• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
Dreamer

Hijack; sp.html; Spybot affected

19 posts in this topic

Got hijacked a week ago, tried to fix it in a myriad of different ways described here, including the long Investigation thread. So far progress was made, but I'm still hit by this. Here's a list of programs I've tried out, installed, etc and their results:

  • Mozilla - Now my default browser, although I work in Eclipse and a PHP plugin opened up a preview page that reloaded my Hijacked search page.
     
  • ZoneAlarm - Now set up for some protection.
     
  • HijackThis - Every so often finds sp.html stuff that I try to clear up, although the sp.html file is never removed from my local settings folder, so I must do it manually.
     
  • CoolWebShredder - Cleaned up Searchx, but it also detects Jksearch every single time, and despite claiming to fix it, has not yet. From Merijn's site, it seems he's still working on solving this one.
     
  • Ad-Aware - Found and removed WildTangent.
     
  • Symantec Anti-Virus - Got latest update, ran a full system scan (793,674 files, 147 minutes), found nothing, although I've had 4 quarantined Trojan's and ByteVerify's sitting in there for about a year now. However, I saw a thread on Symantec's site here that mentions a lot of files in my .NET framework folder (see item 1 on that link) that I saw I had as well. Significant?
     
  • SpyBot - Here's the fun one. I run a scan, and it tends to stop 1/3 of the way through giving me a message: Error during check! Datei C:\WINNT\System32\drivers\etc\hosts kann nicht geoffnet werden. The process cannot access the file because it is being used by another process. That doesn't sound good, and the scan never completes.

This thing also broke my Notepad.exe initially, so I'm using Textpad in the meantime. I have a Notepad.exe and Notepad.exe.bak in my System32 folder now. Not sure if this is meaningful.

 

So now I've been hitting my System32 folder looking for menaces, checking the modified date. I've gotten rid of some random 6-character dll files that have recently been created, but my two biggest ones that seem to be related to this are:

  • zllictbl.dat, an 8kb hidden file that gets created on a restart, but can be deleted manually.
  • vsconfig.xml, a 335 byte file that gets created on a restart, and is apparently being used by an active process. It cannot be deleted except in Safe Mode. I'm not sure what this is related to, and it might not be malignant, but I'm not really sure.

vsconfig's contents look like this:

<?xml version="1.0"?>
<securitypolicy version="1">
<lockupinfo server="209.87.208.60" port="0" enable="true"/>
<startuphookafd wsockvermajor="0x00050001" wsockverminor="0x0a280000" enable="false"/>
<ruleset name="startupruleset" start="onstartup" stop="afterstartup">
 <firewall>
 </firewall>
</ruleset>
</securitypolicy>

 

I also managed to find out the website of the redirect I was getting on about:blank when my Eclipse fired up: http://s1di.d8t.biz/index.php?aid=20038

 

So I'm now in a position where I'm using Mozilla, but I'm not liking that the muckware is still living on my computer actively. SpyBot isn't working properly, either, and I have strange files hitting my computer's System32. The HijackThis log doesn't show anything sinister from what I can tell, though it shows a batch of sp.html R1's if I start IE and the muck is triggered. Here's the log regardless:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:23:33 PM, on 6/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

c:\apache\Apache.exe

C:\WINNT\System32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\apache\Apache.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\apache\mysql\bin\mysqld-nt.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

c:\apache\APACHE.EXE

C:\WINNT\system32\ZoneLabs\vsmon.exe

c:\apache\APACHE.EXE

C:\Program Files\Winamp\winamp.exe

C:\Program Files\TextPad 4\TextPad.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7792.4374421296

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Bump, since it's been 5 days with no response or anything, and I've seen other issues get faster responses. I imagine this was just lost in the crush.

Share this post


Link to post
Share on other sites

You have a CoolWebSearch variant which requires special treatment to fix.

 

Download FindnFix.exe from here:

http://freeatlast100.100free.com/index.html or

http://downloads.subratam.org/FINDnFIX.exe

 

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

 

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

Relax, sit back and wait a few minutes while the program collects the necessary information.

 

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the FindnFix folder.

1. Post the contents of Log.txt in this thread.

2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

Share this post


Link to post
Share on other sites

You should understand I've become recently quite wary of running strange executables that make folders called 'junkxxx' and come from websites that sound like those I got hijacked to, but I trust in the 191 posts and 'Malware Support Mod'... :unsure:

 

And just to mention, while I believe the problematic malware is still on my machine, I think I've made it dormant or something, because Browser Hijack Blaster hasn't reported any hijack attempts for a couple days. I think it may have been because I opened the latest random dll file in my System32 (hbbch.dll) and the zllictbl.dat, opened them in Wordpad, deleted their contents, then made them read-only like I'd read in another post. They still seem to be empty, so maybe I beat em. However, just in case I can get rid of this thing completely, I ran the LOG batch file.

