Pieter, need just a little help.

Discussion in 'adware, spyware & hijack cleaning' started by Zen, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. Zen

    Zen Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Logfile of HijackThis v1.97.7
    Scan saved at 9:46:29 AM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Forrest\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.4376851852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DB64074F-2C2B-4793-AB2B-B67EF6C8F221}: NameServer = 68.82.0.5,68.82.0.6
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EED42966-7D8D-45C0-AB7C-D52193D996D3}: NameServer = 68.82.0.5,68.82.0.6

    I've run ad-aware prior to running hijack this.
    I have a descent understanding of how this about blank thing works. I just need help finding the hidden offending file. find-all is no longer available and the replacement isn't working for me. Could you help?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Copy the contents of the bold text to Notepad.
    Name the file Appinit.bat
    Save as type *All Files*
    Save on the Desktop.

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt

    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Post the content please.

    Regards,

    Pieter
     
  3. Zen

    Zen Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    I've attached the file Pieter. And thank you very much for your attention.
     

    Attached Files:

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Did you see it?

    AppInit_DLLsÖæGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s b . d l l

    So your hidden file is C:\Windows\System32\msb.dll

    Good luck and holler if you need help.

    Regards,

    Pieter
     
  5. Zen

    Zen Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    I didn't even look, I thought it was all jibberrish. Next time I'll look!

    My next step would be rc correct? Any special commands other than del c:\windows\system32 msb.dll?

    And if you have time, how exactly did your prog find that?

    You are a great guy. I'd like to make some sort of contribution. Suggestions?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    That command reads a part of the registry and turns it into a text file.

    Some of the jibberish is put there on purpose so you won't find out that that dll is starting from the AppInit_DLLs key.

    The Recovery console is the surest way to get rid of it.
    There is a program called TheKillbox that will often work or any other program that allows you to use MoveFileEx():
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;140570

    Regards,

    Pieter
     
  7. Zen

    Zen Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    So far so good. Deleted the file from rc.

    Not interested in contributions Pieter?
    You deserve something for your efforts. Payin you enough?
     
  8. Zen

    Zen Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    also, I just followed that path in the registry and the entry still points to the msb.dll offender. Leave that alone?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    It is visible now so you can delete the value, not the registry key.

    Follow the link my signature. ;)

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.