Help, About:Blank Hijack!

Discussion in 'adware, spyware & hijack cleaning' started by JayJay66, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. JayJay66

    JayJay66 Registered Member

    Joined:
    May 3, 2004
    Posts:
    21
    Homepage keeps reseting to About:Home, and really starting to slow down my IE6. I am getting tons of pop-ups and can't seem to get rid of it. Someone please help.


    Logfile of HijackThis v1.98.0
    Scan saved at 3:52:04 AM, on 7/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\tjzsfou.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jay\My Documents\My Pictures\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {4E8F307C-976F-5ECD-D054-6D550AA7296D} - C:\WINDOWS\System32\vdfoi.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F2A5B51E-1538-4CF3-A119-D9F770D040D2} - C:\WINDOWS\System32\iaeald.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Filter: text/html - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll
    O18 - Filter: text/plain - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll
     
  2. JayJay66

    JayJay66 Registered Member

    Joined:
    May 3, 2004
    Posts:
    21
  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Download FindnFix http://downloads.subratam.org/FINDnFIX.exe

    Double Click on the FindnFix.exe you downloaded earlier and it will install into its own folder.
    That folder should be C:\FINDnFIX
    Browse to the folder
    Close all other open windows.
    Run (double click on) the !LOG!.bat file

    Have a coffee

    When it's done:
    From the FindnFix folder.
    - Post (paste) the contents of Log.txt in this thread.
     
  4. JayJay66

    JayJay66 Registered Member

    Joined:
    May 3, 2004
    Posts:
    21
    Here it is.

    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
    »»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
    Due to errors on various message boards I made some changes.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    If you make a mistake or use the wrong guidance, it is completely
    your responsibility and the helper that assists you.
    If you are not sure about the nature of the file or how
    to proceed, I suggest you research it first before attempting
    to remove any *unknown file on your own.
    *For Helpers and/or users that are not familiar with any of the
    items on the scan results- I recommend using an alternative, once
    you know what to look for!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    --The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
    and is the destination for the file to be moved..
    -*Previous directions will no longer work...
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q837009-Q832894-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Sun 07/11/2004
    4:43pm up 0 days, 20:52

    »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/:cool:»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\WDMB.DLL +++ File read error
    * result\\?\C:\WINDOWS\System32\COMJBA.DLL
    * result\\?\C:\WINDOWS\System32\COMK.DLL
    * result\\?\C:\WINDOWS\System32\KBDHMHK.DLL
    * result\\?\C:\WINDOWS\System32\RES.DLL
    * result\\?\C:\WINDOWS\System32\SQL.DLL
    * result\\?\C:\WINDOWS\System32\SQLG.DLL
    \\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    WDMB.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    wdmb.dll Wed Jul 7 2004 3:17:48a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\WDMB.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... WDMB.DLL .....57344 07.07.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINDOWS\SYSTEM32\
    comjba.dll Sat Jul 10 2004 7:44:14p A.... 57,344 56.00 K
    comk.dll Sat Jul 10 2004 10:19:58p A.... 57,344 56.00 K
    kbdhmhk.dll Sat Jul 10 2004 5:00:54p A.... 57,344 56.00 K
    res.dll Sat Jul 10 2004 7:46:02p A.... 57,344 56.00 K
    sql.dll Sat Jul 10 2004 7:47:02p A.... 57,344 56.00 K
    sqlg.dll Sat Jul 10 2004 4:57:26p A.... 57,344 56.00 K
    wdmb.dll Wed Jul 7 2004 3:17:48a A...R 57,344 56.00 K

    7 items found: 7 files, 0 directories.
    Total of file sizes: 401,408 bytes 392.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMJBA.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\COMK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\KBDHMHK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RES.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQLG.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\WDMB.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group JAY\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.


