CoolWebSearch about:blank and pop-up problem

Discussion in 'adware, spyware & hijack cleaning' started by rolandk, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. rolandk

    rolandk Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    Hello all,

    I am troubled with the same CWS problem I've seen mentioned in this forums: CWS malware hijacking my browser (changing it to another search page) and constantly showing pop-ups for spyware removal tools...

    I tried to follow up on advice given to other users about this issue, but the problem persists.

    I used Ad-Aware and Hijack This to remove spyware/malware but it just reinstalls itself again.

    Here is the Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:51:02, on 2/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    G:\Internet\FoxServ\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    G:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    G:\Program Files\WinZip\WZQKPICK.EXE
    G:\Program Files\SpywareGuard\sgmain.exe
    G:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\webshots.scr
    G:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\msiexec.exe
    P:\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ICQ Lite] G:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] G:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: SpywareGuard.lnk = G:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Webshots.lnk = G:\Program Files\Webshots\Launcher.exe
    O4 - Startup: WinMySQLadmin.lnk.disabled
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = G:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Datik (HKLM)
    O9 - Extra button: ICQ 4.1 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {660B74E4-4E01-43DE-BB13-2BA2D643C05A} (SmartStartCtl Class) - https://internetbanking.argenta.be/multisecure/smartstart/Win32/SmartStartCtl.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {94B964F0-45CC-11D4-9F1D-0060085C7782} (Version Class) - https://internetbanking.argenta.be/multisecure/smartstart/Win32/SmartStartSetup.cab
    O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37728.6633217593
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {FA6E0C2F-B2C0-11D7-A5D3-005022E14DE2} (Installer Class) - http://www.sms2date.be:8080/agent//AgentInstaller.cab

    Thanks for your help on this *very annoying* problem!

    Roland
     
  2. rolandk

    rolandk Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    4 days, and still not a single answer o_O

    Here are logs of Ad-Aware and Hijack This, both showing the CWS elements (I constantly remove them, but they reappear every 10 minutes it seems...)


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :dinsdag 6 juli 2004 0:13:20
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R327 05.07.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    6-07-2004 0:13:20 - Scan started. (Custom mode)


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : roland kums@metriweb[2].txt
    Object : C:\Documents and Settings\Roland Kums\Cookies\

    Created on : 4/07/2004 23:42:30
    Last accessed : 5/07/2004 22:13:46
    Last modified : 4/07/2004 23:42:30



    CoolWebSearch Object recognized!
    Type : File
    Data : dc1.dll
    Object : C:\RECYCLER\S-1-5-21-1123561945-1897051121-839522115-1003\
    FileSize : 30 KB
    Created on : 3/07/2004 16:34:12
    Last accessed : 5/07/2004 22:15:06
    Last modified : 3/07/2004 16:34:12



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Deep scanning and examining files (F:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for F:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Deep scanning and examining files (G:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for G:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Deep scanning and examining files (M:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for M:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Deep scanning and examining files (P:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Cydoor Object recognized!
    Type : Folder
    Object : P:\My Documents\Eudora data\EudPriv\Ads\AdCache



    Disk scan result for P:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 3


    Deep scanning and examining files (Q:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for Q:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 3


    Deep scanning and examining files (S:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for S:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 3


    Deep scanning and examining files (X:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : File
    Data : backup-20040702-175145-212.dll
    Object : X:\HijackThis\
    FileSize : 30 KB
    Created on : 2/07/2004 15:41:26
    Last accessed : 5/07/2004 22:20:36
    Last modified : 2/07/2004 15:41:26



    CoolWebSearch Object recognized!
    Type : File
    Data : backup-20040704-164304-299.dll
    Object : X:\HijackThis\
    FileSize : 30 KB
    Created on : 4/07/2004 10:12:42
    Last accessed : 5/07/2004 22:20:36
    Last modified : 4/07/2004 10:12:42



    CoolWebSearch Object recognized!
    Type : File
    Data : backup-20040705-173834-654.dll
    Object : X:\HijackThis\
    FileSize : 30 KB
    Created on : 5/07/2004 11:13:28
    Last accessed : 5/07/2004 22:20:36
    Last modified : 5/07/2004 11:13:28



    Disk scan result for X:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 6

    0:20:38 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:07:18:94
    Objects scanned :176316
    Objects identified :6
    Objects ignored :0
    New objects :6


