How Do I Remove Cws.smartsearch.2


  • This topic is locked
12 replies to this topic

#1 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 15 July 2004 - 04:28 PM

Logfile of HijackThis v1.98.0
Scan saved at 3:39:05 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\PAL Evidence Eliminator\Cleaner.exe
C:\Program Files\PAL SPYREM\spyrem.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F6D124B1-76CA-4A98-91F8-97944AFEDC6A} - C:\WINDOWS\System32\gnn.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ PAL Evidence Eliminator] C:\Program Files\PAL Evidence Eliminator\Cleaner.exe
O4 - HKCU\..\Run: [Spyware Remover] C:\Program Files\PAL SPYREM\spyrem.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - {87C2D659-207B-4D7A-9455-B24D3750DC9C} - C:\WINDOWS\System32\gnn.dll
O18 - Filter: text/plain - {87C2D659-207B-4D7A-9455-B24D3750DC9C} - C:\WINDOWS\System32\gnn.dll
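
The script below is an added example, not code from this thread or from HijackThis. It applies the triage rules a helper reads off a log like the one above: R0/R1 search and start pages redirected to a file:// page under a Temp folder, an O2 BHO registered with "(no name)", and O18 MIME filters for text/html and text/plain that hand every rendered page to a DLL. The sample entries are copied from this log (infected) and from the post-cleanup log later in the thread; the rule names, severities and function names are this example's own and are not HijackThis output.

```python
"""Triage rules for a HijackThis log (added example; not HijackThis code).

Flags the three patterns that appear together in the infected log of this
thread: R0/R1 pages pointing at a file:// page under a Temp folder, an O2 BHO
with "(no name)", and O18 MIME filters for text/html or text/plain. Sample
entries are copied from the thread's logs; rule names and severities are
this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# R1 - <registry key>,<value name> = <value>
R_ENTRY = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
# O2 - BHO: <name> - {<clsid>} - <dll path>
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O18 - Filter: <mime type> - {<clsid>} - <dll path>
O18_ENTRY = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)

# Constructed sample: selected entries copied from the first log in this thread.
INFECTED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Fred\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F6D124B1-76CA-4A98-91F8-97944AFEDC6A} - C:\WINDOWS\System32\gnn.dll
O18 - Filter: text/html - {87C2D659-207B-4D7A-9455-B24D3750DC9C} - C:\WINDOWS\System32\gnn.dll
O18 - Filter: text/plain - {87C2D659-207B-4D7A-9455-B24D3750DC9C} - C:\WINDOWS\System32\gnn.dll
"""

# Constructed sample: selected entries copied from the post-cleanup log (#11).
CLEAN_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    entry: str     # the log line that triggered the rule
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return a finding for every R0/R1, O2 and O18 entry that matches a rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := R_ENTRY.match(line)):
            value = m["value"].strip()
            if value.lower().startswith("file://") and TEMP_DIR.search(value):
                findings.append(Finding("high", line,
                    "IE search/start page redirected to a local file in a Temp folder"))
            elif value.lower() == "about:blank":
                findings.append(Finding("review", line,
                    "page set to about:blank, the symptom reported in this thread"))
        elif (m := O2_ENTRY.match(line)):
            if m["name"].strip().lower() == "(no name)":
                findings.append(Finding("high", line,
                    "BHO registered without a name; identify the DLL before trusting it"))
        elif (m := O18_ENTRY.match(line)):
            if m["mime"].lower() in ("text/html", "text/plain"):
                findings.append(Finding("high", line,
                    "MIME filter for %s can rewrite every page IE renders" % m["mime"]))
    return findings


def dlls_referenced(findings: List[Finding]) -> Set[str]:
    """Distinct DLL paths named by high-severity O2/O18 findings."""
    paths: Set[str] = set()
    for f in findings:
        last = f.entry.rsplit(" - ", 1)[-1].strip()
        if f.severity == "high" and last.lower().endswith(".dll"):
            paths.add(last)
    return paths


if __name__ == "__main__":
    found = triage(INFECTED_LOG)
    for f in found:
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
    print("DLLs to examine:", sorted(dlls_referenced(found)))
    print("findings in clean log:", len(triage(CLEAN_LOG)))
```

On the infected sample the rules agree with what the thread's cleanup removed: the two O18 filters and the unnamed BHO all name the same DLL, and the post-cleanup log yields no findings.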



#2 Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • 3,521 posts

Posted 16 July 2004 - 12:56 PM

To anyone other than the originator of this topic: do not copy this thread and try to fix your system or anyone else's by following it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done, post the contents of Log.txt in this thread.

#3 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 18 July 2004 - 02:02 PM

When I click to get to FindFix.exe, all I get is a blank page, no program to download. What should I try next? Thanks, derf

#4 Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • 3,521 posts

Posted 18 July 2004 - 02:31 PM

Try here

#5 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 19 July 2004 - 09:43 AM

»»»»»»»»»»»»»»»»»»*** 100freeatlast.100free.com ***»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»
Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.
Mon 19 Jul 04 10:41:56
10:41am up 3 days, 16:39
»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria. You must know how to ID the file based on the filters provided in the scan, as not all the files flagged are bad. Ex: read only files, s/h files, last modified date. size, etc. The filters provided should help narrow down the list, and hopefully pinpoint the culprit. Along with that,registry scan logged at the end should match the corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the items on the scan results- I recommend using an alternative, once you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/19)»»»»»»»»»»»»»»»»
»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*
Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...
C:\WINDOWS\System32\WINAELJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINAELJ.DLL +++ File read error
»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
WINAELJ.DLL Can't Open!
»»»»» (*3*) »»»»»........
C:\WINDOWS\SYSTEM32\
winaelj.dll Wed Apr 28 2004 5:25:10p A...R 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
unknown/hidden files...
No matches found.
»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\WINAELJ.DLL
»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Ż Access denied ®
..................... WINAELJ.DLL .....57344 28.04.2004
»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\WINAELJ.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...
C:\WINDOWS\SYSTEM32\
winaelj.dll Wed Apr 28 2004 5:25:10p A...R 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
No matches found.
No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\WINAELJ.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
»»Size of Windows key: (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
»»Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
»»Member of...: (Admin logon required!)
User is a member of group DCKVY811\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
»»»»»»Backups created...»»»»»»
10:45am up 3 days, 16:42
Mon 19 Jul 04 10:45:26
A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-19-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-19-2004 winkey.reg
*Temp backups...
. .. keyback2.hi_ winkey2.re_
C:\FINDNFIX\
JUNKXXX Mon Jul 19 2004 10:41:54a .D... <Dir>
1 item found: 0 files, 1 directory.
»»Performing string scan....
00001150: vk @ f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ w i n a e l j . d l
000011D0:l Dist h vk UDeviceNotSelectedTimeout
00001210: 1 5 P 9 0 vk ' zGDIProce
00001250:ssHandleQuota" vk Spooler2 y e s _
00001290: h 0 ` vk 5swapdisk vk
000012D0: . TransmissionRetryTimeout h 0 `
00001310: vk ' " USERProcessHandleQuota0
00001350:1Q4 ~ P4
00001390: ~ P4 $ ~
000013D0: O4 P ~ N4
00001410: |  P N4 H
00001450: XK M4 p p VM4
00001490:  zL4 ,
000014D0:  -L4 X  IK4
00001510: J4
00001550: 8 J4 ` I4
00001590: # 0$ H4
000015D0: 4 : H4 `
---------- WIN.TXT
fůAppInit_DLLsÖŤćG¸˙˙˙C
--------------
--------------
$01180: AppInit_DLLs
$011F7: UDeviceNotSelectedTimeout
$01247: zGDIProcessHandleQuota
$012E0: TransmissionRetryTimeout
$01330: USERProcessHandleQuota0
--------------
--------------
C:\WINDOWS\System32\winaelj.dll
--------------
--------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
A handle was successfully obtained for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.
[AppInitDLLs] Ansi string : "C:\WINDOWS\System32\winaelj.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 61 00 | m.3.2.\.w.i.n.a.
0030 65 00 6c 00 6a 00 2e 00 64 00 6c 00 6c 00 00 00 | e.l.j...d.l.l...
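
The log above reads the same registry value two ways and gets two answers: the normal value dump prints AppInit_DLLs as an empty string flagged "MISSING TRAILING NULL CHARACTER", while the raw read reports a 64-byte value and dumps it. The following is an added example, not FINDnFIX code or anything from the thread: it parses the four hex-dump lines copied from the log, decodes them as the UTF-16LE string a REG_SZ is stored as, and checks that the byte count, the decoded path and the terminator agree with one another. The function names are this example's own.

```python
"""Decode a REG_SZ hex dump and check it for internal consistency
(added example; not FINDnFIX code).

A REG_SZ is stored as UTF-16LE text followed by a two-byte NUL, so a value
that "reports as 64 bytes, including the 2 for string termination" must hold
a 31-character string. The dump lines are copied from the FINDnFIX log in
this thread; everything else is this example's own.
"""
import re
from typing import Dict, List, Tuple

# Copied from the log: offset, 16 bytes in hex, "|", printable view.
HEXDUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 61 00 | m.3.2.\.w.i.n.a.
0030 65 00 6c 00 6a 00 2e 00 64 00 6c 00 6c 00 00 00 | e.l.j...d.l.l...
"""


def parse_hexdump(dump: str) -> bytes:
    """Rebuild the byte string; offsets must be contiguous or the dump is corrupt."""
    data = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        tokens = line.split("|", 1)[0].split()   # drop the printable column
        offset = int(tokens[0], 16)
        if offset != len(data):
            raise ValueError(f"gap or overlap at offset {offset:#x}")
        data.extend(int(tok, 16) for tok in tokens[1:])
    return bytes(data)


def decode_reg_sz(raw: bytes) -> Tuple[str, bool]:
    """Return (text up to the first NUL, whether the payload ends in a NUL)."""
    if len(raw) % 2:
        raise ValueError("REG_SZ payload must have an even number of bytes")
    terminated = raw.endswith(b"\x00\x00")
    # Win32 string APIs stop at the first NUL; anything after it is invisible.
    text = raw.decode("utf-16-le").split("\x00", 1)[0]
    return text, terminated


def split_appinit(text: str) -> List[str]:
    """AppInit_DLLs holds one or more DLL paths separated by spaces or commas."""
    return [p for p in re.split(r"[ ,]+", text) if p]


def analyse(dump: str) -> Dict[str, object]:
    """Compare the stored byte count with what the decoded string requires."""
    raw = parse_hexdump(dump)
    text, terminated = decode_reg_sz(raw)
    expected = (len(text) + 1) * 2            # UTF-16 code units plus the NUL
    return {
        "reported_bytes": len(raw),
        "expected_bytes": expected,
        "terminated": terminated,
        "consistent": terminated and len(raw) == expected,
        "dlls": split_appinit(text),
    }


if __name__ == "__main__":
    for key, value in analyse(HEXDUMP).items():
        print(f"{key:>15}: {value}")
```

A value whose stored length disagrees with its decoded string, or that lacks the terminator, is exactly the case where two registry tools will print different things for the same key; the check above makes that disagreement explicit instead of leaving it to eyeballing a dump.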

#6 Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • 3,521 posts

Posted 19 July 2004 - 01:05 PM

In the keys1 folder, double-click on FIX.bat. You will get an alert about 15 seconds before the reboot - allow it to reboot. On restart, open Explorer, navigate to the C:\Windows\System32 folder and find the WINAELJ.DLL file (it should be visible now). Highlight the file and, using the top menu, click Edit > Move to Folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, there will be a file called Log2.txt in the FINDnFIX folder - post its contents in your next reply.

#7 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 19 July 2004 - 07:54 PM

»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
Mon 19 Jul 04 20:56:33
8:56pm up 0 days, 0:15
Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.
»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»
This log will confirm if the file was successfully moved, and/or the right file was selected.
Scanning for file(s) in System32...
»»»»»»» (1) »»»»»»»
»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT
»»»»»»» (3) »»»»»»»
No matches found.
Unknown/hidden files...
No matches found.
»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
»»»»»(5)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
»»»»»(*6*)»»»»»
»»»»»»» Search by size...
No matches found.
No matches found.
No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
»»»*»»» Scanning for moved file... »»»*»»»
* result\\?\C:\FINDnFIX\junkxxx\WINAELJ.222
C:\FINDNFIX\JUNKXXX\
winaelj.222 Wed Apr 28 2004 5:25:10p A.... 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\FINDNFIX\JUNKXXX\WINAELJ.222
**File C:\FINDNFIX\JUNKXXX\WINAELJ.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ŕ.
A----- WINAELJ .222 0000E000 17:25.10 28/04/2004
--a-- W32i - - - - 57,344 04-28-2004 winaelj.222
A C:\FINDnFIX\junkxxx\winaelj.222
CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.
File name Size Date Time MD5 Hash
________________________________________________________________________
WINAELJ.222 57344 04-28-104 17:25 c185b36f9969d3a6d2122ba7cbc02249
File: <C:\FINDnFIX\junkxxx\winaelj.222>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
»»Permissions:
C:\FINDnFIX\junkxxx\winaelj.222 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DCKVY811\Fred
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: DCKVY811\Fred
Primary Group: DCKVY811\None
Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x DCKVY811\Fred
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: DCKVY811\Fred
Primary Group: DCKVY811\None
File "C:\FINDnFIX\junkxxx\winaelj.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Owner: DCKVY811\Fred
Primary Group: DCKVY811\None
C:\FINDnFIX\junkxxx\winaelj.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\winaelj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\winaelj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\winaelj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
»»Size of Windows key: (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =
»»Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' " USERProcessHandleQuota0 h X
000012D0: vk S AppInit_DLLsm 3 ' t
00001310: ( ) * + ,
00001350:- . / $ 0 4 1 D 2
00001390: T 3 4 5 6 7 $
000013D0: 8 4 9 D : T ; t <
00001410:= > ? $ @ 4 A D B
00001450: T C d D t E F G
00001490: H J K L
000014D0:M N $ O 4 P D Q T R
00001510: d S t T U V W
00001550:
---------- NEWWIN.TXT
AppInit_DLLsm
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota0
$012F0: AppInit_DLLsm
--------------
--------------
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISKVOLUME2\FINDNFIX\FILES2\XCACLS.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCRT4.DLL
O%\DEVICE\HARDDISKVOLUME2
\DEVICE\HARDDISKVOLUME2\
!\DEVICE\HARDDISKVOLUME2\FINDNFIX\
(\DEVICE\HARDDISKVOLUME2\FINDNFIX\FILES2\
\DEVICE\HARDDISKVOLUME2\WINDOWS\
)\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\
d.... 0 Jul 19 20:54 .
d.... 0 Jul 19 20:54 ..
....a 57344 Apr 28 17:25 winaelj.222
3 files found occupying 55296 bytes
CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk
C:\FINDNFIX\JUNKXXX
WINAELJ.222 : crc16=3138 crc32=D5C9FB2E
--------
C:\FINDNFIX\JUNKXXX\WINAELJ.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 5,734,400 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01
VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-19-:4 20:54|WINAELJ 222 57344 A 04-28-:4 17:25
.. <dir> 07-19-:4 20:54|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

#8 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 19 July 2004 - 07:56 PM

Added note from derf: I had to create a folder for junkxxx under findnfix as it was not present, or at least I could not find this subfile with Explorer. I did move winaelj.dll and then ran restore as instructed. The log is shown in the previous post.

#9 Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • 3,521 posts

Posted 20 July 2004 - 01:04 AM

OK, well done. Nearly there. Open the FINDnFIX folder again and open the Files2 folder. Double-click on ZIPZAP.bat. It will quickly clean the rest, make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit it to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hitting 'Fix' as opposed to 'Scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done. Rescan with HJT and post a new log in your next reply.

#10 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 20 July 2004 - 08:24 PM

Instructions have been followed and email sent with junkxxx attached. derf

#11 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 20 July 2004 - 08:41 PM

Logfile of HijackThis v1.98.0
Scan saved at 9:45:56 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\PAL Evidence Eliminator\Cleaner.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\PAL SPYREM\spyrem.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Netropa\OSD.exe
C:\My Download Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ PAL Evidence Eliminator] C:\Program Files\PAL Evidence Eliminator\Cleaner.exe
O4 - HKCU\..\Run: [Spyware Remover] C:\Program Files\PAL SPYREM\spyrem.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#12 derf

    New Member

  • Authentic Member
  • 15 posts

Posted 21 July 2004 - 09:00 AM

Daemon: The problem seems to be solved; my internet homepage is no longer being changed to "about blank". I have tested my internet startup several times without a problem. Thanks for all your help. This fix was the right one for me. Derf

#13 Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • 3,521 posts

Posted 21 July 2004 - 11:56 AM

You're welcome - glad to help :D

To help keep you clean, follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)

The subject of the email must be "Reopen". Include your post username and details about why you need it reopened, with a valid link to your post.