    »»»»»»Backups created...»»»»»»
    4:44pm up 0 days, 20:54
    Sun 07/11/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-11-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-11-2004 winkey.reg

    C:\FINDNFIX\
    JUNKXXX Sun Jul 11 2004 5:22:52a .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: ?
    00001190: vk : f AppInit_
    000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ w d m b . d
    00001210:l l t vk P UDeviceNotSelectedTimeout
    00001250: 1 5 @ 9 0 | vk ' zGDIProce
    00001290:ssHandleQuota" vk Spooler2 y e s n
    000012D0: p vk =pswapdisk vk
    00001310: ` R TransmissionRetryTimeout p
    00001350: X vk ' F USERProcessHandleQuotaAcx
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\wdmb.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\wdmb.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 77 00 64 00 6d 00 62 00 | m.3.2.\.w.d.m.b.
    0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
    
     
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The worst culprit is C:\WINDOWS\System32\wdmb.dll

    This will take couple or more steps to fix.
    Be sure to Follow the next set of steps carefully, in
    the exact order specified:

    1.) Take the machine off line so it can make no connection to the internet
    *Get ready to restart your computer.
    - Open the FINDnFIX\Keys1< Subfolder And
    DoubleClick on the "FIX.bat" file.
    -You will get a prompt preparing for auto-restart in 15 seconds.
    -Let it restart!
    --------------------------------------------------------------------------
    2.)
    On restart, Go to Start/Search, and find:
    wdmb.dll (Should be in System32 folder)
    -When found, select the "wdmb.dll" file (as it should be visible)
    And use the folder's top menu:
    edit>......move to folder>... (From the search results)
    Scroll and Select the following path as destination:
    -> C:\ -> FINDnFIX... -> Click once to expand, and select the
    ->...junkxxx Subfolder as final destination, and move
    the "wdmb.dll" into that Subfolder.(C:\FINDnFIX\junkxxx)
    (you might get a prompt about 'read-only' file -Simply 'ok' it!)
    --------------------------------------------------------------


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    3) Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jay\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {4E8F307C-976F-5ECD-D054-6D550AA7296D} - C:\WINDOWS\System32\vdfoi.dll
    O2 - BHO: (no name) - {F2A5B51E-1538-4CF3-A119-D9F770D040D2} - C:\WINDOWS\System32\iaeald.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
    O18 - Filter: text/html - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll
    O18 - Filter: text/plain - {834425A8-E99D-40E3-9CCF-BCC035695B03} - C:\WINDOWS\System32\iaeald.dll


    Run CWShredder if you have it

    Reboot normally

    4.)
    When done, Open the C:\FINDnFIX folder and
    Run the "RESTORE.bat" file ,
    It should run and generate new log (log1.txt)
    Put the machine back on line if you have only the one.
    Post it here so I can check - then we'll move on to the next steps
    ===================================================
    *Note:
    Do not change/move around or
    tamper with any of the file(s) folder(s) and path
    included in the 'FINDnFIX' folder.
     
  6. JayJay66

    JayJay66 Registered Member

    Joined:
    May 3, 2004
    Posts:
    21
    ok here is the "RESTORE.bat" file



    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Sun 07/11/2004
    6:40pm up 0 days, 0:00

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q837009-Q832894-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»
    * result\\?\C:\WINDOWS\System32\COMJBA.DLL
    * result\\?\C:\WINDOWS\System32\COMK.DLL
    * result\\?\C:\WINDOWS\System32\KBDHMHK.DLL
    * result\\?\C:\WINDOWS\System32\RES.DLL
    * result\\?\C:\WINDOWS\System32\SQL.DLL
    * result\\?\C:\WINDOWS\System32\SQLG.DLL

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.
    Unknown/hidden files...

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»»»»» Search by size...


    C:\WINDOWS\SYSTEM32\
    comjba.dll Sat Jul 10 2004 7:44:14p A.... 57,344 56.00 K
    comk.dll Sat Jul 10 2004 10:19:58p A.... 57,344 56.00 K
    kbdhmhk.dll Sat Jul 10 2004 5:00:54p A.... 57,344 56.00 K
    res.dll Sat Jul 10 2004 7:46:02p A.... 57,344 56.00 K
    sql.dll Sat Jul 10 2004 7:47:02p A.... 57,344 56.00 K
    sqlg.dll Sat Jul 10 2004 4:57:26p A.... 57,344 56.00 K

    6 items found: 6 files, 0 directories.
    Total of file sizes: 344,064 bytes 336.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMJBA.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\COMK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\KBDHMHK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RES.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SQLG.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\FINDnFIX\junkxxx\WDMB.222


    C:\FINDNFIX\JUNKXXX\
    wdmb.222 Wed Jul 7 2004 3:17:48a A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\FINDNFIX\JUNKXXX\WDMB.222

    **File C:\FINDNFIX\JUNKXXX\WDMB.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- WDMB .222 0000E000 03:17.48 07/07/2004

    --a-- W32i - - - - 57,344 07-07-2004 wdmb.222
    A C:\FINDnFIX\junkxxx\wdmb.222

    CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
    MD5 Message Digest Algorithm by RSA Data Security, Inc.

