 29 June 2004 - 06:29 AM

Hi LoPhatPhuud, PGPhantom,

Thanks for the help.

This variant has also hijacked Notepad. When FindNFix was scanning, (and presumably tried to open the resulting TXT files itself), my internet dialler and IE were launched and directed to www.casinopalazzo.com instead of Notepad. So I hope the scan completed successfully.

Apologies, I can't see how to attach the Win.txt file so have posted it in the thread.


Here is the Log.txt file....


*** freeatlast100.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

29/06/2004
11:42am up 0 days, 11:02

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\SQLHL.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT

(*3*) ........

No matches found.

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group HEWLETT-H56722N\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: HEWLETT-H56722N\Administrator

Primary Group: HEWLETT-H56722N\None



Backups created...
11:43am up 0 days, 11:02
29/06/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-29-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-29-2004 winkey.reg

Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuotaM
AppInit
DLLs.

**File C:\FINDnFIX\WIN.TXT
        vk     UDeviceNotSelectedTimeout1 5  (W  vk  '   zGDIProcessHandleQuota"9 0  ! vk  X   Spooler2y e s  vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   M USERProcessHandleQuotaM   8 h    vk < H   p AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x






And Win.txt...


regf       Pugf hbin  nk, 3:Y   x 0 < r o  Windows sk x x        
     !
   !      #
   #  ?    
     ?   
    ?    
        vk     UDeviceNotSelectedTimeout1 5  (W  vk  '   zGDIProcessHandleQuota"9 0  ! vk  X   Spooler2y e s  vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   M USERProcessHandleQuotaM   8 h    vk < H   p AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x

Thanks again,

Barry

#5 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 29 June 2004 - 09:09 AM

This will take couple or more steps to fix. Be sure to Follow the next set of steps carefully, in the exact order specified:
  • Open the "FINDnFIX\Keys1" Subfolder!
  • Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as empty text file.
  • Copy and paste the entire highlighted line in the following quote box
    (all one line) into that blank 'MOVEit' file:

    move C:\WINDOWS\System32\SQLHL.DLL C:\junkxxx\SQLHL.DLL

  • Save the file and close.
  • Get ready to restart your computer.
  • In the same folder, DoubleClick on the "FIX.bat" file.
  • You will be prompted by popup Alert to restart in 15 seconds.
  • Allow it to restart the computer!
  • On restart, Navigate to: C:\FINDnFIX\ main folder:
  • DoubleClick on the "RESTORE.bat" file.
  • It'll run and produce new log. (log1.txt) post it here!


#6 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 29 June 2004 - 10:46 AM

Hi PGPhantom,

Did that...
Had some fun trying to edit MOVEit.bat due to Notepad problems. Also cannot access spywareinfo.com site from the PC.

SpyBot-SD Resident detected 3 changes after reboot so I allowed them all guessing they were due to FIX.bat.

However, I had to do another reboot and SpyBot again detected changes. They were 1) Global Browser Toolbar - Deleted, 2) Browser Page - Value Changed and 3) Browser Page - Value Changed - msn.com -> about:blank. Not sure if these matter at this stage of the process, but you may need to know??

Anyway, here is new log Log1.txt


*** freeatlast100.100free.com ***

29/06/2004
4:05pm up 0 days, 0:02

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

***LOG1!***
Scanning for file(s)...

(1)

(2)
**File C:\FINDnFIX\LIST.TXT

(3)

No matches found.

No matches found.

(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


* Scanning for moved file... *

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



Search text: STREAMINGDEVICESETUP2 CASE Insensitive Match
No Files to Search

Run Time(sec) 0

move C:\WINDOWS\System32\SQLHL.DLL C:\junkxxx\SQLHL.DLL


Permissions:
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: HEWLETT-H56722N\Administrator

Primary Group: HEWLETT-H56722N\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
AppInit_DLLs.

