[Solved] notepad gone - trojan (merged)

Discussion in 'adware, spyware & hijack cleaning' started by kukuku, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    (Mod Note: Member has posted a more recent hijackthis log, which has been merged into this current thread (see post #3) - snap)


    hi
    i tried to use notepad this morning but it's icon had changed and it wouldn't open. norton av had just detected and deleted a trojan (trojan.startpage) which i assume is connected to the notepad issue.
    i updated and ran
    adaware - nothing
    spybot - nothing
    cwshredder - removed CWS.Jksearch
    norton av scan with system restore disabled - nothing
    (the recent activity log in norton reads
    Source: C:\WINDOWS\System32\dlok.dll
    Source: C:\WINDOWS\System32\bhafomi.dll
    Source: C:\WINDOWS\System32\dhcofne.dll
    Source: C:\WINDOWS\System32\bkkff.dll
    Source: C:\WINDOWS\SYSTEM32\TELNET.EXE,Description: The file C:\WINDOWS\SYSTEM32\TELNET.EXE is infected with the Trojan.KillAV virus.
    Source: Parser.class,Description: The compressed file Parser.class within C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\IH4BQ1CP\loaderadv74[1].jar is infected with the Trojan.ByteVerify virus.
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\windows\system32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\SYSTEM32\telnet.exe
    Source: C:\WINDOWS\System32\telnet.exe
    Source: C:\WINDOWS\System32\telnet.exe
    Source: C:\WINDOWS\System32\telnet.exe
    Source: C:\WINDOWS\System32\telnet.exe
    Source: C:\WINDOWS\system32\telnet.exe
    Source: C:\WINDOWS\system32\telnet.exe
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\IH4BQ1CP\loadadv74[1].exe
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\IH4BQ1CP\loadadv74[1].exe
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\6U2DJWS6\adv74[1].php
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\ODZCYECJ\VerifierBug[1].class
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\V7DI6ENZ\BlackBox[1].class
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\RIXNL58Q\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\9OXCLZMU\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\6U2DJWS6\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\IH4BQ1CP\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\P80MK91Z\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\6U2DJWS6\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\V7DI6ENZ\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\6U2DJWS6\s2[1].js
    Source: C:\Documents and Settings\Feis\Local Settings\Temporary Internet Files\Content.IE5\IH4BQ1CP\s2[1].js)

    HiJack This Log
    Logfile of HijackThis v1.97.7
    Scan saved at 09:06:08, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\AOL 8.0a\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccLgView.exe
    C:\Program Files\AOL 8.0a\waol.exe
    C:\Program Files\AOL 8.0a\shellmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users\Documents\AOL Downloads\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.502025463
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.35.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{452E623E-FA97-4BC3-B9F2-ACD87D329DCA}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CS1\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.35.134


    How does it look? And, how do i get notepad back?
    Also, should i disable sys restore when running adaware etc?

    Many thanks
    Ben
    UPDATE
    There is definitely problem. The computer was running very slow so i restarted and when i came back online i got 16 pop-ups about bugs/parasites/free online scans etc. They only stopped because i reached the max windows open. IE home page changed to about:blank.
    Any help gratefully appreciated.
    Ben
    UPDATE
    I have re-run adaware (13 items removed) and spybot (all clear). Hijack log
    Logfile of HijackThis v1.97.7
    Scan saved at 11:01:29, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\AOL 8.0a\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Documents and Settings\All Users\Documents\AOL Downloads\Spyware\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.502025463
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Home page is back to normal but notepad is still broken. Any idea how to fix it?
    Thanks
    ben
     
    Last edited by a moderator: Jul 5, 2004
  2. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan

    UPDATE
    i haven't had pop-ups again after running adaware but would like confirmation on my recent hijack log.
    re notepad. i renamed notepad.exe.bak to notepad.exe in the WINDOWS folder and pointed the target to this file. it now works!
    can anyone shed any light on what happened to cause this? as i fixed it by pure luck can anyone confirm i haven't done any damage...
    thanks
    ben
     