    File name Size Date Time MD5 Hash
    ________________________________________________________________________
    WDMB.222 57344 07-07-104 03:17 c185b36f9969d3a6d2122ba7cbc02249File: <C:\FINDnFIX\junkxxx\wdmb.222> CRC-32 : D5C9FB2E MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
    »»Permissions:
    C:\FINDnFIX\junkxxx\wdmb.222 BUILTIN\Administrators:F
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    JAY\Jay:F
    BUILTIN\Users:R

    Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x JAY\Jay
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: JAY\Jay

    Primary Group: JAY\None

    Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x JAY\Jay
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: JAY\Jay

    Primary Group: JAY\None

    File "C:\FINDnFIX\junkxxx\wdmb.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x JAY\Jay
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

    Owner: JAY\Jay

    Primary Group: JAY\None

    C:\FINDnFIX\junkxxx\wdmb.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;JAY\Jay:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wdmb.222;BUILTIN\Users:RrRaRepX


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 @ vk ' z
    00001210:GDIProcessHandleQuota" 9 0 | vk X
    00001250:Spooler2 y e s n vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' F USERProcessHandleQuotaAc 8
    00001310:h vk p AppInit_DLLst T H
    00001350:E X T = . C O M ; . E X E ; . B A T ; . C M D ; . V B S ; . V B
    00001390:E ; . J S ; . J S E ; . W S F ; . W S H P R O C
    000013D0:E S S O R _ A R C H I T E C T U R E = x 8 6 P R O C
    00001410:E S S O R _ I D E N T I F I E R = x 8 6 F a m i l y 1 5 M
    00001450:eek: d e l 2 S t e p p i n g 9 , G e n u i n e I n t e l
    00001490: P R O C E S S O R _ L E V E L = 1 5 P R O C
    000014D0:E S S O R _ R E V I S I O N = 0 2 0 9 P r o g r a m F
    00001510:i l e s = C : \ P r o g r a m F i l e s P R O M
    00001550:p

    ---------- NEWWIN.TXT
    AppInit_DLLst
    --------------
    --------------
    --------------
    THEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Jay\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Jay\LOCALS~1\Temp
    USERDOMAIN=JAY
    USERNAME=Jay
    USERPROFILE=C:\Documents and Settings\Jay
    windir=C:\WINDOWS
     
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    *************************************
    Last step(s):

    -Open the FINDnFIX\Files2< Subfolder:
    Run the -> "ZIPZAP.bat" file.
    It will quickly clean the rest and
    will create a zipped copy of the bad file(s) in the same
    folder (named as-- junkxxx.zip) and open your email client with instructions:
    Simply drag and drop the 'junkxxx.zip' file from
    the folder into the mail message and submit
    to the specified addresses! Thanks!

    (Please include the link in your mail to the board
    that assisted you, so any errors in the process could be traced back!)

    When done, restart your computer and
    Delete and entire 'FINDnFIX' file+Subfolder(s)
    From C:\

    As for the remains, run any and all
    removal tools once again as they should work properly now!
    In particular,
    CWShredder and a fully updated Ad-Aware!

    --------- Setup for AdAware
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
    ----------------

    Feel free to post follow up hijackthis log when done!

    ------------
    To avoid and prevent immediate reinfection, you need to visit Windows Updates, scan and apply any and all security patches on offer.
     
  8. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Looking at the file sizes all these are involved ( 57,344 = 56.00 K )
    (all in C:\WINDOWS\SYSTEM32\ )
    comjba.dll
    comk.dll
    kbdhmhk.dll
    res.dll
    sql.dll
    sqlg.dll

    But it's likely that AdAware will get them - if not, make sure they get deleted -- but double check the file sizes first - if they don't match - don't delete
     
  9. JayJay66

    JayJay66 Registered Member

    Joined:
    May 3, 2004
    Posts:
    21
    Ad-aware found few things, all cookies tho. Everything seems back to normal. Here is my new log.

    Logfile of HijackThis v1.98.0
    Scan saved at 7:35:55 PM, on 7/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Mythic\Atlantis\game.dll
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jay\My Documents\My Pictures\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  10. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
Thread Status:
Not open for further replies.