
This is intended for anyone who has been plagued by the practically impossible-to-remove d8t.biz spyware. If your browser homepage and search page have been hijacked by the address http://s1di.d8t.biz/index.php?aid=20038 or any other address containing 'd8t.biz', then this is for you. This spyware is highly malicious: even if it is detected by various virus and spyware checkers, it repeatedly regenerates and the problem persists. I've had this on my computer for nearly 2 weeks now and only just got rid of it today. Here we go...

1. Download HijackThis from http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Run it, and get it to fix all references ending in sp.html; this is achieved by ticking the boxes alongside the appropriate lines and then clicking 'Fix checked'.
Also fix the following line:
O2 - BHO: (no name) - {random code} - C:\WINDOWS\System32\[suspicious].dll
N.B. [suspicious].dll represents the .dll file name, which will differ every time. It is the last entry that begins with O2, i.e. the next entry is usually O3 ... msdxm.ocx

2. Download and install FINDnFIX.exe from
http://downloads.subratam.org/FINDnFIX.exe

Run the "!LOG!.bat" file. This creates a file called log.txt; do not close this yet.
Scroll down the log; near the top of the page should be the following:
C:\WINDOWS\System32\[suspicious].DLL +++ File read error
C:\WINDOWS\System32\[suspicious].DLL +++ File read error
This .dll is the malicious spyware file that needs to be removed.

3. Open notepad.exe from the Start Menu > Accessories menu.
Open the file "MOVEit.bat", which is located in the C:\FINDnFIX\Keys1 subfolder.
The file will open as a text file.
Delete the instruction line which begins "REM...".
Copy and paste the following line in its place:
move %WinDir%\System32\[suspicious].DLL %SystemDrive%\junkxxx\[suspicious].DLL
Replace [suspicious] with the .dll file name discovered in log.txt.
Save the file and close notepad.

4. Get ready to restart your computer.
In the same folder, run "FIX.bat".
You will be prompted by a popup alert box that your computer will restart in 15 seconds.

5. Once the computer has restarted, open the C:\FINDnFIX\ main folder.
Run the "RESTORE.bat" file. This creates a new file called log1.txt.
There should now be no mention of the suspicious .dll file that was discovered in log.txt.

6. Open the FINDnFIX\Files2 subfolder.
Run "ZIPZAP.bat".
This will clean the rest of the bad files and make copies in the same folder as junkxxx.zip.
Your email client will open, along with an email instruction; ignore this and close it.

7. When this is finished, restart your computer.
Delete the entire 'FINDnFIX' folder from C:\
Make sure the C:\junkxxx folder was deleted (it will have been by the clean-up process, but just check anyway)

8. Your computer should now be totally free of the annoying spyware!

9. To prevent other such infections, read the following article, "Why did I get infected":
http://www.wilderssecurity.com/showthread.php?t=27971
I recommend installing SpywareBlaster & SpywareGuard; both links are on this page. In addition, it is well worth installing a firewall: I recommend ZoneAlarm, which is available here: http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp


I followed all your instructions but the diagnosis from XoftSpy is still the same as in my last post... :sad:

So I launched HJT and attached the related log: it seems the DLL in the O2 tag disappeared but the problem still remains....

What do you think??

Again... Notepad.exe seems to have disappeared....

---------------------

Logfile of HijackThis v1.97.7
Scan saved at 19.38.49, on 07/07/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\system32\acstp\icserv.exe
C:\WINDOWS\system32\acstp\wake_up.exe
C:\Program Files\Microsoft SQL Server\MSSQL$GCPM\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\RTE\RTEGPRS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
c:\program files\acnu\acnupdatersvc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;<local>
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [eSupInit] "C:\Program Files\Support.com\bin\eSupCmd.exe" -inituser
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe"
O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlackICE Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38175.0872222222
O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab


Hello,

While I yield to Crunchie and other HJT log experts, I can see that you have a problem with the C:\windows\System32\drivers\etc\hosts file.

Inside hosts, you should have one entry:

127.0.0.1 localhost

(This is for the IP stack's local configuration.)

Christian
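As an added illustration (not code from any of the posters), here are the two checks this thread describes, the first post's rule that the malicious entry is an unnamed O2 BHO sitting in System32 and Christian's rule that the hosts file should contain nothing but the localhost line, applied to a constructed HijackThis-style log in Python; the {DEADBEEF-...} CLSID and abcdxyz.dll are placeholders, not real indicators.

```python
import re

# Constructed HijackThis-style sample modelled on the log posted above; the
# {DEADBEEF-...} CLSID and abcdxyz.dll are placeholders, not real indicators.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.93 www.spybot.info
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {DEADBEEF-0000-0000-0000-000000000000} - C:\WINDOWS\System32\abcdxyz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# A file directly inside C:\WINDOWS\System32 (no further subfolder), case-insensitive.
SYS32_FILE_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def suspicious_hosts(log):
    """Return (ip, name) for every O1 entry other than '127.0.0.1 localhost'.

    The log in this thread points anti-spyware vendor sites at 127.0.0.9x,
    so the victim cannot reach the very tools that would remove the infection.
    """
    found = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m and (m.group(1), m.group(2).lower()) != ("127.0.0.1", "localhost"):
            found.append((m.group(1), m.group(2)))
    return found


def suspicious_bhos(log):
    """Return DLL paths of O2 BHOs matching the first post's description:
    '(no name)' and the file sits directly in System32. A nameless BHO
    elsewhere (Adobe's AcroIEHelper.ocx here) is deliberately not flagged.
    """
    found = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group(1) == "(no name)" and SYS32_FILE_RE.match(m.group(3)):
            found.append(m.group(3))
    return found


if __name__ == "__main__":
    for ip, name in suspicious_hosts(SAMPLE_LOG):
        print(f"hosts hijack: {name} -> {ip}")
    for path in suspicious_bhos(SAMPLE_LOG):
        print(f"unnamed BHO in System32: {path}")
```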


Gentlemen,

Further details...
I performed an Ad-Aware 6 (trial version) scan too...
It identified 10 objects (infected).....

Attached is an interesting section from the Ad-Aware log..... I hope it'll be useful..


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Cydoor Object recognized!
Type : File
Data : cd_clint.dll
Category : Data Miner
Comment :
Object : C:\Documents and Settings\firstname.lastname\Local Settings\Temp\
FileSize : 122 KB
FileVersion : 3, 2, 1, 6
ProductVersion : 3, 2, 1, 6
Copyright : Copyright
FileDescription : cd_clint
InternalName : cd_clint
OriginalFilename : cd_clint.dll
ProductName : cd_clint
Created on : 14/04/04 10.30.28
Last accessed : 08/07/04 10.36.56
Last modified : 31/07/03 12.02.00

scam.noadware.net Object recognized!
Type : File
Data : noadware.exe
Category : Malware
Comment :
Object : C:\Program Files\NoAdware\
FileSize : 1568 KB
FileVersion : 2.01
ProductVersion : 2.01
Copyright : Copyright (C) 2003
CompanyName : NoAdware (http://www.noadware.net)
FileDescription : NoAdware Application
InternalName : NoAdware
OriginalFilename : NoAdware.EXE
ProductName : NoAdware Application
Created on : 09/03/04 16.28.32
Last accessed : 08/07/04 09.48.58
Last modified : 09/03/04 16.28.32

iSearch Toolbar Object recognized!
Type : File
Data : a0085893.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP106\
FileSize : 400 KB
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004. All rights reserved.
CompanyName : iDownload.com
FileDescription : iSearch Toolbar
InternalName : iSearch Toolbar
OriginalFilename : toolbar.dll
ProductName : iSearch Toolbar
Created on : 17/03/04 14.56.02
Last accessed : 08/07/04 10.41.56
Last modified : 17/03/04 14.56.02

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 3


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
30 entries scanned.
New objects :0
Objects found so far: 3


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

scam.noadware.net Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\NoAdware


scam.noadware.net Object recognized!
Type : Folder
Category : Malware
Comment :
Object : c:\program files\NoAdware


scam.noadware.net Object recognized!
Type : File
Data : noadware.lnk
Category : Malware
Comment :
Object : c:\documents and settings\firstname.lastname\desktop\

Created on : 07/07/04 09.07.42
Last accessed : 08/07/04 10.54.00
Last modified : 07/07/04 09.07.42

scam.noadware.net Object recognized!
Type : File
Data : logs
Category : Malware
Comment :
Object : c:\program files\noadware\

Created on : 07/07/04 09.07.43
Last accessed : 08/07/04 09.50.22
Last modified : 07/07/04 09.07.43

scam.noadware.net Object recognized!
Type : File
Data : noadware_061904_v201.na
Category : Malware
Comment :
Object : c:\program files\noadware\
FileSize : 343 KB
Created on : 07/07/04 09.07.59
Last accessed : 08/07/04 10.54.00
Last modified : 07/07/04 09.08.01

scam.noadware.net Object recognized!
Type : File
Data : unins000.dat
Category : Malware
Comment :
Object : c:\program files\noadware\
FileSize : 1 KB
Created on : 07/07/04 09.07.42
Last accessed : 08/07/04 10.54.00
Last modified : 07/07/04 09.07.42

scam.noadware.net Object recognized!
Type : File
Data : unins000.exe
Category : Malware
Comment :
Object : c:\program files\noadware\
FileSize : 74 KB
FileVersion : 51.9.0.0
ProductVersion :
Copyright : Copyright (C) 1997-2003 Jordan Russell
CompanyName : Jordan Russell
FileDescription : Inno Setup Uninstaller
Created on : 28/11/03 03.00.00
Last accessed : 08/07/04 10.54.00
Last modified : 28/11/03 03.00.00

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 7
Objects found so far: 10


11.54.00 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00.26.45.309
Objects scanned :159744
Objects identified :10
Objects ignored :0
New objects :10