---------- NEWWIN.TXT
AppInit_DLLs.
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 70 00 . 5F 44 4C 4C 73 2E 00 65 ......p. _DLLs..e
**File C:\FINDnFIX\NEWWIN.TXT
        |vk     UDeviceNotSelectedTimeout1 5  (W  vk  '   zGDIProcessHandleQuota"9 0  ! vk  X   Spooler2y e s  vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   M USERProcessHandleQuotaM   8 h    vk < H   p AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x ?;r wIy3  _^[]U? V?WP? ?VuPS?|PoV?|u P7u?tP?P?|P?tP?P83?o}9AH;|_^U? e j~?Eh PE?a?EPuu ?EPuu u)(U?  e j~?Eh PE??EPuuL u? Pu u? h P?EP4@U? e Vj~?Eh PE?u?EPuV u?EVVjP ?EPuV ?EPuu u_H^U?  Vj~?h PƅEu?lPuVs u?EPu u(?EjXP? PG4uO?EjP?lP. u6u?EVVjP+ ?EPuV ?EjP?EP,@2^U? SVW33  @;r]]33u E?5U EFE;?MrċEv]u}+E]EE?ˈ]

#7 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 29 June 2004 - 11:00 AM

You should have two copies of notepad - One in c:\windows and one in c:\windows\system32. Check the properties of each - The correct one should be 64.5 KB (66,048 bytes). If one is not, replace it with the other.

To finish this step ...

Open the FINDnFIX\Files2< Subfolder and run the => "ZIPZAP.bat" file. It will quickly clean the rest.
When done, Restart your computer and Delete and entire 'FINDnFIX' file+folder(s) From C:\.
Post a follow up HijackThis log when done!

You'll be prompted to email the results - Please do so.

#8 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 29 June 2004 - 12:15 PM

Hi PGPhantom,

Both versions of Notepad.exe were 66,048 bytes, but C:/Windows/system32 version had a creation date of 01 January 1980, so suspected that was the dodgy one and replaced it with the other. That's now fine.

I e-mailed the JunkXXX.zip file as requested.

Here is the new HJT log...

Logfile of HijackThis v1.97.7
Scan saved at 17:47:57, on 29/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\smsc.exe
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\System32\svchosd.exe
C:\WINDOWS\System32\scrgrd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Echo\engine.exe
C:\Documents and Settings\Administrator\Application Data\nhdi.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\Echo\taskbar.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Spyware\HijackThis\HijackThis.exe
D:\Spyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [ngcdxl] C:\WINDOWS\System32\kdsgjh.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\rukyuucj.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QUWAWGAL] C:\WINDOWS\NPBPYBP.exe
O4 - HKCU\..\Run: [ClockSync] "C:\PROGRA~1\CLOCKS~1\Sync.exe" /q
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Assw] C:\Documents and Settings\Administrator\Application Data\nhdi.exe
O4 - HKCU\..\Run: [Wandows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvcc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - Global Startup: CLEANPOP.LNK = C:\i386\regedit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SHICRILD.LNK = C:\icrtoild.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...or6/cabs/SW.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

#9 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 29 June 2004 - 01:19 PM

Okay, let's get the rest cleared up ...
  • Please download Symantec's Sasser Worm Removal program and run it to remove the sasser infection that you have.
  • Run either of these free online virus scans.
  • Go into "Add/Remove Programs" and look for nay of the following and uninstall them: "My Way", "My Way Search", "My Search".
  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://4-v.net/srchasst.html
    O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
    O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
    O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
    O4 - HKLM\..\Run: [ngcdxl] C:\WINDOWS\System32\kdsgjh.exe
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\Run: [Messanger] C:\WINDOWS\deamon.exe /i
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\rukyuucj.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
    O4 - HKCU\..\Run: [QUWAWGAL] C:\WINDOWS\NPBPYBP.exe
    O4 - HKCU\..\Run: [ClockSync] "C:\PROGRA~1\CLOCKS~1\Sync.exe" /q
    O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKCU\..\Run: [Assw] C:\Documents and Settings\Administrator\Application Data\nhdi.exe
    O4 - HKCU\..\Run: [Wandows Deafult Configuration] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvcc.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
    O4 - Global Startup: CLEANPOP.LNK = C:\i386\regedit.exe
    O4 - Global Startup: SHICRILD.LNK = C:\icrtoild.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    • DIRECTORIES
      • C:\PROGRA~1\MyWay\
    • FILES
      • C:\WINDOWS\System32\NDrv.dll
      • C:\WINDOWS\avserve2.exe
      • C:\WINDOWS\System32\kdsgjh.exe
      • C:\WINDOWS\winupd.exe
      • scrgrd.exe
      • smsc.exe
      • C:\WINDOWS\deamon.exe
      • C:\WINDOWS\mstasks2.exe
      • C:\WINDOWS\System32\rukyuucj.exe
      • scrgrd.exe
      • C:\WINDOWS\NPBPYBP.exe
      • C:\PROGRA~1\CLOCKS~1\Sync.exe
      • scrgrd.exe
      • C:\Documents and Settings\Administrator\Application Data\nhdi.exe
      • C:\WINDOWS\svchost.exe
      • C:\WINDOWS\System32\NDrv.exe
      • C:\WINDOWS\System32\wcpsvcc.exe
      • C:\i386\regedit.exe
      • C:\icrtoild.exe
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.