  3. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    home page reset to about:blank - hijack log

    hi

    well i thought i had fixed this but no. page keeps being reset to about:blank. computer is very slow and i have been getting kicked offline occasionally.

    many thanks for any help offered. i have been sat here for hours trying to sort it.

    ben




    Logfile of HijackThis v1.97.7
    Scan saved at 16:03:47, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\AOL 8.0a\aoltray.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AOL 8.0a\waol.exe
    C:\Program Files\AOL 8.0a\shellmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users\Documents\AOL Downloads\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {B8BB693E-AAE5-4FD0-945C-177DBCCFE2D9} - C:\WINDOWS\System32\iaaega.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.502025463
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.48.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{452E623E-FA97-4BC3-B9F2-ACD87D329DCA}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CS1\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.48.134
     
  4. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  5. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: home page reset to about:blank - hijack log

    hi snapdragin

    yes it is the same computer. i posted anew because i thought i had the problem licked...and said so in the previous post! sorry.

    i have been at this all day now. i've done a lot of searching around
    i tried this...
    http://www.spywareinfoforum.com/~merijn/cwschronicles.html#realyellowpage
    but couldn't find the .dll.
    and other sites require the recovery console from the xp disc which is in an office on the island of Lewis and i am here in Edinburgh (Scotland).
    If you or anyone can help it'd be much appreciated as this is my work laptop and it is almost at a standstill.
    Kind regards
    ben
     
  6. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: notepad gone - trojan (merged)

    Hi kukuku,

    I have merged your two most recent threads together. I won't merge them with your other thread (now marked solved) as it looks like you have a new CWS infection.

    You can try following this fix Pieter Arntz has posted:
    Another about:blank variant: https://www.wilderssecurity.com/showthread.php?t=28658&page=2
    Scroll down to post #27

    And also make sure you have the most recent version of AdAware & Spybot Search & Destroy and they are updated.
    Download links and instructions can be found here

    Post back the results here in this thread along with a new log.

    Regards,

    snap
     
  7. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi
    i followed the instructions but...
    when i highlighted the explorer.exe in apm the bho i had fixed from the hijack this log wasn't there so i couldn't unload the dll.
    i rebooted then ran adaware (13items)/spybot(allclear).
    hijack log below

    Logfile of HijackThis v1.97.7
    Scan saved at 18:48:25, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\AOL 8.0a\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AOL 8.0a\waol.exe
    C:\Program Files\AOL 8.0a\shellmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users\Documents\AOL Downloads\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.502025463
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.34.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{452E623E-FA97-4BC3-B9F2-ACD87D329DCA}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CS1\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.34.134

    i can see the about:blank r1 is back so i guess the bho i couldn't find had changed its name?
    the bho i "fixed" previously was
    O2 - BHO: (no name) - {B8BB693E-AAE5-4FD0-945C-177DBCCFE2D9} - C:\WINDOWS\System32\iaaega.dll
    but there definitely wasn't a filed named that in the apm window.

    thanks in advance for advice
    ben
     
  8. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi
    my home page has changed back to about:blank.
    i ran a housecall scan - found 3 items

    Troj Strtpage.IX - Non-cleanable - C:\Documents and Settings\All Users\Documents\AOLDownloads\Spyware\backup-20040705-181222-970.dll

    Troj Strtpage.IX - Non-cleanable - c:\System Volume Information\_restore{987EO331-OFO1-427C-A58A-7A2E4AABF84D}\RP181-A0035736.dll

    Troj Strtpage.IX - CanNotAccess - C:\WINDOWS\System32\hajfeda.dll

    My computer is very slow/standstill. I repeatedly receive a message that Virtual Memory Minimum Is Too Low.

    Many thanks for any advice given.

    ben
     
  9. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: notepad gone - trojan (merged)

    Hi Ben,

    Could you post another log for me, please?