 

I can't seem to attach anything, so I uploaded the win.txt file somewhere so it could be linked

here.

 

 

(Log.txt)

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Tue 06/29/2004

9:01pm up 1 day, 2:47

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINNT\System32\LOGME.DLL +++ File read error

\\?\C:\WINNT\System32\LOGME.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

LOGME.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINNT\SYSTEM32\

hbbch.dll Mon Jun 28 2004 1:49:34p A...R 0 0.00 K

logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K

 

2 items found: 2 files, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\HBBCH.DLL

Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group DREAMMACHINE\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: DREAMMACHINE\Dreamer

 

Primary Group: DREAMMACHINE\None

 

 

 

»»»»»»Backups created...»»»»»»

9:02pm up 1 day, 2:49

Tue 06/29/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-29-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-29-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

=pswapdisk

TransmissionRetryTimeout

USERProcessHandleQuota

 

**File C:\FINDnFIX\WIN.TXT

Edited by Dreamer

Share this post


Link to post
Share on other sites

Thank you for you confidence. FindnFix was created by one of the experts in this field as a means to remove the super hidden dll causing the about:blank infection. None of the available programs (AdAware, Spybot, SpySweeper, etc) can totally remove this exploit. FindnFix will remove the hidden.dll, CWShredder will remove the remainder of the exploit and then HiJackThis can remove what remains.

 

But enough, on to the next step...

 

=== Step 2 - Delete Hidden DLL ===

Open the FindnFix folder.

Open the keys1 folder.

 

If you receive an error while trying to edit, see below for instructions.

RightClick on the MOVEit.bat file, select--> edit.

Copy and paste this line into the batch file, replacing the line there.

 

move %WinDir%\System32\??????.DLL %SystemDrive%\junkxxx\LOGME.DLL

 

Save the file and close.

 

Get ready to restart!

Still in the keys1 folder, double click on FIX.bat.

You will get an alert of ~20 secs before reboot.

Allow it to reboot!

 

On restart, Open the FindnFix folder.

DoubleClick on RESTORE.bat.

When it is finished, open the FindnFix folder.

Post the contents of Log1.txt in this thread.

 

 

=== In the Event and Error Occurs Trying to Edit ===

Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

 

If that happens, follow these steps instead:

Open the FindnFix folder.

Open the keys1 folder.

 

Double click on FIX.bat

You will get an alert of about 15 seconds before reboot

Allow it to reboot!

 

On restart, open Explorer and navigate to C:\Windows\System32 folder

Find the ****.DLL file (it should be visible now)

Highlight the file and using top menu, click Edit --> Move to folder...

Select C:\junkxxx as destination.

Move the file.

 

Open the FINDnFIX folder again.

Double-click on RESTORE.bat

When it is finished, open the FindnFix folder.

Post the contents of Log1.txt in this thread.

Share this post


Link to post
Share on other sites

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Wed 06/30/2004

2:46pm up 0 days, 0:08

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

\\?\C:\WINNT\System32\LOGME.DLL +++ File read error

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

LOGME.DLL Can't Open!

 

»»»»»»» (3) »»»»»»»

 

C:\WINNT\SYSTEM32\

logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL

 

»»»*»»» Scanning for moved file... »»»*»»»

 

C:\JUNKXXX\

logme.222 Mon Jun 28 2004 1:49:34p A.... 0 0.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 0 bytes 0.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

**File C:\JUNKXXX\LOGME.222

**File C:\FINDnFIX\LIST.TXT

LOGME.DLL Can't Open!

 

move %WinDir%\System32\hbbch.dll %SystemDrive%\junkxxx\LOGME.DLL

 

 

--a-- - - - - - 0 06-28-2004 logme.222

A C:\junkxxx\LOGME.222

File: <C:\junkxxx\LOGME.222> CRC-32 : 00000000 MD5 : D41D8CD9 8F00B204 E9800998 ECF8427E

»»Permissions:

C:\junkxxx\LOGME.222 BUILTIN\Users:R

BUILTIN\Power Users:C

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

DREAMMACHINE\Dreamer:F

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: DREAMMACHINE\Dreamer

 

Primary Group: DREAMMACHINE\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

File "C:\junkxxx\LOGME.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000010 t--- 001301BF ---- DS-- rw+x BUILTIN\Power Users

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer

 

Owner: DREAMMACHINE\Dreamer

 

Primary Group: DREAMMACHINE\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINNT\\System32\\logme.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = C:\WINNT\System32\logme.dll

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLs2

**File C:\FINDnFIX\NEWWIN.TXT

Edited by Dreamer

Share this post


Link to post
Share on other sites

I left off a file name in th emove specification and unfortunately you msut have missed it and kept going. The file actually moved was also harmless so we are ok.