#10 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 June 2004 - 08:06 PM

Barry, based on your logs the procedure didn't work at all!
The file wasn't moved and your hiv is still infected...

* Scanning for moved file... *

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



Search text: STREAMINGDEVICESETUP2 CASE Insensitive Match
No Files to Search


---------- NEWWIN.TXT

AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x ‹Ž‹?;r wIy3


However, FINDnFIX makes certain backups.
Considering your loads of trojans, there is no point following
this process untill ALL else is gone!
I suggest you get some good disinfection, follow the
last set of steps and post follow up hijackthis log!
Your AboutBlank problem is still there, but should be
taken care of at a later stage!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#11 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 30 June 2004 - 12:56 PM

Hi freeatlast, PGPhantom,

Made some progress today, but still lots to do I think. freeatlast, I couldn't install any Anti-Virus software, so I attempted to follow instructions in PGPhantom's last post to try and get the AV installed....

Couldn't run Symantec Sasser Fix - keeps crashing....
Couldn't run either of the online Virus scanners.
Ran CWShredder 1.59.0.1 and cleaned some stuff. (SpyBot subsequently detected and blocked sp.html and about:blank re-entry attempts).
Ran HijackThis and cleaned the entries as per PGPhantom's last post.
Deleted the files and folders in Safe Mode as per PGPhantom's instructions.
BUT, I couldn't find some of the files, in particular SCRGRD.exe. Nasty f****r....

Also couldn't find:

C:\WINDOWS\System32\NDrv.dll
C:\WINDOWS\avserve2.exe
C:\WINDOWS\System32\kdsgjh.exe
C:\WINDOWS\winupd.exe
scrgrd.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\WINDOWS\svchost.exe (except in SYSTEM32 directory so left it there :unsure: )
C:\WINDOWS\System32\wcpsvcc.exe
C:\icrtoild.exe

I did find some of the above in the Windows/Prefetch directory with "some HEX number.pf" extensions, so deleted those, NPBPYBP.exe.vir was found, so deleted that aswell:unsure:

After this, I finally managed to install Norton Internet Security 2004 and eventually got LiveUpdate to run. However, I can't run Norton AntiVirus to clean any viruses. Keep getting an exception error that their website says is supposed to be fixed in the latest version of NAV.

Both Norton and SpyBot flagged SCRGRD.exe on re-boot, so I set it to block and delete it every time. Dunno if that will prevent it re-appearing or not.

Sorry everything is a bit all over the shop :scratchhead:

Also, I can't run Windows Update to get latest security patches.

Here's the latest HJT log....

Logfile of HijackThis v1.97.7
Scan saved at 17:59:42, on 30/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
C:\Program Files\Echo\engine.exe
C:\Program Files\Echo\taskbar.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
D:\Spyware3\HijackThis\HijackThis29.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...or6/cabs/SW.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CCS\Services\Tcpip\..\{E661BB84-A34C-4374-907A-3F93A2A2A30B}: NameServer = 159.134.237.6 159.134.248.17
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

The Samaritans won't even accept my calls any more!!!!
Help please...

#12 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 30 June 2004 - 01:01 PM

P.S. Notepad has been re-hijacked...