    Logfile of HijackThis v1.97.7
    Scan saved at 14:46:08, on 4/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    G:\Internet\FoxServ\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\System32\nvsvc32.exe
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    G:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    G:\Program Files\WinZip\WZQKPICK.EXE
    G:\Program Files\SpywareGuard\sgmain.exe
    G:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    G:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\webshots.scr
    C:\Program Files\MSN Messenger\msnmsgr.exe
    G:\Program Files\Qualcomm\Eudora\Eudora.exe
    X:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E0C572EE-DD26-4431-9E00-E8ADCBA04141} - C:\WINDOWS\System32\ffnh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ICQ Lite] G:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] G:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: SpywareGuard.lnk = G:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Webshots.lnk = G:\Program Files\Webshots\Launcher.exe
    O4 - Startup: WinMySQLadmin.lnk.disabled
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = G:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Datik (HKLM)
    O9 - Extra button: ICQ 4.1 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {660B74E4-4E01-43DE-BB13-2BA2D643C05A} (SmartStartCtl Class) - https://internetbanking.argenta.be/multisecure/smartstart/Win32/SmartStartCtl.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {94B964F0-45CC-11D4-9F1D-0060085C7782} (Version Class) - https://internetbanking.argenta.be/multisecure/smartstart/Win32/SmartStartSetup.cab
    O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.com/dialer/belgio_ver3.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37728.6633217593
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {FA6E0C2F-B2C0-11D7-A5D3-005022E14DE2} (Installer Class) - http://www.sms2date.be:8080/agent//AgentInstaller.cab
     
  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
    Download FindnFix http://downloads.subratam.org/FINDnFIX.exe

    Double Click on the FindnFix.exe you downloaded earlier and it will install into its own folder.
    That folder should be C:\FINDnFIX
    Browse to the folder
    Close all other open windows.
    Run (double click on) the !LOG!.bat file

    Have a coffee

    When it's done
    From the FindnFix folder.
    - Post (paste) the contents of Log.txt in this thread.
    - Attach file Win.txt to the same post. (Please attach, do not paste -- it doesn't format well)
     
  4. rolandk

    rolandk Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    Thanks for your reply!
    Here you go:


    »»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    do 08/07/2004
    12:07am up 0 days, 0:17

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\COMII.DLL +++ File read error
    \\?\C:\WINDOWS\System32\COMII.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    COMII.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    comii.dll Thu 17 Jun 2004 23:27:00 A...R 57.344 56,00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57.344 bytes 56,00 K


    C:\WINDOWS\SYSTEM32\
    comii.dll Thu 17 Jun 2004 23:27:00 A...R 57.344 56,00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57.344 bytes 56,00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMII.DLL

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMII.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... COMII.DLL .....57344 17.06.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group EHWAZ\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu 17 Jun 2004 23:26:34 A.... 66.048 64,50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66.048 bytes 64,50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Thu 17 Jun 2004 23:26:34 A.... 66.048 64,50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66.048 bytes 64,50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-17-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x EHWAZ\Roland Kums
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: EHWAZ\Roland Kums

    Primary Group: EHWAZ\None



    »»»»»»Backups created...»»»»»»
    12:08am up 0 days, 0:18
    do 08/07/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-08-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-08-2004 winkey.reg

    »»Performing string scan....
    00001150: ?
    00001190: vk < f AppInit_
    000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ c o m i i .
    00001210:d l l vk P UDeviceNotSelectedTimeout
    00001250: 1 5 ( W 9 0 ! vk ' zGDIProce
    00001290:ssHandleQuota" vk Spooler2 y e s
    000012D0: p vk =pswapdisk vk
    00001310: ` R TransmissionRetryTimeout p
    00001350: X vk ' 0 USERProcessHandleQuota0 x
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\comii.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\comii.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 63 00 6f 00 6d 00 69 00 | m.3.2.\.c.o.m.i.
    0030 69 00 2e 00 64 00 6c 00 6c 00 00 00 | i...d.l.l...
    
     

    Attached Files:

  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    File identified!
    This will take couple or more steps to fix.
    Be sure to Follow the next set of steps carefully, in
    the exact order specified:

    1.)
    *Get ready to restart your computer.
    - Open the FINDnFIX\Keys1< Subfolder And
    DoubleClick on the "FIX.bat" file.
    -You will get a prompt preparing for auto-restart in 15 seconds.
    -Let it restart!
    --------------------------------------------------------------------------
    2.)
    On restart, Go to Start/Search, and find:
    comii.dll (Should be in System32 folder)
    -When found, select the "comii.dll" file (as it should be visible)
    And use the folder's top menu:
    edit>......move to folder>... (From the search results)
    Scroll and Select the following path as destination:
    -> C:\junkxxx , and move the "comii.dll" into that Subfolder.(C:\junkxxx)
    (you might get a prompt about 'read-only' file -Simply 'ok' it!)
    --------------------------------------------------------------
    3.)
    When done, Open the C:\FINDnFIX folder and
    Run the "RESTORE.bat" file ,
    It should run and generate new log (log1.txt)
    Post it here.
    ===================================================
    *Note:
    Do not change/move around or
    tamper with any of the file(s) folder(s) and path
    included in the 'FINDnFIX' folder.

    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ROLAND~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {E0C572EE-DD26-4431-9E00-E8ADCBA04141} - C:\WINDOWS\System32\ffnh.dll
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB


    ---------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
     
    Last edited: Jul 10, 2004
  6. rolandk

    rolandk Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    Thanks for your help!
    I followed your procedure and it looks all clean now...

    This is the log:


    »»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

    zo 11/07/2004
    3:59pm up 0 days, 0:05

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.

    No matches found.