 

Delete FindFix folder, and c:\junkxxx if it exists.

 

Then we get to run the first part again as a check.

 

 

Download FindnFix.exe from here:

http://freeatlast100.100free.com/index.html or

http://downloads.subratam.org/FINDnFIX.exe

 

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

 

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

Relax, sit back and wait a few minutes while the program collects the necessary information.

 

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the FindnFix folder.

1. Post the contents of Log.txt in this thread.

2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

Share this post


Link to post
Share on other sites

win.txt can be downloaded

here

 

log.txt:

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

Wed 07/07/2004

3:31pm up 3 days, 16:35

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINNT\System32\LOGME.DLL +++ File read error

\\?\C:\WINNT\System32\LOGME.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

LOGME.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINNT\SYSTEM32\

jen.dll Sat Jul 3 2004 3:46:26p A...R 0 0.00 K

logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K

nikalpg.dll Wed Jul 7 2004 2:29:18a A...R 0 0.00 K

obhfo.dll Sat Jul 3 2004 3:46:10p A...R 0 0.00 K

 

4 items found: 4 files, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

 

C:\WINNT\SYSTEM32\

logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\JEN.DLL

Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL

Sniffed -> C:\WINNT\SYSTEM32\NIKALPG.DLL

Sniffed -> C:\WINNT\SYSTEM32\OBHFO.DLL

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINNT\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... LOGME.DLL .....57344 17.06.2004

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group DREAMMACHINE\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Notepad check....

 

C:\WINNT\

notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

No matches found.

 

C:\WINNT\SYSTEM32\DLLCACHE\

notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: DREAMMACHINE\Dreamer

 

Primary Group: DREAMMACHINE\None

 

 

 

»»»»»»Backups created...»»»»»»

3:33pm up 3 days, 16:37

Wed 07/07/2004

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-07-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-07-2004 winkey.reg

 

»»Performing string scan....

00001150: ?

00001190: vk UDeviceNo

000011D0:tSelectedTimeout 1 5 @ vk ' z

00001210:GDIProcessHandleQuota" 9 0 | vk X

00001250:Spooler2 y e s n vk =pswapdisk

00001290: 8 h vk ( R TransmissionRetryTimeout

000012D0: vk ' c USERProcessHandleQuota 8

00001310:h vk 8 H S AppInit_DLLs2 \ C :

00001350:\ W I N N T \ S y s t e m 3 2 \ l o g m e . d l l x

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

 

---------- WIN.TXT

AppInit_DLLs2

--------------

--------------

yes

C:\WINNT\System32\logme.dll

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

 

**File C:\FINDnFIX\WIN.TXT

Share this post


Link to post
Share on other sites

=== Step 2 - Delete Hidden DLL ===

Open the FindnFix folder.

Open the keys1 folder.

 

If you receive an error while trying to edit, see below for instructions.

RightClick on the MOVEit.bat file, select--> edit.

Copy and paste this line into the batch file, replacing the line there.

 

move %WinDir%\System32\LOGME.DLL %SystemDrive%\junkxxx\LOGME.DLL

 

Save the file and close.

 

Get ready to restart!

Still in the keys1 folder, double click on FIX.bat.

You will get an alert of ~20 secs before reboot.

Allow it to reboot!

 

On restart, Open the FindnFix folder.

DoubleClick on RESTORE.bat.

When it is finished, open the FindnFix folder.

Post the contents of Log1.txt in this thread.

 

 

=== In the Event and Error Occurs Trying to Edit ===

Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

 

If that happens, follow these steps instead:

Open the FindnFix folder.

Open the keys1 folder.

 

Double click on FIX.bat

You will get an alert of about 15 seconds before reboot

Allow it to reboot!

 

On restart, open Explorer and navigate to C:\Windows\System32 folder

Find the ****.DLL file (it should be visible now)

Highlight the file and using top menu, click Edit --> Move to folder...

Select C:\junkxxx as destination.

Move the file.

 

Open the FINDnFIX folder again.

Double-click on RESTORE.bat

When it is finished, open the FindnFix folder.

Post the contents of Log1.txt in this thread.

Share this post


Link to post
Share on other sites

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

 

Sat 07/10/2004

1:54am up 0 days, 0:01

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

C:\WINNT\SYSTEM32\

jen.dll Sat Jul 3 2004 3:46:26p A...R 0 0.00 K

nikalpg.dll Wed Jul 7 2004 2:29:18a A...R 0 0.00 K

obhfo.dll Sat Jul 3 2004 3:46:10p A...R 0 0.00 K

 

3 items found: 3 files, 0 directories.

Total of file sizes: 0 bytes 0.00 K

 

No matches found.

