Help, About:Blank Hijack!

Discussion in 'adware, spyware & hijack cleaning' started by JayJay66, Jul 11, 2004.

  1. JayJay66

    JayJay66 Registered Member

    Joined:
    May 3, 2004
    Posts:
    21
    Homepage keeps resetting to About:Home, and it is really starting to slow down my IE6. I am getting tons of pop-ups and can't seem to get rid of it. Someone please help.


    Logfile of HijackThis v1.98.0
    Scan saved at 3:52:04 AM, on 7/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\tjzsfou.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jay\My Documents\My Pictures\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {4E8F307C-976F-5ECD-D054-6D550AA7296D} - C:\WINDOWS\System32\vdfoi.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F2A5B51E-1538-4CF3-A119-D9F770D040D2} - C:\WINDOWS\System32\iaeald.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Filter: text/html - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll
    O18 - Filter: text/plain - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll
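The log above is what the helper reads by eye. As an added example (not part of HijackThis or any tool in this thread), here is a small triage script that applies the same reasoning to the R0/R1, O2 and O18 line formats: a search or start page pointing at a local file under a Temp folder, HomeOldSP forced to about:blank, an unnamed BHO loaded from System32, and MIME filters registered for text/html or text/plain. The sample input is a constructed subset of the lines from the log above; the rules and function names are this example's own.

```python
"""Triage a HijackThis (v1.98-era) log for the about:blank / sp.html hijack pattern.

Added example for this thread; it is not part of HijackThis or any tool the
thread mentions. It parses only the R0/R1, O2 and O18 line formats shown in
the log above and applies a handful of rules drawn from the helper's fix list.
"""
import re

# Constructed sample: a subset of the R/O2/O18 lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {4E8F307C-976F-5ECD-D054-6D550AA7296D} - C:\WINDOWS\System32\vdfoi.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O18 - Filter: text/html - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
# O2 and O18 entries share the shape "<kind>: <name> - {CLSID} - <path>".
CLSID_RE = re.compile(
    r"^(?P<kind>BHO|Filter): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


def triage_hijackthis(log_text):
    """Return a list of (code, reason, line) for entries matching the hijack pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        if code in ("R0", "R1"):
            key, _, value = rest.partition(" = ")
            v = value.strip().lower()
            # A search/start page that is a local HTML file in the user's Temp folder.
            if v.startswith("file://") and "\\temp\\" in v:
                findings.append((code, "search/start page redirected to a local file in a Temp directory", line))
            # HomeOldSP = about:blank is the registry footprint of this particular hijack.
            elif key.endswith("HomeOldSP") and v == "about:blank":
                findings.append((code, "HomeOldSP set to about:blank", line))
        elif code in ("O2", "O18"):
            cm = CLSID_RE.match(rest)
            if not cm:
                continue
            kind, name, path = cm.group("kind"), cm.group("name"), cm.group("path")
            # A BHO with no registered name, living in System32, is worth a second look.
            if kind == "BHO" and name == "(no name)" and "\\system32\\" in path.lower():
                findings.append((code, "unnamed BHO loaded from System32", line))
            # MIME filters for text/html or text/plain sit in the path of every page IE renders.
            if kind == "Filter" and name in ("text/html", "text/plain"):
                findings.append((code, "MIME filter registered for %s" % name, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(code, "-", reason)
        print("   ", line)
```

Run it as-is to see the five flagged lines; the Symantec BHO and the empty LinksFolderName entry pass through untouched, which is the point of keying on the value rather than on the entry type.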
     
  2. JayJay66

    JayJay66 Registered Member

  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Download FindnFix http://downloads.subratam.org/FINDnFIX.exe

    Double Click on the FindnFix.exe you downloaded earlier and it will install into its own folder.
    That folder should be C:\FINDnFIX
    Browse to the folder
    Close all other open windows.
    Run (double click on) the !LOG!.bat file

    Have a coffee

    When it's done:
    From the FindnFix folder.
    - Post (paste) the contents of Log.txt in this thread.
     
  4. JayJay66

    JayJay66 Registered Member

    Here it is.

    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
    »»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
    Due to errors on various message boards I made some changes.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    If you make a mistake or use the wrong guidance, it is completely
    your responsibility and the helper that assists you.
    If you are not sure about the nature of the file or how
    to proceed, I suggest you research it first before attempting
    to remove any *unknown file on your own.
    *For Helpers and/or users that are not familiar with any of the
    items on the scan results- I recommend using an alternative, once
    you know what to look for!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    --The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
    and is the destination for the file to be moved..
    -*Previous directions will no longer work...
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q837009-Q832894-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Sun 07/11/2004
    4:43pm up 0 days, 20:52

    »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\WDMB.DLL +++ File read error
    * result\\?\C:\WINDOWS\System32\COMJBA.DLL
    * result\\?\C:\WINDOWS\System32\COMK.DLL
    * result\\?\C:\WINDOWS\System32\KBDHMHK.DLL
    * result\\?\C:\WINDOWS\System32\RES.DLL
    * result\\?\C:\WINDOWS\System32\SQL.DLL
    * result\\?\C:\WINDOWS\System32\SQLG.DLL
    \\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    WDMB.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    wdmb.dll Wed Jul 7 2004 3:17:48a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\WDMB.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... WDMB.DLL .....57344 07.07.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINDOWS\SYSTEM32\
    comjba.dll Sat Jul 10 2004 7:44:14p A.... 57,344 56.00 K
    comk.dll Sat Jul 10 2004 10:19:58p A.... 57,344 56.00 K
    kbdhmhk.dll Sat Jul 10 2004 5:00:54p A.... 57,344 56.00 K
    res.dll Sat Jul 10 2004 7:46:02p A.... 57,344 56.00 K
    sql.dll Sat Jul 10 2004 7:47:02p A.... 57,344 56.00 K
    sqlg.dll Sat Jul 10 2004 4:57:26p A.... 57,344 56.00 K
    wdmb.dll Wed Jul 7 2004 3:17:48a A...R 57,344 56.00 K

    7 items found: 7 files, 0 directories.
    Total of file sizes: 401,408 bytes 392.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMJBA.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\COMK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\KBDHMHK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RES.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQLG.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\WDMB.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group JAY\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.


    »»»»»»Backups created...»»»»»»
    4:44pm up 0 days, 20:54
    Sun 07/11/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-11-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-11-2004 winkey.reg

    C:\FINDNFIX\
    JUNKXXX Sun Jul 11 2004 5:22:52a .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: ?
    00001190: vk : f AppInit_
    000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ w d m b . d
    00001210:l l t vk P UDeviceNotSelectedTimeout
    00001250: 1 5 @ 9 0 | vk ' zGDIProce
    00001290:ssHandleQuota" vk Spooler2 y e s n
    000012D0: p vk =pswapdisk vk
    00001310: ` R TransmissionRetryTimeout p
    00001350: X vk ' F USERProcessHandleQuotaAcx
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\wdmb.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\wdmb.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 77 00 64 00 6d 00 62 00 | m.3.2.\.w.d.m.b.
    0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
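The log reports the AppInit_DLLs value two ways: one tool says the trailing NULL is missing, the other says the value is 58 bytes "including the 2 for string termination", and then dumps the raw bytes. As an added example (not part of FindnFix or anything it runs), the script below reconstructs the value from those four dump lines, decodes it as the UTF-16LE REG_SZ it is, and reports both facts, plus what happens when the terminator really is absent. The dump text is taken verbatim from the log above; the function names and the "suspicious" rule (any non-empty AppInit_DLLs on a stock XP box) are this example's own.

```python
"""Decode an AppInit_DLLs REG_SZ value from a hex dump like the one in the log above.

Added example for this thread (not part of FindnFix or any tool it runs). It
reproduces the two checks the log reports: the value's byte length including
the 2-byte UTF-16 terminator, and whether that terminator is actually present.
"""
import re

# Constructed input: the four dump lines from the log above, verbatim.
DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 64 00 6d 00 62 00 | m.3.2.\.w.d.m.b.
0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
"""

# "<offset> <hex pairs...> | <ascii>": only the hex columns are parsed.
DUMP_LINE = re.compile(r"^[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}\s+)+)\|")


def parse_hexdump(text):
    """Return the raw bytes encoded by the hex columns of each dump line."""
    data = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            data.extend(int(h, 16) for h in m.group(1).split())
    return bytes(data)


def inspect_appinit(raw):
    """Describe a REG_SZ AppInit_DLLs payload exactly as it is stored (UTF-16LE)."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be an even number of bytes (UTF-16LE)")
    terminated = len(raw) >= 2 and raw[-2:] == b"\x00\x00"
    text = raw.decode("utf-16-le").rstrip("\x00")
    # AppInit_DLLs may list several entries separated by spaces or commas.
    dlls = [p for p in re.split(r"[ ,]+", text) if p]
    return {
        "size_bytes": len(raw),    # what the registry reports, terminator included
        "terminated": terminated,
        "dlls": dlls,
        # The stock value on XP is empty; anything listed here is loaded by
        # user32.dll into every process that links it, so it deserves a look.
        "suspicious": bool(dlls),
    }


if __name__ == "__main__":
    raw = parse_hexdump(DUMP)
    print("as dumped:       ", inspect_appinit(raw))
    print("terminator gone: ", inspect_appinit(raw[:-2]))
    print("empty (clean):   ", inspect_appinit(b"\x00\x00"))
```

The second call strips the final two bytes to show the "missing trailing NULL" variant: the loaded path is the same, only the reported size and the terminated flag change, which is why a tool that keys on the key's byte size can disagree with one that keys on the string itself.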
    
     
  5. IMM

    IMM Spyware Fighter

    The worst culprit is C:\WINDOWS\System32\wdmb.dll

    This will take a couple or more steps to fix.
    Be sure to follow the next set of steps carefully, in
    the exact order specified:

    1.) Take the machine offline so it can make no connection to the internet
    *Get ready to restart your computer.
    - Open the FINDnFIX\Keys1< Subfolder And
    DoubleClick on the "FIX.bat" file.
    -You will get a prompt preparing for auto-restart in 15 seconds.
    -Let it restart!
    --------------------------------------------------------------------------
    2.)
    On restart, Go to Start/Search, and find:
    wdmb.dll (Should be in System32 folder)
    -When found, select the "wdmb.dll" file (as it should be visible)
    And use the folder's top menu:
    edit>......move to folder>... (From the search results)
    Scroll and Select the following path as destination:
    -> C:\ -> FINDnFIX... -> Click once to expand, and select the
    ->...junkxxx Subfolder as final destination, and move
    the "wdmb.dll" into that Subfolder.(C:\FINDnFIX\junkxxx)
    (you might get a prompt about a 'read-only' file - simply 'OK' it!)
    --------------------------------------------------------------


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    3) Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {4E8F307C-976F-5ECD-D054-6D550AA7296D} - C:\WINDOWS\System32\vdfoi.dll
    O2 - BHO: (no name) - {F2A5B51E-1538-4CF3-A119-D9F770D040D2} - C:\WINDOWS\System32\iaeald.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
    O18 - Filter: text/html - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll
    O18 - Filter: text/plain - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll


    Run CWShredder if you have it

    Reboot normally

    4.)
    When done, Open the C:\FINDnFIX folder and
    Run the "RESTORE.bat" file ,
    It should run and generate a new log (log1.txt)
    Put the machine back on line if you have only the one.
    Post it here so I can check - then we'll move on to the next steps
    ===================================================
    *Note:
    Do not change/move around or
    tamper with any of the file(s) folder(s) and path
    included in the 'FINDnFIX' folder.
     
  6. JayJay66

    JayJay66 Registered Member

    OK, here is the "RESTORE.bat" file



    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Sun 07/11/2004
    6:40pm up 0 days, 0:00

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q837009-Q832894-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»
    * result\\?\C:\WINDOWS\System32\COMJBA.DLL
    * result\\?\C:\WINDOWS\System32\COMK.DLL
    * result\\?\C:\WINDOWS\System32\KBDHMHK.DLL
    * result\\?\C:\WINDOWS\System32\RES.DLL
    * result\\?\C:\WINDOWS\System32\SQL.DLL
    * result\\?\C:\WINDOWS\System32\SQLG.DLL

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.
    Unknown/hidden files...

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»»»»» Search by size...


    C:\WINDOWS\SYSTEM32\
    comjba.dll Sat Jul 10 2004 7:44:14p A.... 57,344 56.00 K
    comk.dll Sat Jul 10 2004 10:19:58p A.... 57,344 56.00 K
    kbdhmhk.dll Sat Jul 10 2004 5:00:54p A.... 57,344 56.00 K
    res.dll Sat Jul 10 2004 7:46:02p A.... 57,344 56.00 K
    sql.dll Sat Jul 10 2004 7:47:02p A.... 57,344 56.00 K
    sqlg.dll Sat Jul 10 2004 4:57:26p A.... 57,344 56.00 K

    6 items found: 6 files, 0 directories.
    Total of file sizes: 344,064 bytes 336.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMJBA.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\COMK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\KBDHMHK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RES.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQLG.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\FINDnFIX\junkxxx\WDMB.222


    C:\FINDNFIX\JUNKXXX\
    wdmb.222 Wed Jul 7 2004 3:17:48a A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\FINDNFIX\JUNKXXX\WDMB.222

    **File C:\FINDNFIX\JUNKXXX\WDMB.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- WDMB .222 0000E000 03:17.48 07/07/2004

    --a-- W32i - - - - 57,344 07-07-2004 wdmb.222
    A C:\FINDnFIX\junkxxx\wdmb.222

    CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
    MD5 Message Digest Algorithm by RSA Data Security, Inc.

    File name Size Date Time MD5 Hash
    ________________________________________________________________________
    WDMB.222 57344 07-07-104 03:17 c185b36f9969d3a6d2122ba7cbc02249
    File: <C:\FINDnFIX\junkxxx\wdmb.222> CRC-32 : D5C9FB2E MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
    »»Permissions:
    C:\FINDnFIX\junkxxx\wdmb.222 BUILTIN\Administrators:F
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    JAY\Jay:F
    BUILTIN\Users:R

    Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x JAY\Jay
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: JAY\Jay

    Primary Group: JAY\None

    Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x JAY\Jay
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: JAY\Jay

    Primary Group: JAY\None

    File "C:\FINDnFIX\junkxxx\wdmb.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x JAY\Jay
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

    Owner: JAY\Jay

    Primary Group: JAY\None

    C:\FINDnFIX\junkxxx\wdmb.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;JAY\Jay:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;BUILTIN\Users:RrRaRepX


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 @ vk ' z
    00001210:GDIProcessHandleQuota" 9 0 | vk X
    00001250:Spooler2 y e s n vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' F USERProcessHandleQuotaAc 8
    00001310:h vk p AppInit_DLLst T H
    00001350:E X T = . C O M ; . E X E ; . B A T ; . C M D ; . V B S ; . V B
    00001390:E ; . J S ; . J S E ; . W S F ; . W S H P R O C
    000013D0:E S S O R _ A R C H I T E C T U R E = x 8 6 P R O C
    00001410:E S S O R _ I D E N T I F I E R = x 8 6 F a m i l y 1 5 M
    00001450:o d e l 2 S t e p p i n g 9 , G e n u i n e I n t e l
    00001490: P R O C E S S O R _ L E V E L = 1 5 P R O C
    000014D0:E S S O R _ R E V I S I O N = 0 2 0 9 P r o g r a m F
    00001510:i l e s = C : \ P r o g r a m F i l e s P R O M
    00001550:p

    ---------- NEWWIN.TXT
    AppInit_DLLst
    --------------
    --------------
    --------------
    THEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Jay\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Jay\LOCALS~1\Temp
    USERDOMAIN=JAY
    USERNAME=Jay
    USERPROFILE=C:\Documents and Settings\Jay
    windir=C:\WINDOWS
     
  7. IMM

    IMM Spyware Fighter

    *************************************
    Last step(s):

    -Open the FINDnFIX\Files2< Subfolder:
    Run the -> "ZIPZAP.bat" file.
    It will quickly clean the rest and
    will create a zipped copy of the bad file(s) in the same
    folder (named as-- junkxxx.zip) and open your email client with instructions:
    Simply drag and drop the 'junkxxx.zip' file from
    the folder into the mail message and submit
    to the specified addresses! Thanks!

    (Please include the link in your mail to the board
    that assisted you, so any errors in the process could be traced back!)

    When done, restart your computer and
    Delete the entire 'FINDnFIX' file+Subfolder(s)
    from C:\

    As for the remains, run any and all
    removal tools once again as they should work properly now!
    In particular,
    CWShredder and a fully updated Ad-Aware!

    --------- Setup for AdAware
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
    ----------------

    Feel free to post follow up hijackthis log when done!

    ------------
    To avoid and prevent immediate reinfection, you need to visit Windows Updates, scan and apply any and all security patches on offer.
     
  8. IMM

    IMM Spyware Fighter

    Looking at the file sizes, all of these are involved (57,344 = 56.00 K)
    (all in C:\WINDOWS\SYSTEM32\ )
    comjba.dll
    comk.dll
    kbdhmhk.dll
    res.dll
    sql.dll
    sqlg.dll

    But it's likely that AdAware will get them - if not, make sure they get deleted - but double-check the file sizes first - if they don't match, don't delete.
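The post above gives the rule by hand: same size as the known bad file is the lead, but a size match alone is not grounds to delete. As an added example (not part of Ad-Aware, FindnFix or HijackThis), the script below does that check the way a practitioner would: list the DLLs in a folder whose size is exactly 57,344 bytes, then hash each one and compare with the MD5 that CHK-SAFE printed for wdmb.222 in the earlier log. The directory and its files are constructed in a temp folder so the script runs offline; the file names are borrowed from the list above, their contents are made up, and the function names are this example's own.

```python
"""Match files against a known-bad sample by size, then confirm by MD5.

Added example for this thread; it is not part of Ad-Aware, FindnFix or
HijackThis. It applies the rule from the post above: an exact size match
(57,344 bytes) is only a lead, so the hash decides before anything is deleted.
KNOWN_MD5 is the digest CHK-SAFE printed for wdmb.222 in the log above; the
directory and files built here are constructed so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile

KNOWN_SIZE = 57344
KNOWN_MD5 = "c185b36f9969d3a6d2122ba7cbc02249"


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_candidates(directory, size=KNOWN_SIZE, exts=(".dll",)):
    """Full paths of files in `directory` (non-recursive) with a matching extension and exact byte size."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.lower().endswith(exts) and os.path.getsize(path) == size:
            hits.append(path)
    return hits


def classify(directory, known_md5=KNOWN_MD5):
    """Split the size matches into (hash-confirmed, same-size-but-different) basenames."""
    confirmed, unconfirmed = [], []
    for path in find_candidates(directory):
        bucket = confirmed if md5_of(path) == known_md5 else unconfirmed
        bucket.append(os.path.basename(path))
    return confirmed, unconfirmed


def build_fixture():
    """Constructed test directory; returns (path, md5 of the file treated as the known sample)."""
    d = tempfile.mkdtemp(prefix="sizecheck_")
    sample = bytes(range(256)) * (KNOWN_SIZE // 256)   # 224 * 256 = 57,344 bytes
    other = bytes(reversed(sample))                    # same size, different content
    files = {
        "comk.dll": sample,           # right size, hash matches the sample: confirmed
        "res.dll": other,             # right size, hash differs: do not delete on size alone
        "kbdus.dll": sample[:40000],  # wrong size: never a candidate
        "readme.txt": sample,         # right size but not a DLL: filtered by extension
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d, hashlib.md5(sample).hexdigest()


if __name__ == "__main__":
    fixture, sample_md5 = build_fixture()
    print("size matches:", [os.path.basename(p) for p in find_candidates(fixture)])
    print("with the fixture's own hash:", classify(fixture, known_md5=sample_md5))
    print("with the hash from the log: ", classify(fixture))
    shutil.rmtree(fixture)
```

On a real box you would point `classify` at C:\WINDOWS\System32 and leave the default KNOWN_MD5; the two output lists then tell you which same-size files are actually the known sample and which merely share its size and must not be deleted on that basis.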
     
  9. JayJay66

    JayJay66 Registered Member

    Ad-aware found a few things, all cookies though. Everything seems back to normal. Here is my new log.

    Logfile of HijackThis v1.98.0
    Scan saved at 7:35:55 PM, on 7/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Mythic\Atlantis\game.dll
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jay\My Documents\My Pictures\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  10. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351