#13 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 30 June 2004 - 06:59 PM

First:
1. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.


Second:
2. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. IE/Spyad: https://netfiles.uiu...ww/resource.htm


Third:
Please go here and do an AV scan at one (preferably two) of the following:
Panda's Active Scan
http://www.pandasoft...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/v.../virusscan.aspx


Fourth:
You can download Notepad from here:
http://www.spywarein...es.html#notepad


Fifth:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab



Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Windows\Syhstem32\scrgrd.exe


*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#14 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 01 July 2004 - 11:21 AM

Hi LoPhatPhuud,

I appreciate your perseverance.

First:
1. Although logged in as Administrator, I couldn't adjust the security settings for ActiveX controls. I did as instructed but the following keeps happening...

In the ActiveX section, I set the first option, 'Download signed controls', to 'Prompt; which it appeared to do fine and clicked OK. However, when I go back in to check it, it is immediately set back to 'Disable'.

I tried to do it through the Control Panel, where it appears to maintain the setting I change it to, but when I again look at the options through Internet Explorer, it is always reset to 'Disable'.

Second:
2. I downloaded and installed both SpyWareBlaster and IE/Spyad. SpyWareBlaster installed OK, but crashed when attempting to download the latest definition files.

Third:
Can't enable the ActiveX control download (pls see first above), so I can't get any of the online virus scanners to run. Tried them all.

I did manage to get Norton AntiVirus (with the latest definitions) to run and it found about 50 threats, 17 of which could not be deleted.

Fourth:
Downloaded and replaced the two suspect versions of Notepad OK.

Fifth:
Fixed all the items in HJT, plus a number of SP.HTML and about:blank entries and another suspect .dll with a creation date of today.

Rebooted in Safe Mode but (after unchecking the boxes for hiding known file extensions and hiding protected operating system files), I still could not see
C:\Windows\Syhstem32\scrgrd.exe. Ran a full system search as well as a visual search.

Rebooted in normal mode.
about:blank is now back as home page.

:rofl:

Here's the new HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 16:15:38, on 01/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Echo\engine.exe
C:\Program Files\Echo\taskbar.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
D:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...or6/cabs/SW.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

Thanks for you help

#15 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 01 July 2004 - 06:22 PM

Barry

I believe and idea what the problem is and I need to check, Please bear with us.

Download the following file:
http://tools.zerosrealm.com/pv.zip

Unzip the file to the desktop (it will make its own folder)

Be sure at least one Internet Explorer window is open

Open the PV folder and double click on 'runme.bat'

Select Option 2

Notepad will open with a log file.

Post the log file in this thread
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#16 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 02 July 2004 - 06:52 AM

Hi LoPhatPhuud,

I'm more than happy to bear with you :thumbsup:

Am really grateful for your time, effort and patience.

Here's the PV Log file as requested...

Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library
IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor
sqlhl.dll 61c00000 61440 c:\windows\system32\sqlhl.dll
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
THSec.dll 61000000 114688 C:\Program Files\TrojanHunter 3.9\THSec.dll
oleaut32.dll 77120000 569344 C:\WINDOWS\system32\oleaut32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
OLE32.DLL 771b0000 1114112 C:\WINDOWS\system32\OLE32.DLL 5.1.2600.115 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
asOEHook.dll 10000000 196608 C:\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll 2004.1.03.7 AntiSpam OE Hook
MSVCR70.dll 7c000000 344064 C:\WINDOWS\System32\MSVCR70.dll 7.00.9466.0 Microsoft C Runtime Library
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
shdoclc.dll a80000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
NISShExt.dll ea0000 131072 C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll 7.0.0.177 NIS Shell Extension
NavShExt.dll ec0000 98304 C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll 10.00.13 Norton AntiVirusNAVShellExt Module
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
MSVCP70.dll 7c080000 487424 C:\WINDOWS\System32\MSVCP70.dll 7.00.9466.0 Microsoft C++ Runtime Library
AcroIEHelper.dll f50000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
SDHelper.dll f60000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft ® OLE Property Support DLL
urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32
mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer
MSRATING.dll 5ff20000 143360 C:\WINDOWS\System32\MSRATING.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL
WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
msratelc.dll 5ff50000 69632 C:\WINDOWS\System32\msratelc.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL
MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library
IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor
sqlhl.dll 61c00000 61440 c:\windows\system32\sqlhl.dll
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
THSec.dll 61000000 114688 C:\Program Files\TrojanHunter 3.9\THSec.dll
oleaut32.dll 77120000 569344 C:\WINDOWS\system32\oleaut32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
OLE32.DLL 771b0000 1114112 C:\WINDOWS\system32\OLE32.DLL 5.1.2600.115 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
asOEHook.dll 10000000 196608 C:\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll 2004.1.03.7 AntiSpam OE Hook
MSVCR70.dll 7c000000 344064 C:\WINDOWS\System32\MSVCR70.dll 7.00.9466.0 Microsoft C Runtime Library
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
shdoclc.dll a80000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
NISShExt.dll ea0000 131072 C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll 7.0.0.177 NIS Shell Extension
NavShExt.dll ec0000 98304 C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll 10.00.13 Norton AntiVirusNAVShellExt Module
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
MSVCP70.dll 7c080000 487424 C:\WINDOWS\System32\MSVCP70.dll 7.00.9466.0 Microsoft C++ Runtime Library
AcroIEHelper.dll f50000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
SDHelper.dll f60000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft ® OLE Property Support DLL
urlmon.dll 1a400000 495616 C:\WINDOWS\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32
mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer
MSRATING.dll 5ff20000 143360 C:\WINDOWS\System32\MSRATING.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL
WSOCK32.dll 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
msratelc.dll 5ff50000 69632 C:\WINDOWS\System32\msratelc.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Ratings and Local User Management DLL
MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
netapi32.dll 71c20000 315392 C:\WINDOWS\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.0 (XPClient.010817-1148) Still Image Devices client DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows™ Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft ® HTML Editing Component
scrauth.dll 2630000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 1, 131 ScriptBlocking Authenticator
ScrBlock.dll 2650000 131072 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 1, 131 ScriptBlocking
wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll 5.6.0.8513 Microsoft ® JScript
SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5

#17 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 July 2004 - 05:19 PM

Would you please post a new HiJackThis log in this thread as well as the following:

Download this file:
www.zerosrealm.com/downloads/pv.zip

Unzip to the desktop (It will create its own folder)

Open the PV folder and double click on runme.bat

Select Option 8, then Option 4 and post the log in this thread.

.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#18 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 03 July 2004 - 08:43 AM

Hi LoPhatPhuud,

I'm away on holiday from today until Monday the 12th, so I won't be able to do anything during that time. As soon as I return, I will get back to this fix. Talk to you then. Thanks again.

Here are the latest logs as requested...

Logfile of HijackThis v1.97.7
Scan saved at 12:05:25, on 03/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Echo\engine.exe
C:\Program Files\Echo\taskbar.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\HPWHTBX.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O2 - BHO: (no name) - {E304C252-30D5-4B97-8650-CE7F37434ACD} - C:\WINDOWS\System32\ipcpl.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...or6/cabs/SW.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie



And Proto.txt...


Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]
"CLSID"="{F8EAB454-851A-4A78-AA34-42FEF93D5490}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/plain]
"CLSID"="{F8EAB454-851A-4A78-AA34-42FEF93D5490}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

#19 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 11 July 2004 - 05:42 PM

Hi LoPhatPhuud,

I'm back in action.
Have you had a chance to look at my latest logs?

Barry

#20 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 11 July 2004 - 06:00 PM

Sam, we need to remove the HiJacker but I want to determine which way to go.

First:
=== Step 1 - Get File Info ===
You have a CoolWebSearch variant which requires special treatment to fix.

Download FindnFix.exe from here:
=== Step 1 - Get File Info ===
You have a CoolWebSearch variant which requires special treatment to fix.

Download FindnFix.exe from here:
http://freeatlast100.100free.com/ or
http://downloads.sub...rg/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

or
http://downloads.sub...rg/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)


Then:
There is a new version of HiJackThis available (198.0).