    Regards,

    snap
     
  10. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi snap
    sorry it took so long. it is taking minutes just to move between screens at the moment!

    regards
    ben

    Logfile of HijackThis v1.97.7
    Scan saved at 11:20:36, on 06/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\AOL 8.0a\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AOL 8.0a\waol.exe
    C:\Program Files\AOL 8.0a\shellmon.exe
    C:\Documents and Settings\All Users\Documents\AOL Downloads\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Feis\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0A2F50B2-F718-4FCC-999D-5EF12D0C10B4} - C:\WINDOWS\System32\hajfeda.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.502025463
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.50.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{452E623E-FA97-4BC3-B9F2-ACD87D329DCA}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CS1\Services\Tcpip\..\{056344A9-A811-4CAF-B3C6-7516D3A10F57}: NameServer = 195.93.50.134
     
  11. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: notepad gone - trojan (merged)

    Hi Ben,

    This will take couple of steps to fix. Be sure to follow the each set of steps carefully, in the exact order specified:

    Make sure you have Hidden Files and Folders Viewable
    Click Start > My Computer >Select the Tools menu >click Folder Options >Select the View Tab. Under the "Hidden files and folders" heading, select Show hidden files and folders. UN-check the "Hide protected operating system files (recommended)" option. Then click Yes.

    If you have not done so already, download and install AdAware6.
    Download links and instructions can be found here
    Make sure you have the most recent Reference file update: Reference Number : 01R327 05.07.2004 if not higher.

    Then reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Scan with AdAware while in safe mode, then reboot your computer normally.

    Next Step:

    Download FINDnFIX.exe (2K/XP only!) by freeatlast, from here:
    http://freeatlast100.100free.com/index.html

    Double-Click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system.

    Open the FINDnFIX folder and double click on !LOG!.bat
    IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FINDnFIX folder.

    The program will generate a Log.txt file, but this takes a few minutes for it to collect the necessary information.

    When the program is finished running, open the FINDnFIX folder, and find the Log.txt file.
    Post the contents of Log.txt in your next reply.

    Note:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

    (there will be a few more steps to follow once I see the Log.txt)

    Regards,

    snap
     
  12. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi snap
    i followed your instructions. here is the log. just as i was rebooting into safe mode i noticed a new icon on my desktop - desktop.ini. adaware found 17 items - all removed.

    regards
    ben

    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q822925-Q330994-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    06/07/2004
    1:27pm up 0 days, 0:09

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\MSJ.DLL +++ File read error
    \\?\C:\WINDOWS\System32\MSJ.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    MSJ.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    msj.dll Mon 5 Jul 2004 7:18:26 A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\MSJ.DLL


    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... MSJ.DLL .....57344 05.07.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group D6W0BS0J\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Sat 3 Jul 2004 11:13:58 A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Sat 3 Jul 2004 11:13:58 A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 07-03-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x D6W0BS0J\Feis
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: D6W0BS0J\Feis

    Primary Group: D6W0BS0J\None



    »»»»»»Backups created...»»»»»»
    1:29pm up 0 days, 0:11
    06/07/2004

    A C:\FINDnFIX\winBack.hiv
    --a-- - - - - - 8,192 07-06-2004 winback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-06-2004 winkey.reg

    »»Performing string scan....
    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 @ vk ' z
    00001210:GDIProcessHandleQuota" 9 0 | vk X
    00001250:Spooler2 y e s n vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' i USERProcessHandleQuotai 8
    00001310:h vk 8 H N AppInit_DLLsA N C :
    00001350:\ W I N D O W S \ S y s t e m 3 2 \ m s j . d l l P x
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    AppInit_DLLsA
    --------------
    --------------
    yes
    C:\WINDOWS\System32\msj.dll
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"=""


    **File C:\FINDnFIX\WIN.TXT
            Ðÿÿÿvk  à   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  @  ° Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þðÿÿÿ9 0  ¸| àÿÿÿvk  X   °ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk  €   =pswapdisk ° ø 8 h * Ðÿÿÿvk  (   R¿TransmissionRetryTimeoutÐÿÿÿvk  €'   i USERProcessHandleQuotai àÿÿÿ° ø 8 h * Ð  Øÿÿÿvk 8 H   N AppInit_DLLsA N ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s j . d l l Px
    
     
  13. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: notepad gone - trojan (merged)

    Hi Ben, (sorry, my connections slow at the moment)

    Well, we found the culprit .dll (MSJ.DLL ) so on to the next step:

    Open the FindnFix folder.
    Open the keys1 folder.


