0

Hi, hope you guys can help me. Booted into Safe mode (XP w/ SP1), ran cwshredder, then ran hijackthis and this is the log file it created.

Logfile of HijackThis v1.97.7
Scan saved at 3:11:35 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\jbb\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5196064815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

5 Contributors, 12 Replies, 13 Views, 13 Years Discussion Span, Last Post by crunchie
0

Instructions follow:

=== Get File Info ===
Download Beta-Fix.exe from here:
Beta-Fix
Link isn't working for some reason. Right click and copy shortcut and paste it into your address bar and hit enter to activate the download.

Double Click on the Beta-Fix.exe and it will install the batch file in its own folder in the same location as the file you downloaded.

Open the Beta-Fix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL Windows except Find-All.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the Beta-Fix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

0

I got this tip from thread5531

http://daniweb.com/techtalkforums/thread5531.html

It had an added step of downloading TheKillbox and looking for a hidden filename. Perhaps this will help you. (from 6/18/04 5:17 pm)
When I tried to look in AppInit_DLLs, I just had 0 0 0 0, so I didn't know what to do with the Killbox program. Better luck to you.

0

About:blank homepage is back this morning. Here's the log file. Attached is the win.txt file. Thanks for any help.


Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Wed 06/23/2004
8:52am up 0 days, 0:10
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\WINMIA.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINMIA.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\Beta-Fix\LIST.TXT
WINMIA.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINDOWS\SYSTEM32\
winmia.dll Fri Jun 18 2004 3:25:58p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

C:\WINDOWS\SYSTEM32\
msexcl35.dll Thu Sep 9 1999 10:06:38p A.S.. 252,688 246.77 K
msjet35.dll Tue Sep 28 1999 9:42:48p A.S.. 1,050,896 1.00 M
msjint35.dll Thu Jun 10 1999 9:34:04a A.S.. 123,664 120.77 K
msjter35.dll Thu Jun 10 1999 9:34:04a A.S.. 24,848 24.27 K
msltus35.dll Thu Sep 9 1999 10:06:38p A.S.. 168,720 164.77 K
mspdox35.dll Mon Jun 7 1999 6:59:34p A.S.. 250,128 244.27 K
msrd2x35.dll Sun Apr 25 1999 5:00:00p A.S.. 252,176 246.27 K
msrepl35.dll Wed Aug 25 1999 2:57:26p A.S.. 415,504 405.77 K
mstext35.dll Thu Sep 30 1999 7:21:24p A.S.. 166,672 162.77 K
msxbse35.dll Sun Apr 25 1999 5:00:00p A.S.. 287,504 280.77 K
vbar332.dll Sun Apr 25 1999 5:00:00p A.S.. 368,912 360.27 K

11 items found: 11 files, 0 directories.
Total of file sizes: 3,361,712 bytes 3.20 M
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WINMIA.DLL

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group BEIDLER\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BEIDLER\JBB
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: BEIDLER\JBB

Primary Group: BEIDLER\None

»»»»»»Backups created...»»»»»»
8:53am up 0 days, 0:11
Wed 06/23/2004

A C:\Beta-Fix\winBackup.hiv
--a-- - - - - - 8,192 06-23-2004 winbackup.hiv
A C:\Beta-Fix\keys1\winkey.reg
--a-- - - - - - 287 06-23-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
fùAppInit_DLLsÖæG¸ÿÿÿC
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuota,

**File C:\Beta-Fix\WIN.TXT

0

Also, about the same time I got infected, I seem to have lost my notepad program. Is this somehow related?

0

Here's my latest HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 10:22:59 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Novell\GroupWise\Notify.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Documents and Settings\jbb\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C80DC90-294F-40A0-9BC7-43401890F9C7} - C:\WINDOWS\System32\fgcdb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.5196064815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

If you're not getting any help, try and do some research on your own while waiting. When I'm interpreting an HJT log, I take the last bit of the entry listed, and I put it into Google. For instance, take

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html

I did a Google search for "sp.html"+"spyware". If you sift enough through those links, you will find that sp.html isn't something you want, and should be removed. You can do the same thing with every other entry, too.

If you do that, you'll have fixed it yourself. Then, if you get familiar enough with what you're seeing, maybe you can help out others here!
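
The "take the last bit of the entry and look it up" approach above is the manual form of a triage pass over the log. As an added example that is not part of this thread, of HijackThis, or of Beta-Fix, here is a small Python parser that applies a few defender heuristics to the R0/R1, O2 and O4 line types seen in the logs posted here: an IE search or start page set to a file:// URL, especially one under a Temp directory; a BHO whose DLL is missing, or an unnamed one loading from System32; and an autorun entry given as a bare filename (resolved through the search path) or living in Temp. The sample input is constructed to match the shape of lines in this thread's logs; the function names and heuristics are my own, not anything HijackThis provides.

```python
"""Triage HijackThis-style log lines with a few defender heuristics.

Added example, not code from the thread, from HijackThis or from Beta-Fix.
"""
import re

# Constructed sample input: entries shaped like the ones posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\jbb\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C80DC90-294F-40A0-9BC7-43401890F9C7} - C:\WINDOWS\System32\fgcdb.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
TEMP_DIR_RE = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def parse_entry(line):
    """Split one log line into (section code, body); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def _ie_setting_reasons(body):
    """R0/R1: IE start/search page values. Body is '<registry path>,<setting> = <value>'."""
    setting, _, value = body.partition("=")
    setting, value = setting.strip(), value.strip()
    reasons = []
    if value.lower().startswith("file://"):
        reasons.append(f"IE {setting.rsplit(',', 1)[-1]} points at a local file: {value}")
        if TEMP_DIR_RE.search(value):
            reasons.append("that file lives under a Temp directory, where a real search page never is")
    if setting.endswith("HomeOldSP") and value.lower() == "about:blank":
        reasons.append("HomeOldSP saved as about:blank, the signature of the about:blank hijack")
    return reasons


def _bho_reasons(body):
    """O2: Browser Helper Objects. Body is 'BHO: <name> - {CLSID} - <path>[ (file missing)]'."""
    fields = [f.strip() for f in body.split(" - ")]
    if len(fields) < 3:
        return ["BHO entry does not have the expected name / CLSID / path layout"]
    name, path = fields[0][len("BHO:"):].strip(), fields[-1]
    reasons = []
    if path.endswith("(file missing)"):
        path = path[: -len("(file missing)")].strip()
        reasons.append("BHO is registered but its DLL is gone (leftover of a removal or a self-deleting dropper)")
    if name == "(no name)" and SYSTEM32_RE.search(path):
        reasons.append(f"unnamed BHO loading from System32: {path}")
    return reasons


def _autorun_reasons(body):
    """O4: Run keys and startup folders. Body is 'HKLM\\..\\Run: [Name] <cmd>' or 'Global Startup: X.lnk = <path>'."""
    m = re.match(r"[^:]*:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
    if m:
        cmd = m.group("cmd").strip()
    elif " = " in body:
        cmd = body.split(" = ", 1)[1].strip()
    else:
        return []
    # First token of the command: the quoted path if quoted, else up to the first space.
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    reasons = []
    if not any(ch in exe for ch in "\\/:"):
        reasons.append(f"autorun target is a bare filename ({exe}), resolved through the search path; confirm which copy actually runs")
    if TEMP_DIR_RE.search(cmd):
        reasons.append("autorun target lives under a Temp directory")
    return reasons


HANDLERS = {"R0": _ie_setting_reasons, "R1": _ie_setting_reasons,
            "O2": _bho_reasons, "O4": _autorun_reasons}


def triage_entry(line):
    """Return the reasons one log line deserves a closer look (empty list = nothing flagged)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    handler = HANDLERS.get(kind)
    return handler(body) if handler else []


def triage_log(text):
    """Map every flagged log line to its reasons; unflagged lines are left out."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

The flags are prompts for review, not verdicts: the NWTRAY.EXE entry in this log is flagged only because it is a bare name, and whether it is legitimate still takes the lookup the post describes. Sections this example does not handle (O3, O9, O12, O16) pass through unflagged, so anything those sections say still needs the manual check.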

0

Any help at all please? Nothing I do seems to work.

Sorry for not getting back earlier, I work all day at a real job.

Step 2 === Delete Hidden DLL ===
Open the Beta-Fix folder.
Open the keys1 folder.
RightClick on the "MOVEit.bat" file, select--> edit.
Copy and paste this line into the batch file, replacing the line there.

move %WinDir%\System32\WINMIA.DLL %SystemDrive%\junkxxx\WINMIA.DLL

Save the file and close.

Get ready to restart!
Still in the keys1 folder, double click on FIX.bat.
You will get an alert of ~20 secs before reboot.
Allow it to reboot!

On restart, Open the Beta-Fix folder.
DoubleClick on RESTORE.bat.
When it is finished, open the Beta-Fix folder.
Post the contents of Log1.txt in this thread.


=== Batch Clean Up ===
Open the Beta-Fix folder.
Open the Files2 folder.
Double Click on the ZIPZAP.bat.

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to your log file in the email.

When done, please delete the entire Beta-Fix folder.

=== Clean Remaining Infection ===
Please Download CoolWebShredder, from
http://www.merijn.org/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip

Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.

Next:
Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

Select 'custom options'.
Select your drive, scan and fix all it finds.

And empty the contents of C:\DOCUME~1\jbb\LOCALS~1\Temp

and C:\WINDOWS\TEMP


Last:
Post a new HiJackThis log in this thread.

0

caperjack, thanks for your time, but I think there's one small glitch. As you'll read in my 3rd post, I seem to have lost my notepad program about the same time I got infected. Not sure how this happened, but I've used it many times in the past. The MOVEit.bat file is blank and when I run the !LOG!.bat file it finishes and then can't find notepad to save the text file. Any ideas?

0

Two things I found people are trying for the notepad problem.
Another thing worth checking.
I had a trojan last week that renamed my notepad.
Do a search on your system for notpad.exe or look in your system folders.
If you do find it, you have a trojan.
The original notepad is now called notpad.exe and the trojan notepad.exe.
When it enters the system it renames itself as notepad.exe and renames the original Microsoft file to notpad.exe, thus rendering it useless.
You need to delete notepad.exe then rename notpad.exe back to notepad.exe.

and this one
Try this. Download notepad.exe, and place it in both these locations:
C:\WINDOWS and C:\WINDOWS\System32


http://www.computing.net/windowsxp/wwwboard/forum/106060.html

0

Thanks. Well I finally fixed everything. Adware away was the only thing that finally worked. I also fixed notepad.