Download *Hijack This!*
http://209.133.47.12.../HijackThis.exe
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Install the new version, run it, and post a new log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#21 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 12 July 2004 - 02:16 PM

Hi LoPhatPhuud,

FindNFix is no longer available from those sites, so I am using the same version that I downloaded about two weeks ago.

Here are the latest log files as requested.

1) Log.TXT...

*** freeatlast100.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

12/07/2004
7:25pm up 11 days, 3:18

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\SQLHL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLHL.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT

(*3*) ........

No matches found.

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group HEWLETT-H56722N\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: HEWLETT-H56722N\Administrator

Primary Group: HEWLETT-H56722N\None



Backups created...
7:27pm up 11 days, 3:20
12/07/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-12-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-12-2004 winkey.reg

Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuotaM
AppInit
DLLs.

**File C:\FINDnFIX\WIN.TXT
        vk     UDeviceNotSelectedTimeout1 5  (W  vk  '   zGDIProcessHandleQuota"9 0  ! vk  X   Spooler2y e s  vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   M USERProcessHandleQuotaM   8 h    vk < H   p AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x



Apologies, I can't see how to attach a file so have to post this.

2) Win.TXT...


regf       hbin  nk, 0]   x 0 < r o  Windows sk x x        
     !
   !      #
   #  ?    
     ?   
    ?    
        vk     UDeviceNotSelectedTimeout1 5  (W  vk  '   zGDIProcessHandleQuota"9 0  ! vk  X   Spooler2y e s  vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   M USERProcessHandleQuotaM   8 h    vk < H   p AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x


3) HijackThis.LOG (From new version 1.98.0.0)

Logfile of HijackThis v1.98.0
Scan saved at 19:31:21, on 12/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Echo\engine.exe
C:\Program Files\Echo\taskbar.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\HPWHTBX.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O2 - BHO: (no name) - {E304C252-30D5-4B97-8650-CE7F37434ACD} - C:\WINDOWS\System32\ipcpl.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie
O18 - Filter: text/html - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll
O18 - Filter: text/plain - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll

#22 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 12 July 2004 - 02:39 PM

=== Unlock and Show Hidden dll ===
Download the following: (freeware)
'Salamand.zip' from:
http://www10.brinkst...last/pvtool.htm

Download 'Registrar Lite' from here:
http://www.resplendence.com/reglite

Unzip 'Salamand.zip' to its own folder.

Install 'Registrar Lite'.


Now we are going to get rid of the hidden DLL that is causing all the problems.

First we need to make it visible:
Copy and paste this line to reglite's address bar. Then press 'Go':
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Rename the Folder Windows to NotWindows
(the folder is highlighted as a purple folder in the left hand pane of Reglite)

Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\SQLHL.DLL < -- delete this line ,
'Apply' and 'ok' to set.

Rename the NotWindows folder back to its original name Windows
Restart your computer.


=== Locate, Move, and Delete Hidden dll ===
Run Salamand.exe.

Using the Menu Items at the top, do the following:
(wherever 'enter' is used, you may cut and paste the bold faced text instead)
a. Left --> Change Drive --> select 'C:'
b. Right --> Change Drive --> select 'C:'
c. Commands --> Create Directory --> enter junk --> press 'OK'
d. Options --> Command Line (be sure it is checked)
e. Commands --> Change Directory --> enter C:\windows\system32 --> press 'OK'
f. Commands --> Find Files --> press 'Edit'; in 'Search For' enter SQLHL.DLL, Uncheck 'Include subdirectories', press 'OK', press 'Start'; the file will be listed in the lower pane.
g. Press 'Focus'
h. Files --> Move/Rename --> enter c:\junk, press 'OK'
i. Left --> Change Drive --> select 'C:'

Into the narrow command window at the bottom (starts with 'c:\>')
Copy and paste the following command, then press 'Enter'

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f
(you should get 'Processed' confirmation message)

Copy and paste the following command, then press 'Enter'
attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111
(there should be no confirmation message)

In the left pane:
a. Click on the 'junk' folder
b. Files --> Delete, press 'Yes'


=== Fix Registry Permissions ===
Download the attached 'FixRegPro.zip'

Unzip 'FixRegPro.zip' to the Desktop.