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\JUNKXXX\COMII.222


    C:\JUNKXXX\
    comii.222 Thu 17 Jun 2004 23:27:00 A.... 57.344 56,00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57.344 bytes 56,00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\JUNKXXX\COMII.222

    **File C:\JUNKXXX\COMII.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- COMII .222 0000E000 23:27.00 17/06/2004

    --a-- W32i - - - - 57,344 06-17-2004 comii.222
    A C:\junkxxx\comii.222
    File: <C:\junkxxx\comii.222>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    »»Permissions:
    C:\junkxxx\comii.222 BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    EHWAZ\Roland Kums:F
    BUILTIN\Users:R

    C:\junkxxx\comii.222 BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    EHWAZ\Roland Kums:F
    BUILTIN\Users:R

    Directory "C:\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x EHWAZ\Roland Kums
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: EHWAZ\Roland Kums

    Primary Group: EHWAZ\None

    Directory "C:\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: NT AUTHORITY\SYSTEM

    File "C:\junkxxx\comii.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x EHWAZ\Roland Kums
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

    Owner: EHWAZ\Roland Kums

    Primary Group: EHWAZ\None


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu 17 Jun 2004 23:26:34 A.... 66.048 64,50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66.048 bytes 64,50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Thu 17 Jun 2004 23:26:34 A.... 66.048 64,50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66.048 bytes 64,50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-17-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 ( W vk ' z
    00001210:GDIProcessHandleQuota" 9 0 ! vk X
    00001250:Spooler2 y e s vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' 0 USERProcessHandleQuota0 8
    00001310:h vk f AppInit_DLLs G
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- NEWWIN.TXT
    fùAppInit_DLLsÖæG¸
    --------------
    --------------
    --------------
    DEVICE\HARDDISKVOLUME8
    DEVICE\HARDDISKVOLUME8\WINDOWS\SYSTEM32\NTDLL.DLL
    DEVICE\HARDDISKVOLUME8\WINDOWS\SYSTEM32\KERNEL32.DLL
    DEVICE\HARDDISKVOLUME8\WINDOWS\SYSTEM32\UNICODE.NLS
    DEVICE\HARDDISKVOLUME8\WINDOWS\SYSTEM32\LOCALE.NLS
    DEVICE\HARDDISKVOLUME8\WINDOWS\SYSTEM32\SORTTBLS.NLS
    DEVICE\HARDDISKVOLUME8\FINDNFIX\FILES2\XCACLS.EXE
    DEVICE\HARDDISKVOLUME8\WINDOWS\SYSTEM32\ADVAPI32.DLL
    DEVICE\HARDDISKVOLUME8\WINDOWS\SYSTEM32\RPCRT4.DLL
    \DEVICE\HARDDISKVOLUME8\
    \DEVICE\HARDDISKVOLUME8\FINDNFIX\
     
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Last step(s):

    -Open the FINDnFIX\Files2< Subfolder:
    Run the -> "ZIPZAP.bat" file.
    It will quickly clean the rest and
    will create a zipped copy of the bad file(s) in the same
    folder (named as-- junkxxx.zip) and open your email client with instructions:
    Simply drag and drop the 'junkxxx.zip' file from
    the folder into the mail message and submit
    to the specified addresses! Thanks!

    (Please include the link in your mail to the board
    that assisted you, so any errors in the process could be traced back!)

    When done, restart your computer and
    Delete and entire 'FINDnFIX' file+Subfolder(s)
    From C:\

    As for the remains, run any and all
    removal tools once again as they should work properly now!
    In particular,
    CWShredder and a fully updated Ad-Aware!

    --------- Setup for AdAware
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
    ----------------

    Feel free to post follow up hijackthis log when done!

    ------------
    To avoid and prevent immediate reinfection, you need to visit Windows Updates, scan and apply any and all security patches on offer.
     
  8. rolandk

    rolandk Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    Thanks. Your help was superb! It looks all clean now.
    Here is one last Hijack This log.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:25:56, on 12/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    G:\Internet\FoxServ\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    G:\Program Files\WinZip\WZQKPICK.EXE
    G:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\webshots.scr
    G:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    G:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\System32\msiexec.exe
    X:\HijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: SpywareGuard.lnk = G:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Webshots.lnk = G:\Program Files\Webshots\Launcher.exe
    O4 - Startup: WinMySQLadmin.lnk.disabled
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = G:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = G:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Datik (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .ssc: C:\WINDOWS\Downloaded Program Files\Ubizen\SmartStart\NPSmartStart32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {660B74E4-4E01-43DE-BB13-2BA2D643C05A} (SmartStartCtl Class) - https://internetbanking.argenta.be/multisecure/smartstart/Win32/SmartStartCtl.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {94B964F0-45CC-11D4-9F1D-0060085C7782} (Version Class) - https://internetbanking.argenta.be/multisecure/smartstart/Win32/SmartStartSetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37728.6633217593
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {FA6E0C2F-B2C0-11D7-A5D3-005022E14DE2} (Installer Class) - http://www.sms2date.be:8080/agent//AgentInstaller.cab
     
  9. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    looks ok to me :cool:
     
Thread Status:
Not open for further replies.