
Hi,
I've been fighting this about:blank searchx since Sunday. Scanned with Ad-aware, Spybot, CWShredder and pulled the rest of the creepy stuff I could recognize with HJT. Everything seems clear, and then it's back after a while. I saw Caperjack's post in a similar thread, so I'm posting a log from beta-fix along with my most recent HijackThis log. Can anybody give me another clue?

Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 5:30:14 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\wpabaln.exe
C:\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINNT\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38160.8547916667



beta-fix log
--------------------------------------------


Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.


Wed 06/23/2004
5:56pm  up 0 days,  0:25
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!


»»Locked or 'Suspect' file(s) found...



C:\WINNT\System32\CTLFO.DLL +++ File read error
\\?\C:\WINNT\System32\CTLFO.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\Beta-Fix\LIST.TXT
CTLFO.DLL    Can't Open!


****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
C:\WINNT\SYSTEM32\
ctlfo.dll      Thu Jun 17 2004   4:18:34p  A...R         57,344    56.00 K
1 item found:  1 file, 0 directories.
Total of file sizes:  57,344 bytes     56.00 K
No matches found.
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINNT\SYSTEM32\CTLFO.DLL


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)


Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448


»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read           BUILTIN\Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group CHRISTOPHER\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type    Flags    Inh. Mask     Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow   00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow   0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow   00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow   0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow   00000010 t--- 001F01FF ---- DSPO rw+x CHRISTOPHER\Owner
Allow   0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow   00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow   0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow   00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow   00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: CHRISTOPHER\Owner
Primary Group: CHRISTOPHER\None



»»»»»»Backups created...»»»»»»
5:57pm  up 0 days,  0:26
Wed 06/23/2004


A          C:\Beta-Fix\winBackup.hiv
--a--    -   -   -               -   -      8,192 06-23-2004 winbackup.hiv
A          C:\Beta-Fix\keys1\winkey.reg
--a--    -   -   -               -   -        287 06-23-2004 winkey.reg


»»Performing  16bit string scan....
---------- WIN.TXT
fùAppInit_DLLsÖæGÀÿÿÿC
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota
u0ZSY


**File C:\Beta-Fix\WIN.TXT


Last Post by bentkey

Also, if I try to run the online virus scan from Trend Micro, IE crashes before the scan can start. Also, I ran the Windows file protection check, and it found nothing.


I'm just curious Alc6379, what was it about my post that made you think I had not already done my homework?

So, on to my problem, or rather the solution to my problem. I will post here so others may benefit. None of the automatic removal tools permanently got rid of CWS about:blank. CWShredder found it, cleaned it, and it would come back. Norton AntiVirus found nothing. Ad-Aware would find and clean it, but it would come back; same with Spybot S&D. I tried the online checkup from Trend Micro, but it wouldn't run. In Caperjack's post to JohnCT with a similar problem he advised him to get beta-fix and post the log. Unfortunately, he hadn't said what to do with it until today. So, I did the same and it found a different file. Mine was ctlfo.dll, apparently a new variant. After removal, Trend Micro could run and did detect the file (I put a copy in a harmless place just to see). So, as vicious as these things have become, I'm not sure if the high-level tools are going to be much help in the future. I know I can't afford to spend this much time every time a customer gets infected.

Thanks Caperjack

Votes + Comments
I judged you completely wrong, man! --alc6379
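The beta-fix log above makes two checks that the HijackThis log and regedit cannot: it measures the size of the `HKLM\...\CurrentVersion\Windows` key (450 is the default, 398 means no AppInit_DLLs value, and 448/504/512 are sizes the tool associates with a fake or infected value) and it runs a raw string scan over a backup of that key, which turned up `AppInit_DLLs` even though the REGEDIT4 export shows `"AppInit_DLLs"=""`. The point is that you should trust the bytes on disk over what regedit displays. The following is an added example, not beta-fix's code and not anything from this thread: it pulls printable ASCII and UTF-16LE strings out of raw hive bytes, collects any DLL names that appear right after an `AppInit_DLLs` name, and compares them with what a `.reg` export claims. The hive byte layout in `SAMPLE_HIVE_INFECTED` and `SAMPLE_HIVE_CLEAN` is constructed for the example (it is not the real hive cell format), and the export text is the one printed in the log. On a real machine you would feed it a file saved with `reg save` (such as the `winBackup.hiv` the tool wrote) and a `reg export` of the same key.

```python
"""Compare the AppInit_DLLs value a .reg export shows with strings found in raw hive bytes."""
import re
from typing import Dict, List, Optional, Tuple

# Runs of >= 4 printable characters, stored either as plain ASCII or as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
EXPORT_LINE = re.compile(r'^"AppInit_DLLs"="(.*)"\s*$', re.MULTILINE)


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every ASCII or UTF-16LE string in blob, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def appinit_entries_in_hive(blob: bytes, lookahead: int = 3) -> List[str]:
    """DLL names that sit within `lookahead` strings after an AppInit_DLLs value name.

    Value names are stored as ASCII when possible and REG_SZ data as UTF-16LE, so the
    name and its data show up as two separate strings a few bytes apart.
    """
    strings = extract_strings(blob)
    dlls: List[str] = []
    for i, (_, text) in enumerate(strings):
        if "AppInit_DLLs" not in text:
            continue
        for _, following in strings[i + 1 : i + 1 + lookahead]:
            # AppInit_DLLs may hold a space- or comma-separated list of DLLs.
            for token in re.split(r"[ ,]+", following.strip()):
                if token.lower().endswith(".dll"):
                    dlls.append(token)
    return dlls


def appinit_from_export(reg_text: str) -> Optional[str]:
    """The AppInit_DLLs value as regedit exported it, or None if the line is absent."""
    m = EXPORT_LINE.search(reg_text)
    return m.group(1) if m else None


def compare(reg_text: str, blob: bytes) -> Dict[str, object]:
    """Flag DLLs present in the raw bytes that the export does not admit to."""
    shown = appinit_from_export(reg_text) or ""
    in_hive = appinit_entries_in_hive(blob)
    suspicious = [d for d in in_hive if d.lower() not in shown.lower()]
    return {"export_shows": shown, "hive_contains": in_hive, "suspicious": suspicious}


# The REGEDIT4 export exactly as the beta-fix log printed it.
SAMPLE_EXPORT = """REGEDIT4
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"""

# Constructed stand-ins for raw hive bytes (not the real hive cell format): an ASCII value
# name followed by UTF-16LE data, with non-printable padding between cells.
SAMPLE_HIVE_INFECTED = (
    b"\x00" * 8 + b"vk\x0c\x00\x00\x00"
    + b"AppInit_DLLs" + b"\x00" * 4
    + "C:\\WINNT\\System32\\ctlfo.dll".encode("utf-16-le") + b"\x00" * 6
    + b"DeviceNotSelectedTimeout" + b"\x00" * 4 + "15".encode("utf-16-le") + b"\x00" * 6
)
SAMPLE_HIVE_CLEAN = (
    b"\x00" * 8 + b"vk\x0c\x00\x00\x00"
    + b"AppInit_DLLs" + b"\x00" * 6  # empty REG_SZ data: nothing to load
    + b"DeviceNotSelectedTimeout" + b"\x00" * 4 + "15".encode("utf-16-le") + b"\x00" * 6
)


if __name__ == "__main__":
    for label, blob in (("infected", SAMPLE_HIVE_INFECTED), ("clean", SAMPLE_HIVE_CLEAN)):
        print(label, compare(SAMPLE_EXPORT, blob))
```

The export parser is deliberately the weak side of the comparison: it reports only what regedit chose to write, which is exactly the view the hijacker is counting on. Anything the raw scan finds that the export does not show is worth treating the way beta-fix treated ctlfo.dll, as a file to unlock and pull before trusting the machine again.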

> I'm just curious Alc6379, what was it about my post that made you think I had not already done my homework?

My apologies. I must have overlooked the statement preceding your log(s). I'm so used to members whose first post is, "Here's my HJT log-- FIX IT... FIX IT NOW! kthxbye!" Obviously, you're not one of those members, and I hope you'll accept my apologies.

> So, on to my problem, or rather the solution to my problem. I will post here so others may benefit. None of the automatic removal tools permanently got rid of CWS about:blank. CWShredder found it, cleaned it, and it would come back. Norton AntiVirus found nothing. Ad-Aware would find and clean it, but it would come back; same with Spybot S&D. I tried the online checkup from Trend Micro, but it wouldn't run. In Caperjack's post to JohnCT with a similar problem he advised him to get beta-fix and post the log. Unfortunately, he hadn't said what to do with it until today. So, I did the same and it found a different file. Mine was ctlfo.dll, apparently a new variant. After removal, Trend Micro could run and did detect the file (I put a copy in a harmless place just to see). So, as vicious as these things have become, I'm not sure if the high-level tools are going to be much help in the future. I know I can't afford to spend this much time every time a customer gets infected.
>
> Thanks Caperjack

Going further than an apology, now to praise. You're exactly the type of member we're looking to keep around here. You did your homework/research, continued to research even after posting your question, and then you contributed back to the community. AWESOME!

now... where's that reputation button...

Again, please accept my apologies. :)


:D No apologies needed, I'm sure it gets mind numbing looking at one hjt log after another. I have only the best of feelings at this site.
