Hijack; sp.html; Spybot affected

18 replies to this topic

#1 Dreamer (Full Member, 14 posts)

Posted 23 June 2004 - 06:56 PM

Got hijacked a week ago, tried to fix it in a myriad of different ways described here, including the long Investigation thread. So far progress was made, but I'm still hit by this. Here's a list of programs I've tried out, installed, etc and their results:
  • Mozilla - Now my default browser, although I work in Eclipse and a PHP plugin opened up a preview page that reloaded my Hijacked search page.
  • ZoneAlarm - Now set up for some protection.
  • HijackThis - Every so often finds sp.html stuff that I try to clear up, although the sp.html file is never removed from my local settings folder, so I must do it manually.
  • CoolWebShredder - Cleaned up Searchx, but it also detects Jksearch every single time, and despite claiming to fix it, has not yet. From Merijn's site, it seems he's still working on solving this one.
  • Ad-Aware - Found and removed WildTangent.
  • Symantec Anti-Virus - Got latest update, ran a full system scan (793,674 files, 147 minutes), found nothing, although I've had 4 quarantined Trojans and ByteVerifys sitting in there for about a year now. However, I saw a thread on Symantec's site here that mentions a lot of files in my .NET framework folder (see item 1 on that link) that I saw I had as well. Significant?
  • SpyBot - Here's the fun one. I run a scan, and it tends to stop 1/3 of the way through giving me a message: Error during check! Datei C:\WINNT\System32\drivers\etc\hosts kann nicht geoffnet werden. The process cannot access the file because it is being used by another process. That doesn't sound good, and the scan never completes.
This thing also broke my Notepad.exe initially, so I'm using Textpad in the meantime. I have a Notepad.exe and Notepad.exe.bak in my System32 folder now. Not sure if this is meaningful.

So now I've been hitting my System32 folder looking for menaces, checking the modified date. I've gotten rid of some random 6-character dll files that have recently been created, but my two biggest ones that seem to be related to this are:
  • zllictbl.dat, an 8kb hidden file that gets created on a restart, but can be deleted manually.
  • vsconfig.xml, a 335 byte file that gets created on a restart, and is apparently being used by an active process. It cannot be deleted except in Safe Mode. I'm not sure what this is related to, and it might not be malignant, but I'm not really sure.
vsconfig's contents look like this:
<?xml version="1.0"?>
<securitypolicy version="1">
	<lockupinfo server="209.87.208.60" port="0" enable="true"/>
	<startuphookafd wsockvermajor="0x00050001" wsockverminor="0x0a280000" enable="false"/>
	<ruleset name="startupruleset" start="onstartup" stop="afterstartup">
  <firewall>
  </firewall>
	</ruleset>
</securitypolicy>

I also managed to find out the website of the redirect I was getting on about:blank when my Eclipse fired up: http://s1di.d8t.biz/...x.php?aid=20038

So I'm now in a position where I'm using Mozilla, but I'm not liking that the muckware is still living on my computer actively. SpyBot isn't working properly, either, and I have strange files hitting my computer's System32. The HijackThis log doesn't show anything sinister from what I can tell, though it shows a batch of sp.html R1's if I start IE and the muck is triggered. Here's the log regardless:


Logfile of HijackThis v1.97.7
Scan saved at 5:23:33 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
c:\apache\Apache.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\apache\Apache.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\apache\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\apache\APACHE.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
c:\apache\APACHE.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7792.4374421296
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Dreamer (Full Member, 14 posts)

Posted 28 June 2004 - 12:46 PM

Bump, since it's been 5 days with no response or anything, and I've seen other issues get faster responses. I imagine this was just lost in the crush.

#3 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 29 June 2004 - 05:57 PM

You have a CoolWebSearch variant which requires special treatment to fix.

Download FindnFix.exe from here:
http://freeatlast100....com/index.html or
http://downloads.sub...rg/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear

#4 Dreamer (Full Member, 14 posts)

Posted 29 June 2004 - 08:12 PM

You should understand I've become recently quite wary of running strange executables that make folders called 'junkxxx' and come from websites that sound like those I got hijacked to, but I trust in the 191 posts and 'Malware Support Mod'... :unsure:

And just to mention, while I believe the problematic malware is still on my machine, I think I've made it dormant or something, because Browser Hijack Blaster hasn't reported any hijack attempts for a couple of days. I think it may have been because I opened the latest random dll file in my System32 (hbbch.dll) and the zllictbl.dat, opened them in WordPad, deleted their contents, then made them read-only like I'd read in another post. They still seem to be empty, so maybe I beat 'em. However, just in case I can get rid of this thing completely, I ran the LOG batch file.

I can't seem to attach anything, so I uploaded the win.txt file somewhere so it could be linked here.


(Log.txt)


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Tue 06/29/2004
9:01pm up 1 day, 2:47

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


C:\WINNT\System32\LOGME.DLL +++ File read error
\\?\C:\WINNT\System32\LOGME.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
LOGME.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINNT\SYSTEM32\
hbbch.dll Mon Jun 28 2004 1:49:34p A...R 0 0.00 K
logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\HBBCH.DLL
Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group DREAMMACHINE\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: DREAMMACHINE\Dreamer

Primary Group: DREAMMACHINE\None



»»»»»»Backups created...»»»»»»
9:02pm up 1 day, 2:49
Tue 06/29/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-29-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-29-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
fłAppInit_DLLsÖ?ęGĄ’’’C
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuota

**File C:\FINDnFIX\WIN.TXT


Edited by Dreamer, 29 June 2004 - 08:13 PM.


#5 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 29 June 2004 - 09:37 PM

Thank you for your confidence. FindnFix was created by one of the experts in this field as a means to remove the super hidden dll causing the about:blank infection. None of the available programs (AdAware, Spybot, SpySweeper, etc) can totally remove this exploit. FindnFix will remove the hidden dll, CWShredder will remove the remainder of the exploit and then HiJackThis can remove what remains.

But enough, on to the next step...

=== Step 2 - Delete Hidden DLL ===
Open the FindnFix folder.
Open the keys1 folder.

If you receive an error while trying to edit, see below for instructions.
Right-click on the MOVEit.bat file, select --> edit.
Copy and paste this line into the batch file, replacing the line there.

move %WinDir%\System32\??????.DLL %SystemDrive%\junkxxx\LOGME.DLL

Save the file and close.

Get ready to restart!
Still in the keys1 folder, double click on FIX.bat.
You will get an alert of ~20 secs before reboot.
Allow it to reboot!

On restart, Open the FindnFix folder.
Double-click on RESTORE.bat.
When it is finished, open the FindnFix folder.
Post the contents of Log1.txt in this thread.


=== In the Event an Error Occurs Trying to Edit ===
Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

If that happens, follow these steps instead:
Open the FindnFix folder.
Open the keys1 folder.

Double click on FIX.bat
You will get an alert of about 15 seconds before reboot
Allow it to reboot!

On restart, open Explorer and navigate to C:\Windows\System32 folder
Find the ****.DLL file (it should be visible now)
Highlight the file and using top menu, click Edit --> Move to folder...
Select C:\junkxxx as destination.
Move the file.

Open the FINDnFIX folder again.
Double-click on RESTORE.bat
When it is finished, open the FindnFix folder.
Post the contents of Log1.txt in this thread.

#6 Dreamer (Full Member, 14 posts)

Posted 30 June 2004 - 01:44 PM

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Wed 06/30/2004
2:46pm up 0 days, 0:08

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s)...

»»»»»»» (1) »»»»»»»
\\?\C:\WINNT\System32\LOGME.DLL +++ File read error

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT
LOGME.DLL Can't Open!

»»»»»»» (3) »»»»»»»

C:\WINNT\SYSTEM32\
logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL

»»»*»»» Scanning for moved file... »»»*»»»

C:\JUNKXXX\
logme.222 Mon Jun 28 2004 1:49:34p A.... 0 0.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 0 bytes 0.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

**File C:\JUNKXXX\LOGME.222
**File C:\FINDnFIX\LIST.TXT
LOGME.DLL Can't Open!

move %WinDir%\System32\hbbch.dll %SystemDrive%\junkxxx\LOGME.DLL


--a-- - - - - - 0 06-28-2004 logme.222
A C:\junkxxx\LOGME.222
File: <C:\junkxxx\LOGME.222> CRC-32 : 00000000 MD5 : D41D8CD9 8F00B204 E9800998 ECF8427E
»»Permissions:
C:\junkxxx\LOGME.222 BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DREAMMACHINE\Dreamer:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: DREAMMACHINE\Dreamer

Primary Group: DREAMMACHINE\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\LOGME.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000010 t--- 001301BF ---- DS-- rw+x BUILTIN\Power Users
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer

Owner: DREAMMACHINE\Dreamer

Primary Group: DREAMMACHINE\None


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINNT\\System32\\logme.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINNT\System32\logme.dll

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
fłAppInit_DLLsÖ?ęGĄ’’’C

---------- NEWWIN.TXT
AppInit_DLLs2
**File C:\FINDnFIX\NEWWIN.TXT

Edited by Dreamer, 30 June 2004 - 01:48 PM.
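An added triage helper, not part of FindnFix or of any post in this thread: it reads a FindnFix Log.txt/Log1.txt dump like the ones quoted above, extracts the Windows key size and the AppInit_DLLs value, and flags the hidden-DLL indicators the log itself calls out (the tool's fake/infected key sizes, the missing trailing NUL, and a REGEDIT4 export that disagrees with the raw dump). The three sample logs are constructed, cut down from posts #4 and #6 and a clean default.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Reference key sizes that the FindnFix log prints beside its own measurement:
# "(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)".
DEFAULT_KEY_SIZE = 450
NO_APPINIT_KEY_SIZE = 398
INFECTED_KEY_SIZES = {448, 504, 512}

# Marker the tool prints when the REG_SZ data has no terminating NUL, which is
# what keeps the value out of sight of regedit and most scanners.
MISSING_NULL_MARKER = "(*** MISSING TRAILING NULL CHARACTER ***)"

_KEY_SIZE_RE = re.compile(
    r"Size of HKEY_LOCAL_MACHINE\\software\\microsoft\\Windows NT\\CurrentVersion\\Windows:\s*(\d+)",
    re.IGNORECASE,
)
# Flattened "AppInit_DLLs = value" line under the key header in "Dumping Values".
_APPINIT_DUMP_RE = re.compile(r"^AppInit_DLLs\s*=(.*)$", re.MULTILINE)
# The same value as it appears in the REGEDIT4 export (winkey.reg / WIN.TXT).
_APPINIT_REG_RE = re.compile(r'^"AppInit_DLLs"="(.*)"\s*$', re.MULTILINE)


@dataclass
class AppInitTriage:
    key_size: Optional[int] = None
    appinit_value: Optional[str] = None  # None when absent or unreadable, "" when empty
    missing_trailing_null: bool = False
    reg_export_value: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_findnfix_log(text: str) -> AppInitTriage:
    """Pull the AppInit_DLLs indicators out of a FindnFix Log.txt / Log1.txt dump."""
    t = AppInitTriage()

    m = _KEY_SIZE_RE.search(text)
    if m:
        t.key_size = int(m.group(1))
        if t.key_size in INFECTED_KEY_SIZES:
            t.findings.append(
                f"Windows key size {t.key_size} is one the tool lists as fake/infected "
                f"(default {DEFAULT_KEY_SIZE}, no AppInit value {NO_APPINIT_KEY_SIZE})"
            )

    m = _APPINIT_DUMP_RE.search(text)
    if m:
        raw = m.group(1).strip()
        if raw == MISSING_NULL_MARKER:
            t.missing_trailing_null = True
            t.findings.append("AppInit_DLLs data has no trailing NUL; regedit will not show it")
        else:
            t.appinit_value = raw
            if raw:
                t.findings.append(f"AppInit_DLLs loads {raw} into every process that maps user32.dll")

    m = _APPINIT_REG_RE.search(text)
    if m:
        t.reg_export_value = m.group(1)
        if t.reg_export_value == "" and (t.missing_trailing_null or t.appinit_value):
            t.findings.append("REGEDIT4 export shows AppInit_DLLs empty but the raw dump does not; "
                              "do not rely on the .reg export for this key")
    return t


# Constructed sample logs, trimmed and modeled on the thread's posts #4 and #6
# plus a clean default; they are not copies of the poster's actual files.
SAMPLE_BEFORE_FIX = r"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
Spooler = yes

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""

SAMPLE_AFTER_MOVE = r"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Spooler = yes
AppInit_DLLs = C:\WINNT\System32\logme.dll
"""

SAMPLE_CLEAN = r"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
"""
```

Run `triage_findnfix_log` over a pasted Log.txt and read `.findings`; an empty list with key size 450 or 398 is what a clean key looks like in this tool's output.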


#7 Dreamer (Full Member, 14 posts)

Posted 04 July 2004 - 01:12 AM

So... what now? :whistle:

#8 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 04 July 2004 - 01:34 AM

I left off a file name in the move specification and unfortunately you must have missed it and kept going. The file actually moved was also harmless so we are ok.

Delete the FindnFix folder, and c:\junkxxx if it exists.

Then we get to run the first part again as a check.


Download FindnFix.exe from here:
http://freeatlast100....com/index.html or
http://downloads.sub...rg/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

#9 Dreamer (Full Member, 14 posts)

Posted 07 July 2004 - 12:41 AM

Hmm, both links are down.

#10 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 07 July 2004 - 12:51 AM

They will be up later.

#11 Dreamer (Full Member, 14 posts)

Posted 07 July 2004 - 02:36 PM

win.txt can be downloaded here.

log.txt:


»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

Wed 07/07/2004
3:31pm up 3 days, 16:35

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINNT\System32\LOGME.DLL +++ File read error
\\?\C:\WINNT\System32\LOGME.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
LOGME.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINNT\SYSTEM32\
jen.dll Sat Jul 3 2004 3:46:26p A...R 0 0.00 K
logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K
nikalpg.dll Wed Jul 7 2004 2:29:18a A...R 0 0.00 K
obhfo.dll Sat Jul 3 2004 3:46:10p A...R 0 0.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K


C:\WINNT\SYSTEM32\
logme.dll Thu Jun 17 2004 11:34:10p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\JEN.DLL
Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL
Sniffed -> C:\WINNT\SYSTEM32\NIKALPG.DLL
Sniffed -> C:\WINNT\SYSTEM32\OBHFO.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\LOGME.DLL

»»»»»(*5*)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT
Æ Access denied ® ..................... LOGME.DLL .....57344 17.06.2004

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group DREAMMACHINE\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINNT\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: DREAMMACHINE\Dreamer

Primary Group: DREAMMACHINE\None



»»»»»»Backups created...»»»»»»
3:33pm up 3 days, 16:37
Wed 07/07/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-07-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-07-2004 winkey.reg

»»Performing string scan....
00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 @ vk ' z
00001210:GDIProcessHandleQuota" 9 0 | vk X
00001250:Spooler2 y e s n vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' c USERProcessHandleQuota 8
00001310:h vk 8 H S AppInit_DLLs2 \ C :
00001350:\ W I N N T \ S y s t e m 3 2 \ l o g m e . d l l x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLs2
--------------
--------------
yes
C:\WINNT\System32\logme.dll
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""


**File C:\FINDnFIX\WIN.TXT

#12 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 07 July 2004 - 03:10 PM

=== Step 2 - Delete Hidden DLL ===
Open the FindnFix folder.
Open the keys1 folder.

If you receive an error while trying to edit, see below for instructions.
Right-click on the MOVEit.bat file, select --> Edit.
Copy and paste this line into the batch file, replacing the line there.

move %WinDir%\System32\LOGME.DLL %SystemDrive%\junkxxx\LOGME.DLL

Save the file and close.

Get ready to restart!
Still in the keys1 folder, double click on FIX.bat.
You will get an alert of ~20 secs before reboot.
Allow it to reboot!

On restart, Open the FindnFix folder.
Double-click on RESTORE.bat.
When it is finished, open the FindnFix folder.
Post the contents of Log1.txt in this thread.


=== In the Event an Error Occurs Trying to Edit ===
Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find 'C:FINDnFIX\keys1\MOVEit.bat'. Make sure you typed the name correctly, then try again."

If that happens, follow these steps instead:
Open the FindnFix folder.
Open the keys1 folder.

Double click on FIX.bat
You will get an alert of about 15 seconds before reboot
Allow it to reboot!

On restart, open Explorer and navigate to C:\Windows\System32 folder
Find the ****.DLL file (it should be visible now)
Highlight the file and using top menu, click Edit --> Move to folder...
Select C:\junkxxx as destination.
Move the file.

Open the FINDnFIX folder again.
Double-click on RESTORE.bat
When it is finished, open the FindnFix folder.
Post the contents of Log1.txt in this thread.
Microsoft MVP Windows-Security 2005



When angry count four; when very angry, swear

#13 Dreamer

    Member

  • Full Member
  • 14 posts

Posted 10 July 2004 - 12:58 AM

»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

Sat 07/10/2004
1:54am up 0 days, 0:01

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

C:\WINNT\SYSTEM32\
jen.dll Sat Jul 3 2004 3:46:26p A...R 0 0.00 K
nikalpg.dll Wed Jul 7 2004 2:29:18a A...R 0 0.00 K
obhfo.dll Sat Jul 3 2004 3:46:10p A...R 0 0.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 0 bytes 0.00 K

No matches found.

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\JEN.DLL
Sniffed -> C:\WINNT\SYSTEM32\NIKALPG.DLL
Sniffed -> C:\WINNT\SYSTEM32\OBHFO.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



»»»»»(5)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT

»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\JUNKXXX\LOGME.222


C:\JUNKXXX\
logme.222 Thu Jun 17 2004 11:34:10p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\LOGME.222

**File C:\JUNKXXX\LOGME.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.

A----- LOGME .222 0000E000 23:34.10 17/06/2004

move %WinDir%\System32\LOGME.DLL %SystemDrive%\junkxxx\LOGME.DLL



--a-- W32i - - - - 57,344 06-17-2004 logme.222
A C:\junkxxx\LOGME.222
File: <C:\junkxxx\LOGME.222> CRC-32 : D5C9FB2E MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
»»Permissions:
C:\junkxxx\LOGME.222 Everyone:(special access:) SYNCHRONIZE
FILE_EXECUTE

NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

C:\junkxxx\LOGME.222 Everyone:(special access:) SYNCHRONIZE
FILE_EXECUTE

NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DREAMMACHINE\Dreamer
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000009 --o- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: DREAMMACHINE\Dreamer

Primary Group: DREAMMACHINE\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\LOGME.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: DREAMMACHINE\Dreamer

Primary Group: DREAMMACHINE\None


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Notepad check....

C:\WINNT\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 @ vk ' z
00001210:GDIProcessHandleQuota" 9 0 | vk X
00001250:Spooler2 y e s n vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' c USERProcessHandleQuota 8
00001310:h vk AppInit_DLLs T
00001350:
00001390:
000013D0:
00001410:
00001450: $ ( , 0 4 8 < @
00001490: D H L P T X \ `
000014D0: d h l p t x |
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLs2

---------- NEWWIN.TXT
AppInit_DLLs
--------------
E.222
yes
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 00 00 . 5F 44 4C 4C 73 00 00 0F ........ _DLLs...
**File C:\FINDnFIX\NEWWIN.TXT
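The two logs above show the same "Windows" key before and after the fix: the string scan and WIN.TXT carry C:\WINNT\System32\logme.dll in AppInit_DLLs, NEWWIN.TXT shows it empty, and the log prints its own key-size heuristic ("Default-450, No AppInit-398, fake(infected)-448,504,512"). As an added example, not FindnFix's code or anything posted in this thread, here is a Python check that parses that REGEDIT4 export format, reports any DLL listed in AppInit_DLLs, and maps a key size onto the log's categories; the sample exports are constructed from the values in the log.

```python
"""Check a REGEDIT4 export of the 'Windows' key for AppInit_DLLs persistence.
Added example, not FindnFix code; uses the WIN.TXT / NEWWIN.TXT export format."""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Sizes quoted by the log: default 450, no AppInit value 398, infected 448/504/512.
DEFAULT_SIZE, NO_APPINIT_SIZE, INFECTED_SIZES = 450, 398, {448, 504, 512}

# Constructed from the REGEDIT4 block in the clean log (AppInit_DLLs empty).
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
"""
# Constructed infected variant with the path the hive string scan showed (REGEDIT4 doubles backslashes).
INFECTED_EXPORT = CLEAN_EXPORT.replace(
    '"AppInit_DLLs"=""', r'"AppInit_DLLs"="C:\\WINNT\\System32\\logme.dll"')

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_regedit4(text):
    """Return {key_path: {value_name: value}}; strings unescaped, dwords as int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # REGEDIT4 header, blank lines and other noise
        data = m.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':
            value = data[1:-1].replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data  # hex(...) and other types kept as raw text
        keys[current][m.group("name")] = value
    return keys


def appinit_findings(export_text):
    """Findings for the Windows key as strings; an empty list means clean."""
    values = parse_regedit4(export_text).get(WINDOWS_KEY)
    if values is None:
        return ["Windows key not present in export"]
    appinit = values.get("AppInit_DLLs")
    if appinit is None:
        return ["AppInit_DLLs value missing (the log's 'No AppInit' state)"]
    # AppInit_DLLs holds a space- or comma-separated list of DLL paths.
    dlls = [d for d in re.split(r"[ ,;]+", appinit.strip()) if d]
    return [f"AppInit_DLLs loads {dll}" for dll in dlls]


def classify_key_size(size):
    """Map the log's 'Size of Windows key' number to its own categories."""
    if size == DEFAULT_SIZE:
        return "default"
    if size == NO_APPINIT_SIZE:
        return "no AppInit_DLLs value"
    if size in INFECTED_SIZES:
        return "size seen on infected systems"
    return "unexpected size, inspect manually"
```

Run against the two constructed exports, the infected one yields a single finding naming logme.dll and the clean one yields none, matching the before/after state in the logs.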

#14 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 10 July 2004 - 01:07 AM

=== Step 3 Cleanup ===
Open the FindnFix folder.
Open the Files2 folder.
Double-click on the ZIPZAP.bat.

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to your log file in the email.

When done, please delete the entire FindnFix folder.

=== Clean Remaining Infection ===
Please Download CoolWebShredder, from
http://www.merijn.or.../cwshredder.zip
http://www.zerosreal.../CWShredder.zip

Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.

Next:
Download the latest version of Ad-Aware at
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp....dref/index.html

Select 'custom options'.
Select your drive, scan and fix all it finds.

Last:
HiJackThis version 1.98.0 is now available.
If you do already have it installed, download it from here:
http://209.133.47.12.../HijackThis.exe
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Post a new HiJackThis log in this thread.

=== End CWS about:blank Removal ===

#15 Dreamer

    Member

  • Full Member
  • 14 posts

Posted 11 July 2004 - 12:13 AM

Logfile of HijackThis v1.98.0
Scan saved at 1:13:34 AM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
c:\apache\Apache.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\apache\mysql\bin\mysqld-nt.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
c:\apache\Apache.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Games\World of Warcraft\WoW.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to bhblaster.exe.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gate...//PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB

#16 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 11 July 2004 - 12:22 AM

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.

#17 Dreamer

    Member

  • Full Member
  • 14 posts

Posted 12 July 2004 - 11:03 AM

I greatly appreciate all of your help. Should I now just delete these random 30kb dll files that were created from this?

#18 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 12 July 2004 - 11:45 AM

Yes, you may delete them all.

#19 tanya_u

    Member

  • Full Member
  • 11 posts

Posted 28 July 2004 - 04:47 AM

Hi

Edited by tanya_u, 28 July 2004 - 04:55 AM.