Double Click on the 'FixReg' folder.
Double Click on the 'FixReg.bat' file.
Post the 'last.txt' to this thread.

Open the 'Find-All' folder
Double Click on 'Find-All.bat'
Post the 'output'txt' in this thread.


=== Clean Remaining Infection ===
Please Download CoolWebShredder, from
http://www.merijn.or.../cwshredder.zip
http://www.zerosreal.../CWShredder.zip

Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.

Next:
Download the latest version of Ad-Aware at
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp....dref/index.html

Select 'custom options'.
Select your drive, scan and fix all it finds.

Last:
Post a new HiJackThis log in this thread.

Attached Files


IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#23 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 12 July 2004 - 03:53 PM

Where can I get a copy of Find-All.bat please? It's no longer available here

#24 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 12 July 2004 - 04:00 PM

My mistake, ignore the Find-all instruction completely.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#25 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 14 July 2004 - 11:18 AM

Hi LoPhatPhuud,

Bad news I'm afraid...this is a tricksy DLL!!!

Despite repeated attempts, Registrar Lite is not able to remove SQLHL.DLL from the Appinit_DLLs value field. I followed instructions exactly - copy and paste of address, rename of Windows folder, and deleted the line C:\WINDOWS\System32\SQLHL.DLL from the Value field, clicked Apply and OK to set. It appears deleted, but on reboot, or restart of Registrar Lite the value remains there.

I didn't think it would work without successful completion of step 1, but I tried anyway to locate and delete SQLHL.DLL using Salamand. When I Start the Search, SQLHL.DLL is not found.

Have included the latest log files from FindNFix and HijackThis although they are probably the same as the last pass.

Please don't give up :wave:


Log.TXT

*** freeatlast100.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

14/07/2004
3:17pm up 0 days, 0:10

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\SQLHL.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLHL.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT

(*3*) ........

No matches found.

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access HEWLETT-H56722N\Administrator
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access HEWLETT-H56722N\Administrator


Member of...: (Admin logon required!)
User is a member of group HEWLETT-H56722N\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HEWLETT-H56722N\Administrator
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: HEWLETT-H56722N\Administrator

Primary Group: HEWLETT-H56722N\None



Backups created...
3:19pm up 0 days, 0:11
14/07/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-12-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-12-2004 winkey.reg

Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuotaM
AppInit
DLLs.

**File C:\FINDnFIX\WIN.TXT
        vk     UDeviceNotSelectedTimeout1 5  (W  vk  '   zGDIProcessHandleQuota"9 0  ! vk  X   Spooler2y e s  vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   M USERProcessHandleQuotaM   8 h    vk < H   p AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x



Win.TXT

regf       hbin  nk, 0]   x 0 < r o  Windows sk x x        
     !
   !      #
   #  ?    
     ?   
    ?    
        vk     UDeviceNotSelectedTimeout1 5  (W  vk  '   zGDIProcessHandleQuota"9 0  ! vk  X   Spooler2y e s  vk    =pswapdisk   8 h  vk  (   RTransmissionRetryTimeoutvk  '   M USERProcessHandleQuotaM   8 h    vk < H   p AppInit_DLLs. e c : \ w i n d o w s \ s y s t e m 3 2 \ s q l h l . d l l x

HijackThis.LOG


Logfile of HijackThis v1.98.0
Scan saved at 15:21:52, on 14/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Echo\engine.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Echo\taskbar.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O2 - BHO: (no name) - {E304C252-30D5-4B97-8650-CE7F37434ACD} - C:\WINDOWS\System32\ipcpl.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie
O18 - Filter: text/html - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll
O18 - Filter: text/plain - {F8EAB454-851A-4A78-AA34-42FEF93D5490} - C:\WINDOWS\System32\ipcpl.dll

Thanks,

Barry

#26 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 14 July 2004 - 11:31 AM

Please delete the FindnFix folder from your computer. The author has requested that we not use it and I will respect her wishes.

I know the method I gave you works and from your reply, I belevie there was a mistake no your end, but I need confirmation. I do not see where you renamed the key Not Windows back to Windows. Failure to do that will result in re-installation of the entry, which appears happened.