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\JEN.DLL

Sniffed -> C:\WINNT\SYSTEM32\NIKALPG.DLL

Sniffed -> C:\WINNT\SYSTEM32\OBHFO.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

 

»»»»»(5)»»»»»

**File C:\WINNT\SYSTEM32\DLLXXX.TXT

 

»»»*»»» Scanning for moved file... »»»*»»»

 

* result\\?\C:\JUNKXXX\LOGME.222

 

 

C:\JUNKXXX\

logme.222 Thu Jun 17 2004 11:34:10p A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\LOGME.222

 

**File C:\JUNKXXX\LOGME.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- LOGME .222 0000E000 23:34.10 17/06/2004

 

move %WinDir%\System32\LOGME.DLL %SystemDrive%\junkxxx\LOGME.DLL

 

 

 

--a-- W32i - - - - 57,344 06-17-2004 logme.222

A C:\junkxxx\LOGME.222

File: <C:\junkxxx\LOGME.222> CRC-32 : D5C9FB2E MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

»»Permissions:

C:\junkxxx\LOGME.222 Everyone:(special access:) SYNCHRONIZE

FILE_EXECUTE

 

NT AUTHORITY\SYSTEM:F

BUILTIN\Administrators:F

 

C:\junkxxx\LOGME.222 Everyone:(special access:) SYNCHRONIZE

FILE_EXECUTE

 

NT AUTHORITY\SYSTEM:F

BUILTIN\Administrators:F

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000009 --o- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 101F01FF ---A DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: DREAMMACHINE\Dreamer

 

Primary Group: DREAMMACHINE\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

File "C:\junkxxx\LOGME.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: DREAMMACHINE\Dreamer

 

Primary Group: DREAMMACHINE\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

»»Notepad check....

 

C:\WINNT\

notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

No matches found.

 

C:\WINNT\SYSTEM32\DLLCACHE\

notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

00001150: ?

00001190: vk UDeviceNo

000011D0:tSelectedTimeout 1 5 @ vk ' z

00001210:GDIProcessHandleQuota" 9 0 | vk X

00001250:Spooler2 y e s n vk =pswapdisk

00001290: 8 h vk ( R TransmissionRetryTimeout

000012D0: vk ' c USERProcessHandleQuota 8

00001310:h vk AppInit_DLLs T

00001350:

00001390:

000013D0:

00001410:

00001450: $ ( , 0 4 8 < @

00001490: D H L P T X \ `

000014D0: d h l p t x |

00001510:

00001550:

 

---------- WIN.TXT

AppInit_DLLs2

 

---------- NEWWIN.TXT

AppInit_DLLs

--------------

E.222

yes

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

00001338: 01 00 00 00 01 00 00 00 . 5F 44 4C 4C 73 00 00 0F ........ _DLLs...

**File C:\FINDnFIX\NEWWIN.TXT

Share this post


Link to post
Share on other sites

=== Step 3 Cleanup ===

Open the FindnFix folder.

Open the Files2 folder.

Double Click on the ZIPZAP.bat.

 

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

 

Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

 

Please be sure to include a link to your log file in the email.

 

When done, please delete the entire FindnFix folder.

 

=== Clean Remaining Infection ===

Please Download CoolWebShredder, from

http://www.merijn.org/files/cwshredder.zip

http://www.zerosrealm.com/downloads/CWShredder.zip

 

Extract CWShredder to its own folder,

Click the 'Fix ->' button.

Make sure you let it fix all CWS Remnants.

 

Next:

Download the latest version of Ad-Aware at

http://www.lavasoft.de/software/adaware/

 

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

 

Select 'custom options'.

Select your drive, scan and fix all it finds.

 

Last:

HiJackThis version 198.0 is now available.

If you do already have it installed, download it from here:

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html

 

Post a new HiJackThis log in this thread.

 

=== End CWS about:blank Removal ===

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 1:13:34 AM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

c:\apache\Apache.exe

C:\WINNT\System32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\apache\mysql\bin\mysqld-nt.exe

C:\Program Files\Browser Hijack Blaster\bhblaster.exe

c:\apache\Apache.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

c:\apache\APACHE.EXE

c:\apache\APACHE.EXE

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Games\World of Warcraft\WoW.exe

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\PROGRA~1\DAP\DAP.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Shortcut to bhblaster.exe.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB

Share this post


Link to post
Share on other sites

At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

1. Adjust your security settings for ActiveX:]

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the

second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

 

2. Download and install the following free programs

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

1. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

 

 

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

 

 

Good luck, and thanks for coming to our forums for help with your security and malware issues.

Share this post


Link to post
Share on other sites

I greatly appreciate all of your help. Should I now just delete these random 30kb dll files that were created from this?

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0