Cws.searchx - About:blank


  • This topic is locked
12 replies to this topic

#1 Swede

Swede

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 July 2004 - 04:14 AM

Hi

I have problems with CWS.Searchx - About:Blank which keeps coming back and trying to change my start page to About:Blank.

I use SpySweeper and that alerts me every time it happens and changes it back to the correct start page. (When I start the computer I (very often) VERY briefly see the about:blank start page for just a fraction of a second before my correct start page appears.)

I also use CWShredder that finds and removes CWS.Searchx but nothing else.

I appreciate any help that I can get. Hijack logfile below.

Regards and tusen tack from Sweden!

/Jonas


Logfile of HijackThis v1.97.7
Scan saved at 11:40:29, on 2004-07-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\NORTON~1\navapw32.exe
C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program\Microsoft IntelliType Pro\type32.exe
C:\Program\Microsoft IntelliPoint\point32.exe
C:\Program\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program\iD2\CSP\iD2CertMover.exe
C:\WINDOWS\system32\id2scaps.exe
C:\Program\Delade filer\Real\Update_OB\rnathchk.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ÄGAREN~1\LOKALA~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ÄGAREN~1\LOKALA~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ÄGAREN~1\LOKALA~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ÄGAREN~1\LOKALA~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ÄGAREN~1\LOKALA~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ÄGAREN~1\LOKALA~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED635884-37A3-4D68-BA2C-50DBCD50F9A3} - C:\WINDOWS\System32\elofii.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
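A small triage script for a log in this format, added here as an example; it is not part of the thread and not HijackThis's own code. It assumes HijackThis 1.97's one-entry-per-line layout and runs over a constructed excerpt modelled on the log above (profile name replaced with USER~1). The rules it applies are the ones this thread turns on: IE search/start settings pointing at a local file or at about:blank, and an unnamed BHO loaded from the system directory.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in HijackThis 1.97 format, modelled on the log posted
# above (a few lines only; the profile name is replaced with USER~1).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER~1\LOKALA~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED635884-37A3-4D68-BA2C-50DBCD50F9A3} - C:\WINDOWS\System32\elofii.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
""".strip()

# "<section> - <body>", e.g. "R1 - HKCU\...,Search Bar = file://..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
SYSTEM_DIR_RE = re.compile(r"\\WINDOWS\\System32\\", re.IGNORECASE)


class Finding(NamedTuple):
    kind: str     # HJT section, e.g. "R1" or "O2"
    reason: str   # why the line was flagged
    line: str     # the original log line


def check_ie_setting(body: str) -> Optional[str]:
    """R0/R1 lines: 'HKxx\\...\\Main,<setting> = <value>'. Flag values that
    send IE to a local file or to about:blank, the two symptoms in this thread."""
    if " = " not in body:
        return None
    _key, value = body.split(" = ", 1)
    v = value.strip().lower()
    if v.startswith("file://"):
        return "IE search/start setting redirected to a local file"
    if v == "about:blank":
        return "IE setting set to about:blank (matches the reported hijack)"
    return None


def check_bho(body: str) -> Optional[str]:
    """O2 lines: an extension with no name that loads from the system
    directory is worth identifying before anything else is touched."""
    m = BHO_RE.match(body)
    if not m:
        return None
    if m.group("name") == "(no name)" and SYSTEM_DIR_RE.search(m.group("path")):
        return "unnamed BHO loading a DLL from the system directory; identify the file"
    return None


CHECKS = {"R0": check_ie_setting, "R1": check_ie_setting, "O2": check_bho}


def triage(log_text: str) -> List[Finding]:
    """Apply the section-specific checks to every entry line of a log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header, process list, blank line
        check = CHECKS.get(m.group("kind"))
        if check is None:
            continue                      # section we have no rule for
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("kind"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it as a script to print the findings, or import `triage` and hand it a whole log. The BHO rule is a pointer, not a verdict: some legitimate extensions register without a name, so the DLL has to be identified first, which is what the follow-up checks with Registrar Lite and FINDnFIX in this thread do.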



#2 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 03 July 2004 - 06:29 AM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

#3 Swede

Swede

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 July 2004 - 08:03 AM

From Registrar Lite: C:\WINDOWS\System32\winoek.dll

From FINDnFIX:

*** freeatlast100.100free.com ***
Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894-Q831167
Filsystemet är av typen NTFS.
C: är inte skadad.
2004-07-03 3:46pm up 0 days, 4:07

***LOG!***
Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...
C:\WINDOWS\System32\WINOEK.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINOEK.DLL +++ File read error
(*2*) ........
**File C:\FINDnFIX\LIST.TXT
WINOEK.DLL Can't Open!
(*3*) ........
C:\WINDOWS\SYSTEM32\
winoek.dll Wed 2004-04-28 22.37.20 A...R 57 344 56,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57 344 bytes 56,00 K
unknown/hidden files...
No matches found.
(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\WINOEK.DLL
*********
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Användare
(ID-IO) ALLOW Read BUILTIN\Användare
(ID-NI) ALLOW Full access BUILTIN\Administratörer
(ID-IO) ALLOW Full access BUILTIN\Administratörer
(ID-NI) ALLOW Full access NT INSTANS\SYSTEM
(ID-IO) ALLOW Full access NT INSTANS\SYSTEM
(ID-IO) ALLOW Full access SKAPARE ÄGARE
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Användare
Full access BUILTIN\Administratörer
Full access NT INSTANS\SYSTEM
Member of...: (Admin logon required!)
User is a member of group SIF1\Ingen.
User is a member of group \Alla.
User is a member of group BUILTIN\Administratörer.
User is a member of group BUILTIN\Användare.
User is a member of group \LOKAL.
User is a member of group NT INSTANS\INTERAKTIV.
User is a member of group NT INSTANS\Autentiserade användare.
Service search:(different variant)
'"Network Security Service","__NS_Service_3"...
[SC] GetServiceKeyName FAILED 1060:
Angiven tjänst är inte installerad.
[SC] GetServiceDisplayName FAILED 1060:
Angiven tjänst är inte installerad.
Notepad check....
C:\WINDOWS\
notepad.exe Fri 2001-09-07 14.00.00 A.... 66 560 65,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66 560 bytes 65,00 K
C:\WINDOWS\SYSTEM32\
notepad.exe Fri 2001-09-07 14.00.00 A.... 66 560 65,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66 560 bytes 65,00 K
C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Fri 2001-09-07 14.00.00 A.... 66 560 65,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66 560 bytes 65,00 K
--a-- W32i APP SVE 5.1.2600.0 shp 66,560 09-07-2001 notepad.exe
Language 0x041d (Svenska)
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Anteckningar
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Operativsystemet Microsoft Windows
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. Med ensamrätt.
VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000
Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administratörer
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT INSTANS\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x SIF1\Ägaren
Allow 0000000B -co- 10000000 ---A ---- ---- \SKAPARE ÄGARE
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Användare
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Användare
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Användare
Owner: SIF1\Ägaren
Primary Group: SIF1\Ingen
Backups created...
3:47pm up 0 days, 4:08
2004-07-03
A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-03-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-03-2004 winkey.reg
Performing 16bit string scan....
00001150: vk > f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ w i n o e k . d l l
000011D0: h vk UDeviceNotSelectedTimeout
00001210: 1 5 ( W 9 0 vk ' zGDIProce
00001250:ssHandleQuota" vk Spooler2 y e s 0
00001290: h 0 ` vk =pswapdisk vk
000012D0: R TransmissionRetryTimeout h 0 `
00001310: vk ' USERProcessHandleQuota j
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
----------
WIN.TXT
fAppInit_DLLs֍GC
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
Windows AppInit UDeviceNotSelectedTimeout zGDIProcessHandleQuota" Spooler2 =pswapdisk TransmissionRetryTimeout USERProcessHandleQuota
**File C:\FINDnFIX\WIN.TXT
regf Pugf
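The "16bit string scan" in the FINDnFIX output above finds C:\WINDOWS\System32\winoek.dll in the hive backup even though the REGEDIT4 export of the same key shows "AppInit_DLLs"="". The scan reads the raw hive bytes instead of asking the registry API, so data the API renders as empty still shows up as a UTF-16LE string, and the log's "MISSING TRAILING NULL CHARACTER" line is a check on what follows that string. The following is an added example of that technique, not FINDnFIX's code: it scans a constructed hive-like byte fragment (not a real hive, just enough layout to exercise the scanner) for 8-bit and UTF-16LE strings and records whether each run is NUL-terminated.

```python
import re
from typing import List, NamedTuple

# Printable runs of at least MIN_LEN characters, as 8-bit text or as UTF-16LE.
MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


class Found(NamedTuple):
    offset: int           # byte offset of the run in the blob
    encoding: str         # "ascii" or "utf-16-le"
    text: str
    nul_terminated: bool  # is the run followed by a NUL of its own width?


def build_sample_fragment() -> bytes:
    """Constructed stand-in for a few 'vk' (value) cells of a registry hive.
    Not a real hive: it only reproduces the mix a scan over a hive backup has
    to handle, 8-bit value names next to UTF-16LE REG_SZ data."""
    hidden = r"C:\WINDOWS\System32\winoek.dll"   # path from the thread's log
    other = r"C:\TEMP\other.dll"                  # constructed, left unterminated
    return (
        b"regf" + bytes(12)                                    # hive signature + filler
        + b"vk\x0c\x00" + b"AppInit_DLLs" + bytes(4)           # 8-bit value name
        + hidden.encode("utf-16-le") + b"\x00\x00"             # REG_SZ data, terminated
        + b"vk\x18\x00" + b"DeviceNotSelectedTimeout" + bytes(4)
        + "15".encode("utf-16-le") + b"\x00\x00"               # too short to be reported
        + b"vk\x0c\x00" + b"Spooler" + bytes(4)
        + other.encode("utf-16-le") + b"\xff\xff"              # no trailing NUL pair
        + bytes(8)
    )


def scan_strings(blob: bytes) -> List[Found]:
    """Return every printable run, in offset order, with its encoding and
    whether the bytes right after it are a NUL of the same width."""
    found: List[Found] = []
    for m in ASCII_RE.finditer(blob):
        end = m.end()
        found.append(Found(m.start(), "ascii", m.group().decode("ascii"),
                           blob[end:end + 1] == b"\x00"))
    for m in UTF16_RE.finditer(blob):
        end = m.end()
        found.append(Found(m.start(), "utf-16-le", m.group().decode("utf-16-le"),
                           blob[end:end + 2] == b"\x00\x00"))
    return sorted(found, key=lambda f: f.offset)


def find_dll_paths(blob: bytes) -> List[Found]:
    """The records a responder cares about: anything that looks like a DLL path."""
    return [f for f in scan_strings(blob)
            if ("\\" in f.text or "/" in f.text) and f.text.lower().endswith(".dll")]


if __name__ == "__main__":
    blob = build_sample_fragment()
    for f in scan_strings(blob):
        print(f"{f.offset:08X} {f.encoding:9s} nul={str(f.nul_terminated):5s} {f.text}")
    print("DLL paths:", [f.text for f in find_dll_paths(blob)])
```

Pointed at a real hive backup such as the winBack.hiv the tool creates, the same two regular expressions recover the value names and the string data regardless of what the registry API reports for the key; a DLL path that turns up in the scan but not in the export is the thing to investigate.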

#4 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 03 July 2004 - 08:04 AM

Open the FINDnFIX folder and then open the keys1 folder. Right-click on the MOVEit.bat file and select 'edit'. That will open the file as an empty text file - copy and paste this line into the blank file:

move %WinDir%\System32\WINOEK.DLL %SystemDrive%\junkxxx\WINOEK.DLL

Save the file and close. The next step will cause a restart. Still in the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

On restart, open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log1.txt - post its contents in your next reply.



Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

If that happens, skip that step and proceed this way instead. In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the WINOEK.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log1.txt - post its contents in your next reply.


#5 Swede

Swede

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 July 2004 - 08:34 AM

From log1.txt:

*** freeatlast100.100free.com ***
2004-07-03 4:30pm up 0 days, 0:01
Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894-Q831167
Filsystemet är av typen NTFS.
C: är inte skadad.

***LOG1!***
Scanning for file(s) in System32...
(1)
(2)
**File C:\FINDnFIX\LIST.TXT
(3)
No matches found.
No matches found.
(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
* Scanning for moved file... *
\\?\C:\junkxxx\WINOEK.222 +++ File read error
C:\junkxxx\WINOEK.222 +++ File read error
C:\JUNKXXX\
winoek.222 Wed 2004-04-28 22.37.20 A...R 57 344 56,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57 344 bytes 56,00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\JUNKXXX\WINOEK.222
fgrep: can't open input C:\JUNKXXX\WINOEK.222
A----R WINOEK .222 0000E000 22:37.20 28/04/2004
move %WinDir%\System32\WINOEK.DLL %SystemDrive%\junkxxx\WINOEK.DLL
-ra-- - - - - - 57,344 04-28-2004 winoek.222
A R C:\junkxxx\WINOEK.222
File: <C:\junkxxx\WINOEK.222>
Permissions:
C:\junkxxx\WINOEK.222 Alla:(särskild behörighet:) SYNCHRONIZE FILE_EXECUTE
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administratörer
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT INSTANS\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x SIF1\Ägaren
Allow 0000000B -co- 10000000 ---A ---- ---- \SKAPARE ÄGARE
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Användare
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Användare
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Användare
Owner: SIF1\Ägaren
Primary Group: SIF1\Ingen
Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administratörer
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT INSTANS\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \SKAPARE ÄGARE
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Användare
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Användare
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Användare
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Alla
Owner: BUILTIN\Administratörer
Primary Group: NT INSTANS\SYSTEM
File "C:\junkxxx\WINOEK.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Alla
Owner: SIF1\Ägaren
Primary Group: SIF1\Ingen
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Användare
(ID-IO) ALLOW Read BUILTIN\Användare
(ID-NI) ALLOW Full access BUILTIN\Administratörer
(ID-IO) ALLOW Full access BUILTIN\Administratörer
(ID-NI) ALLOW Full access NT INSTANS\SYSTEM
(ID-IO) ALLOW Full access NT INSTANS\SYSTEM
(ID-IO) ALLOW Full access SKAPARE ÄGARE
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Användare
Full access BUILTIN\Administratörer
Full access NT INSTANS\SYSTEM
Notepad check....
C:\WINDOWS\
notepad.exe Fri 2001-09-07 14.00.00 A.... 66 560 65,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66 560 bytes 65,00 K
C:\WINDOWS\SYSTEM32\
notepad.exe Fri 2001-09-07 14.00.00 A.... 66 560 65,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66 560 bytes 65,00 K
C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Fri 2001-09-07 14.00.00 A.... 66 560 65,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66 560 bytes 65,00 K
--a-- W32i APP SVE 5.1.2600.0 shp 66,560 09-07-2001 notepad.exe
Language 0x041d (Svenska)
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Anteckningar
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Operativsystemet Microsoft Windows
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. Med ensamrätt.
VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( W h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s 0 vk =pswapdisk h
00001250: X vk R TransmissionRetryTimeout vk
00001290: ' USERProcessHandleQuota j h X
000012D0: vk S AppInit_DLLsm 3
00001310:
00001350:
00001390:
000013D0: m s c o r e e . d l l
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
----------
WIN.TXT
fAppInit_DLLs֍GC
----------
NEWWIN.TXT
AppInit_DLLsm
**File C:\FINDnFIX\NEWWIN.TXT
a x 0 > G Windowsskwx x ! ! ? ? vk UDeviceNotSelectedTimeout1 5 (W h vk ' zGDIProcessHandleQuota"9 0 vk Spooler2y e s 0vk =pswapdisk h X vk RTransmissionRetryTimeoutvk ' USERProcessHandleQuotajh X vk S AppInit_DLLsm 3 m s c o r e e . d l l w C : \ W I N D O W S \ S y s t e m 3 2 \ n t d l l . d l l
ar, Read-only and Hidden set $ /D+ find Directories only /D- files only, no Direct
**File C:\FINDnFIX\NEWWIN.TXT
000012F0: 01 00 00 00 01 00 53 00 . 5F 44 4C 4C 73 6D 00 33 ......S. _DLLsm.3
**File C:\FINDnFIX\NEWWIN.TXT
a x 0 > G Windowsskwx x ! ! ? ? vk UDeviceNotSelectedTimeout1 5 (W h vk ' zGDIProcessHandleQuota"9 0 vk Spooler2y e s 0vk =pswapdisk h X vk RTransmissionRetryTimeoutvk ' USERProcessHandleQuotajh X vk S AppInit_DLLsm 3

#6 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 03 July 2004 - 08:41 AM

Open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hitting 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done. Rescan with HJT and post a new log in your next reply.

#7 Swede

Swede

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 July 2004 - 09:03 AM

I can't delete the entire FINDnFIX folder. The file WINOEK.333 has a write protection and I can't change that. What to do?

#8 Swede

Swede

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 July 2004 - 04:08 PM

Daemon, I'm not able to download CWShredder 1.59.1 either. No connection with the server for the whole day. (I have 1.57.0 on my computer.) Still cannot delete WINOEK.333. Reg/Jonas

#9 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 03 July 2004 - 04:14 PM

You need to restart in Safe mode in order to have access to security tab on files and folders in "XP HOME EDITION"

How to take ownership of a file or folder in Windows XP

In Safe mode:

-Right-click on WINOEK.333 / Properties / Advanced / Security / Permissions and take ownership, giving yourself 'Full control'.

-Right-click the 'junkxxx' folder itself and hit Properties.

-Go to the security tab and click the advanced button. Check the box to reset permissions on all child objects. Hit apply. OK your way out.

-Delete 'junkxxx' folder

Try here for the latest version of CWShredder:

http://www.downloads.../CWShredder.exe

#10 Swede

Swede

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 03 July 2004 - 04:53 PM

Daemon,

This is like hitting free-throws all the way ...

Here's the new log:

Logfile of HijackThis v1.97.7
Scan saved at 00:48:59, on 2004-07-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\NORTON~1\navapw32.exe
C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program\Microsoft IntelliType Pro\type32.exe
C:\Program\Microsoft IntelliPoint\point32.exe
C:\Program\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\iD2\CSP\iD2CertMover.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\id2scaps.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\Program\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#11 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 04 July 2004 - 03:19 AM

I assume you recognise your IE start page entry? Otherwise everything looks OK - how is it running now?

#12 Swede

Swede

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 04 July 2004 - 10:57 AM

Yes, my start page entry is correct! It seems to be running perfect. Haven't seen any signs of "bad things"! (and I saw a lot of them until yesterday...) I really!!! appreciate all the help you have given me. Best regards and tusen tack from Sweden! Jonas :wavey:

#13 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 04 July 2004 - 11:48 AM

You're welcome - glad to help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)

The subject of the email must be "Reopen". Include your post username and details about why you need it reopened, with a valid link to your post.