Here are the steps summarized:

1. Using Reglist, go to this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

2. In the left pane, click on purple folder and rename the Windows key to Not Windows.

3. Double click on the AppInint_dlls value and erase the file name.

4. Save the change.

5. Rename the key Not Windows back to WIndows and save the change.

6. Reboot


Follow the steps I posted earlier and then post back here.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#27 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 14 July 2004 - 11:32 AM

Hi LoPhatPhuud,

I definitely did rename the Folder back to Windows.
No doubt.

Barry

#28 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 14 July 2004 - 02:49 PM

Hi LoPhatPhuud,

To make 110% sure, I performed the procedure again renaming the Not Windows folder back to Windows. No change. The DLL continues to reappear in Appinit_DLLs after reboot and Salamand cannot find it.

Have deleted and will no longer use FindNFix as requested.

Thanks,

Barry

#29 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 14 July 2004 - 04:54 PM

I Woiuld hazard a guess that some form of registry protection is writing the value back. Possibly Spybot S&D Tea-timer, or perhas psometihng in NAV 2004.

Disconnect from the internet, boot in safe mode and then run the first steps of the procedure. Aftger renaming the key back to Windows go ahead and boot bakc to normal. The nyou can reconnect to the internet.

I think Spybot is probablythe culprit but insafe mode, nothing should be ruinning
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#30 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 15 July 2004 - 08:04 AM

LoPhatPhuud,

YOU THE MAN ;)

It was SpyBot preventing the registry change (even in Safe Mode). Uninstalled SpyBot and was able to Delete the registry value.

As soon as I found SQLHL.DLL with Salamand, Norton AV found and automatically deleted it as a Trojan. I hope it's completely gone??? I executed the rest of the commands in Salamand anyway to complete the exercise.

Here's the LOG file from FixRegPro.bat...

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


CWShredder found and fixed a number of items including the CW.SearchX variant.
Similarly, AdAware found and cleaned a number of items.


Here's the latest HijackThis Log...

Logfile of HijackThis v1.98.0
Scan saved at 12:30:46, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Echo\engine.exe
C:\Program Files\Echo\taskbar.exe
D:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = act.ie

Thanks,

Barry

#31 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 15 July 2004 - 04:41 PM

Barry,

I do think we are there. Some minor cleanup.

=== Short Fix ===

Check the following items in HiJackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - (no file)

O16 - DPF: {11111111-1111-1111-1111-111111111157} -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.

Then:
You are running an outdated and therefore unsafe version of Internet Explorer.
You NEED to upgrade to IE 6.0 SP1
http://v4.windowsupd.../en/default.asp

(Make sure you get the correct language version for your operating system! ).

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.
That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

This step is mandatory if you are to avoid Gaobot, Sasser, and Help file exploit


Last:
Let's run one last HijackThis log to be sure.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#32 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 July 2004 - 11:57 AM

Hi LoPhatPhuud,

Looks like you got it!!

I fixed the items with HJT and installed all available critical Windows updates.
Here's the latest HJT Log...

Logfile of HijackThis v1.98.0
Scan saved at 16:31:02, on 16/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Echo\pfsview.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Echo\engine.exe
C:\Program Files\Echo\taskbar.exe
C:\Program Files\Messenger\msmsgs.exe
D:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [1Disk Monitor] C:\Program Files\Echo\pfsview.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {488BAD01-798A-47CC-B723-D129A197E9A2} (Downloader Class) - http://www.downloadf...ites/signed.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = act.ie
O17 - HKLM\Software\..\Telephony: DomainName = act.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = act.ie

#33 billiebob

billiebob

    Caperjack

  • Retired Staff - Helper
  • PipPipPip
  • 248 posts

Posted 16 July 2004 - 12:14 PM

Good job guys ,but I'm a betting man ,And i bet it will be back .:)

#34 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 16 July 2004 - 01:26 PM

I don't bet, but I do not believe it will be back either.

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

1. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

2. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm

1. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#35 Barry

Barry

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 July 2004 - 03:53 PM

LoPhatPhuud,

Many thanks for your help.
You played a stormer ;)

Take care,

Barry

P.S. I will be making a donation.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button