    Locate the MOVEit.bat file, and Right-Click on it and select --> "edit". The file will open as empty text file.
    Copy and paste the bolded line below (all of it) into the the blank 'MOVEit' file (if there is any text there, then be sure to Replace the text in the file with
    the command below).

    move %WinDir%\System32\MSJ.DLL %SystemDrive%\junkxxx\MSJ.DLL

    Save the file and close.

    (This next step will cause a restart of your computer)
    While still in the 'keys1 folder', Double-Click on the FIX.bat file.
    You will get an Alert to restart in about 15 seconds.
    Allow it to restart the computer!

    On restart, go to the FindnFix folder again.
    Double-Click on the RESTORE.bat file and let it run.
    When it is finished, it will have created a 'Log1.txt' file in the FINDnFIX folder.
    Find the Log1.txt file, open it, and copy & past its contents here in your next post.

    =====
    Note:
    Occasionally when trying to edit the MOVEit.bat file the following error occurs:
    "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

    If you get that error, then follow the alternate steps below:

    Open the FindnFix folder.
    Open the keys1 folder.

    Double click on FIX.bat
    You will get an alert of about 15 seconds before reboot. Allow it to reboot!

    On restart, open Explorer and navigate to C:\Windows\System32 folder
    Find the MSJ.DLL file (it should be visible now)
    Highlight the file and using top menu, click Edit --> Move to folder...
    Select C:\junkxxx as destination.
    And move the MSJ.DLL file there..

    Open the FINDnFIX folder again.
    Double-click on RESTORE.bat
    When it is finished, it will have created a 'Log1.txt' file in the FINDnFIX folder.
    Find the Log1.txt file, open it, and copy & paste its contents here in your next reply.

    =====

    Regards,

    snap
     
    Last edited: Jul 9, 2004
  14. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi snap

    not so successful this time!
    when i right click the MOVEit.bat file and select "edit"
    i get a message as follows
    windows cannot find c:\FINDnFIX\Keys1\MOVEit.bat. make sure you typed the name correctly, and then try again.

    because it is a text file could my problems with notepad be an issue here?

    regards
    ben
     
  15. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi snap

    sorry just read through to the bottom of your last post. i'll do it that way.

    ben
     
  16. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: notepad gone - trojan (merged)

    Hi Ben,

    Try the alternative steps as I've posted above under Note

    Let me know how it goes.

    Regards,

    snap
     
  17. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi snap

    the alternative method worked!

    regards
    ben

    log -

    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    06/07/2004
    2:16pm up 0 days, 0:05

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q822925-Q330994-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»*»»» Scanning for moved file... »»»*»»»
    * result\\?\C:\JUNKXXX\MSJ.222


    C:\JUNKXXX\
    msj.222 Mon 5 Jul 2004 7:18:26 A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\JUNKXXX\MSJ.222

    **File C:\JUNKXXX\MSJ.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- MSJ .222 0000E000 07:18.26 05/07/2004

    rem replace this entire line with your given command...



    --a-- W32i - - - - 57,344 07-05-2004 msj.222
    A C:\junkxxx\msj.222
    File: <C:\junkxxx\msj.222>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    »»Permissions:
    C:\junkxxx\msj.222 BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    D6W0BS0J\Feis:F
    BUILTIN\Users:R

    Directory "C:\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x D6W0BS0J\Feis
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000009 --o- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: D6W0BS0J\Feis

    Primary Group: D6W0BS0J\None

    Directory "C:\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: BUILTIN\Administrators

    File "C:\junkxxx\msj.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x D6W0BS0J\Feis
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

    Owner: D6W0BS0J\Feis

    Primary Group: D6W0BS0J\None


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Sat 3 Jul 2004 11:13:58 A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Sat 3 Jul 2004 11:13:58 A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 07-03-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 @ vk ' z
    00001210:GDIProcessHandleQuota" 9 0 | vk X
    00001250:Spooler2 y e s n vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' i USERProcessHandleQuotai 8
    00001310:h vk { AppInit_DLLs
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    AppInit_DLLsA

    ---------- NEWWIN.TXT
    AppInit_DLLsÿÿÿÿ¸
    --------------
    \WINDOWS\S
    yes
    **File C:\FINDnFIX\NEWWIN.TXT
    **File C:\FINDnFIX\NEWWIN.TXT
    00001338: 01 00 00 00 01 00 7B 00 . 5F 44 4C 4C 73 FF FF FF ......{. _DLLsÿÿÿ
    **File C:\FINDnFIX\NEWWIN.TXT
            Ðÿÿÿvk  à   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  @  ° Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þðÿÿÿ9 0  ¸| àÿÿÿvk  X   °ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk  €   =pswapdisk ° ø 8 h * Ðÿÿÿvk  (   R¿TransmissionRetryTimeoutÐÿÿÿvk  €'   i USERProcessHandleQuotai àÿÿÿ° ø 8 h * Ð  Øÿÿÿvk  €   { AppInit_DLLsÿÿÿÿ¸  € * 0À0À"PÀ2PÀÀ p P € ` € p ° ° * À ð    0 @ P ` p €  * ° À Ð à ð    0 @ P ` p €  * ° À Ð à ð    0 @ P ` p €  * ° À Ð à ð    0 ` @ ` p €  * ° À Ð à € ð   0 @ P à ` €  * p þ Œ[qù`H7Ø  0 @ P Ð ` €  * ° À Ð à ð  * p  @ P ` p € ð  À Ð à ð    0 @ P ` p €  * ° À Ð à ð  0 @ P ` p € * ° À Ð à ð
     
  18. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: notepad gone - trojan (merged)

    Good stuff, Ben!

    We're almost done. :D

    Open the FINDnFIX folder again, then open the Files2 folder. Double-click on the ZIPZAP.bat file.
    It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip).

    When the above is done, restart your computer, then delete the entire FINDnFIX folder and files. Delete the C:\junkxxx folder too, as part of the cleanup.

    Make sure you have the most recent version of CWShredder v.1.59.01.
    Close ALL browsers and any open windows or programs before running CWShredder.
    Unzip the program, double-click the CWShredder.exe to open it, then click the *Fix button (not the scan button) and follow the instructions you will receive when the program runs.

    Restart your computer after running CWShredder, and do another scan with HijackThis. Post a new log here so we can clean up anything left over.

    Regards,

    snap
     
  19. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi snap
    here is the new log. the updater for cwshredder hasn't been working for me for a few days so i dloaded it again in its newest version. i still have a desktop.ini icon on my desktop. can i delete that? what is it?

    kind regards
    ben


    Logfile of HijackThis v1.97.7
    Scan saved at 15:08:04, on 06/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\AOL 8.0a\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Documents and Settings\All Users\Documents\AOL Downloads\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
    O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.502025463
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  20. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: notepad gone - trojan (merged)

    Ben, your log is clean. Great work! :D

    I've heard of that happening, a desktop.ini just suddenly showing up, but I can't remember what I read about it, or what to do with it. For now, just leave it there, and I'll try and do some more searching about it and I'll post back here what information I find.

    These few entries not bad and optional to fix, but they will save you some resources if they do not start up when you boot up your computer
    If you choose to fix them, then place a check beside them in Hijackthis and with ALL browsers closed, click *Fixed checked:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    Then once you are sure your system is clean, turn off System Restore, then reboot your computer to purge old restore points to remove any infection that would have been backed up in there: System Restore Instructions for XP. Remember to re-enable System Restore after a reboot, and set a new Restore Point.

    Here are some steps to follow to help tighten your security and prevent future infection:
    Why did I get infected in the first place?

    And make sure to visit Microsoft's Update Site and keep your Critical Updates for both XP and IE6 up-todate.

    Regards,

    snap
     
  21. kukuku

    kukuku Registered Member

    Joined:
    Apr 1, 2004
    Posts:
    20
    Re: notepad gone - trojan (merged)

    hi snap

    thank you so much for your guidance. the computer is back to normal now.

    kind regards
    ben :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.