
Wintools Problem - NEW One - Please Help

Discussion in 'Security and Privacy' started by Soccerguy, 2004/06/20.

Thread Status:
Not open for further replies.
  1. 2004/06/25
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    _____________________________________________________
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Ahead\InCD\InCDsrv.exe ****
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE ****
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe ??????????
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\Ati2evxx.exe ????
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe ????
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe ????
    C:\Program Files\Ahead\InCD\InCD.exe ****
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\ATI Multimedia\main\ATISched.EXE ????
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Qualcomm\Eudora\Eudora.exe ****
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe ****
    C:\Program Files\Qualcomm\Eudora\Plugins\Spamnix\spamnix.exe ****
    C:\Program Files\America Online 9.0\waol.exe ****
    C:\Program Files\America Online 9.0\shellmon.exe ****
    C:\Program Files\Common Files\Aol\aoltpspd.exe ****
    C:\HiJack This\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    ________________________________________________________

    My thoughts.

    There is a lot of stuff loading that is not really needed by the system. I would suggest stopping all things marked with ****.

    The items followed by ???? I have no idea what they are.

    Note.

    MAKE SURE that the Recycle Bin has been emptied completely, including any and all Norton Protected files, before shutting down Norton Protection. I have had that cause me problems.

    It would not surprise me one bit if AOL was not causing problems.

    Unless my education has been wrong, if you have to go to Safe Mode to delete a file it means the file is being used by somebody/something. And furthermore, if you do delete it and it keeps coming back, I believe that proves it.

    I honestly think you are going to have to start shutting down EVERYTHING that is not needed by the system (Eudora, InCD, AOL and such) until HOPEFULLY you find what is reloading the file.

    BillyBob
     
    Last edited: 2004/06/25
  2. 2004/06/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Very good possibility a TROJAN is what keeps reloading the files, which is why I have asked repeatedly for a RAV scan. :rolleyes:
     

  4. 2004/06/25
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    That is also VERY possible. And it would (I believe) also explain the need to go to Safe Mode to delete a file.

    Also I see that the two latest log files appear to be different. There are things (AOL for one) in the latest that are not in the earlier one.

    This inconsistency does not help in solving things. Get the system down to THE BASIC needs at startup and go from there.

    Am I thinking along the wrong lines there?

    BillyBob
     
  5. 2004/06/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I suggest these for removal.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C8A0BFF3-7AB7-487E-B8CA-0CBC783B37A4} - C:\WINDOWS\System32\aefofib.dll

    Then Disable System Restore XP, and use MoveOnBoot to delete C:\WINDOWS\System32\aefofib.dll. Now reboot and go into Safe Mode and delete all files in C:\DOCUMENT AND SETTINGS\Justin\LOCAL SETTINGS\Temp. Then reboot in Normal and then enable System Restore and reboot to get a 'clean' restore point.
    If something does show up again, the online scan is definitely in order as suggested before. I do see that you have Norton installed, but you do not seem to understand that Norton can be compromised; some viruses and trojans immediately target it. A second or third opinion is a very good idea.
    RAV Online Scan
    Online Trojan Scan
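The two rules markp62's removal list relies on can be written down and run over a log. What follows is an added example for this thread, not code from the forum or from HijackThis: a small Python triage of R0/R1 and O2 lines that flags an IE search or start page redirected to a file:// URL inside a Temp folder, and an unnamed BHO loaded from System32 (or registered for a DLL that is already gone), while leaving the Google Toolbar entries for a human to confirm. The sample lines are the ones posted in this thread; the `about:blank` HomeOldSP entry is only marked for review, and the verdict wording is my own.

```python
"""Triage of HijackThis R0/R1 and O2 entries.

Added example for this thread (not code from the forum or from HijackThis):
it applies two rules to sample log lines, an IE search/start page redirected
to a file:// URL in a Temp folder, and an unnamed BHO loaded from System32,
and says what to do with each line."""
import re
from typing import Optional, Tuple

# Constructed sample: the entries flagged in this thread plus two legitimate
# Google Toolbar lines, so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C8A0BFF3-7AB7-487E-B8CA-0CBC783B37A4} - C:\WINDOWS\System32\aefofib.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, reason) for an R0/R1/O2 line; None for any other section."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        value = m.group("value").strip().lower()
        # A browser start/search page should be an http(s) URL, not a local
        # HTML file, and never one dropped into a Temp directory.
        if value.startswith("file://") and "\\temp\\" in value:
            return ("remove", "IE search/start page redirected to a local file in a Temp folder")
        if value == "about:blank":
            return ("review", "start page reset to about:blank, typical residue of the same hijack")
        return ("ok", "")
    m = O2_LINE.match(line)
    if m:
        name, path = m.group("name"), m.group("path").lower()
        if m.group("missing"):
            return ("remove", "BHO registration points at a DLL that no longer exists")
        if name == "(no name)" and "\\system32\\" in path:
            return ("remove", "unnamed BHO loading a DLL from System32")
        if name == "(no name)":
            return ("review", "unnamed BHO; confirm the vendor of the DLL before keeping it")
        return ("ok", "")
    return None


def triage_log(text: str) -> list:
    """All non-'ok' findings as (verdict, line, reason), in log order."""
    findings = []
    for raw in text.splitlines():
        result = triage_line(raw)
        if result and result[0] != "ok":
            findings.append((result[0], raw.strip(), result[1]))
    return findings


if __name__ == "__main__":
    for verdict, line, reason in triage_log(SAMPLE_LOG):
        print(f"{verdict:7} {line}\n        {reason}")
```

Run it against a pasted log and the "remove" lines are the ones to tick in HijackThis; the "review" lines need a look at the DLL's vendor first, which is exactly the judgement call the helpers in this thread are making by hand.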
     
  6. 2004/06/26
    Soccerguy

    Soccerguy Inactive Thread Starter

    Joined:
    2004/06/20
    Messages:
    36
    Likes Received:
    0
    Here's my RAV Log for the scan

    Scan started at 6/25/2004 8:35:19 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\win.exe - Trojan:Win32/StartPage.GH -> Infected
    C:\WINDOWS\system32\aefofib.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\WINDOWS\system32\calsdr.dll - TrojanDownloader:Win32/Rameh.B -> Infected
    C:\WINDOWS\system32\infamous_downloader.exe - TrojanDownloader:Win32/Small -> Infected
    C:\Documents and Settings\Justin\Application Data\Qualcomm\Eudora\Trash.mbx->(part0006:)->(IFRAME0001) - HTML/IFrame_Exploit* -> Infected
    C:\Documents and Settings\Justin\Application Data\Qualcomm\Eudora\In.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Program Files\Qualcomm\Eudora\Saved.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP13\A0000553.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP13\A0000588.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP13\A0000592.exe->(UPXW) - Trojan:Win32/Dialer.BH -> Suspicious
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP13\A0000594.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP13\A0000595.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP14\A0002622.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP15\A0002657.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP15\A0002658.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP15\A0002659.dll - Trojan:Win32/StartPage.IX -> Infected

    Scanned
    ============================
    Objects: 53734
    Directories: 5513
    Archives: 3324
    Size(Kb): 1489594
    Infected files: 13

    Found
    ============================
    Viruses found: 5
    Suspicious files: 3
    Disinfected files: 0
    Mail files: 379
     
  7. 2004/06/26
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You need to disable System Restore, most of the infected files are in there, and XP is putting them back from there. After you disable, reboot. Then delete these files in Safe Mode.
    C:\WINDOWS\win.exe
    C:\WINDOWS\system32\aefofib.dll
    C:\WINDOWS\system32\calsdr.dll
    C:\WINDOWS\system32\infamous_downloader.exe
    Reboot into Normal, and make sure those files are gone. Then enable System Restore and reboot.
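Mark's point about restore points is worth making mechanical. The following is an added example for this thread, not the forum's or RAV's own code: a Python script that reads the "path - detection -> verdict" lines RAV printed and sorts them into live files, messages inside an .mbx mail store, and cached copies under System Volume Information, because each bucket needs a different cleanup step (Safe Mode or on-next-boot delete, cleanup inside the mail client, and disabling System Restore). The sample report is shortened from the RAV log posted above; the bucket names are mine.

```python
"""Sort an online-scanner report by where each detection lives.

Added example for this thread, not code from the forum or from RAV. It reads
the 'path - detection -> verdict' lines RAV printed and separates live files,
mailbox members and System Restore cached copies, since each needs a
different cleanup step."""
import re
from collections import Counter

# Constructed sample, shortened from the RAV output posted in this thread.
SAMPLE_RAV = r"""
Scan started at 6/25/2004 8:35:19 AM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\win.exe - Trojan:Win32/StartPage.GH -> Infected
C:\WINDOWS\system32\aefofib.dll - Trojan:Win32/StartPage.IX -> Infected
C:\Documents and Settings\Justin\Application Data\Qualcomm\Eudora\Trash.mbx->(part0006:)->(IFRAME0001) - HTML/IFrame_Exploit* -> Infected
C:\Documents and Settings\Justin\Application Data\Qualcomm\Eudora\In.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP13\A0000553.dll - Trojan:Win32/StartPage.IX -> Infected
C:\System Volume Information\_restore{42929B41-783D-40E5-BD25-8F4BC8ED21E5}\RP13\A0000592.exe->(UPXW) - Trojan:Win32/Dialer.BH -> Suspicious

Scanned
============================
Objects: 53734
"""

# One detection line: <path[->member...]> - <detection name> -> Infected|Suspicious
DETECTION = re.compile(r"^(?P<object>.+?) - (?P<name>\S+) -> (?P<verdict>Infected|Suspicious)$")


def classify(path: str) -> str:
    """Bucket a file path by the cleanup step it needs."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"   # purged only by turning System Restore off
    if p.endswith(".mbx"):
        return "mailbox"              # a message inside the mail store, not a loose file
    return "live file"                # delete in Safe Mode or on next boot


def parse_report(text: str) -> list:
    """Return one dict per detection line; headers and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue
        obj = m.group("object")
        # '->' introduces an archive or mail-part member inside the file
        path, sep, member = obj.partition("->")
        rows.append({
            "path": path,
            "member": member if sep else "",
            "name": m.group("name"),
            "verdict": m.group("verdict"),
            "location": classify(path),
        })
    return rows


def summarize(rows) -> Counter:
    return Counter(r["location"] for r in rows)


def live_files(rows) -> list:
    """Paths to remove by hand, deduplicated and sorted."""
    return sorted({r["path"] for r in rows if r["location"] == "live file"})


def mailboxes(rows) -> list:
    """Mail stores that need cleaning from inside the mail client."""
    return sorted({r["path"] for r in rows if r["location"] == "mailbox"})


if __name__ == "__main__":
    rows = parse_report(SAMPLE_RAV)
    print(summarize(rows))
    print("delete in Safe Mode / on next boot:", live_files(rows))
    print("clean inside the mail client:", mailboxes(rows))
```

The restore-point count is the number that matters for the advice above: while it is non-zero, deleting the live copies alone will not hold, because System Restore can hand a cached copy back.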
     
  8. 2004/06/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do in this order.

    Install Move-on-Boot. You will have a new right click option for files. Open C:\WINDOWS, right click on win.exe, and select delete on next boot. Do the same for aefofib.dll, infamous_downloader.exe and calsdr.dll in C:\WINDOWS\system32.

    You have 3 in your mail. 1 in the trash can, 1 in the inbox and 1 saved. Get rid of them.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Now reboot and scan again with HJT, then post the log.
     
  9. 2004/06/26
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Also as a suggestion or two.

    Stop Eudora from loading at startup.

    As suggested, clean out the System Restore files (before doing anything more).

    Clean out the Eudora MailBoxes. ALL OF THEM.

    Make sure all of those references to Eudora ***.MBX files are deleted also. They MAY NOT delete with Eudora loaded.

    Now that I see "Trojan:Win32/StartPage.IX" it may well have come from E-MAIL. I do recall seeing "StartPage" in an E-Mail thru MailWasher.

    Then after this cleanup be more careful with E-MAIL. I have had several in the last few days that AVG said were suspicious. MailWasher just sent them Bye-Bye.

    A note from one who came CLOSE to creating trouble for himself.

    "Unless you are 100% sure where it came from DO NOT OPEN E-MAIL."

    BillyBob
     
    Last edited: 2004/06/26
  10. 2004/06/27
    Soccerguy

    Soccerguy Inactive Thread Starter

    Joined:
    2004/06/20
    Messages:
    36
    Likes Received:
    0
    Here's my latest scan log from RAV... If I want to fix the files that it is suspicious of, how do I do that? Will deleting those trash and inbox files delete my mail from Eudora???

    Scan started at 6/27/2004 9:25:06 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\system32\fdokil.dll - Trojan:Win32/StartPage.IX -> Infected
    C:\Documents and Settings\Justin\Application Data\Qualcomm\Eudora\Trash.mbx->(part0006:)->(IFRAME0001) - HTML/IFrame_Exploit* -> Infected
    C:\Documents and Settings\Justin\Application Data\Qualcomm\Eudora\In.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    C:\Program Files\Qualcomm\Eudora\Saved.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
     
  11. 2004/06/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open your email mailbox. Delete the contents of the trash folder. There is an email in the inbox and one in the saved folder, probably with an attachment, that is possibly infected. Possibly even the same message in both. Try to locate and verify. If you right click one you suspect (an attachment) and select 'save target', then direct it to be saved on the desktop, you can then scan it with RAV by selecting 'scan a file' and navigating to it: C:\Documents and Settings\Justin\Desktop\filename. You could also scan it with Norton. If you locate the suspicious emails and are still unsure what to do about them, feel free to PM me and I will give you my email address, to which you could forward me a copy, and I will check it/them out.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Open C:\WINDOWS\system32 and delete the file fdokil.dll.

    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.

    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, you can re-enable system restore.

    **Please run another HJT scan and post the log.
     
  12. 2004/06/28
    Soccerguy

    Soccerguy Inactive Thread Starter

    Joined:
    2004/06/20
    Messages:
    36
    Likes Received:
    0
    HJT Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:30:58 PM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\ATI Multimedia\main\ATISched.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\Qualcomm\Eudora\Eudora.exe
    C:\Program Files\Qualcomm\Eudora\Plugins\Spamnix\spamnix.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\Common Files\Aol\aoltpspd.exe
    C:\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1D230670-72D2-41B1-9E8F-E911873926FA} - C:\WINDOWS\System32\fdokil.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe "
    O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1087710431399
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38157.2087615741
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99310310-A351-4A94-8E8B-C12FB17EBE19}: NameServer = 205.188.146.146
     
  13. 2004/06/28
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Remove these entries

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    O2 - BHO: (no name) - {1D230670-72D2-41B1-9E8F-E911873926FA} - C:\WINDOWS\System32\fdokil.dll

    Open Windows Explorer by right clicking on the Start Button and selecting Explore. Immediately go to the toolbar at Tools\Folder Options, then click on View tab. Select to Show All Files, now scroll down and put a check mark in View Protected System Files, and Yes you want to enable this.
    Navigate to C:\DOCUMENTS AND SETTINGS\Justin\LOCAL SETTINGS\Temp\
    Then go to the Toolbar at Edit\Select All. Then right click on those files and select Delete. If any files remain, reselect those and use MoveOnBoot to delete them.
    Delete this file using MoveOnBoot.
    C:\WINDOWS\System32\fdokil.dll
     
  14. 2004/06/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Rescan with HJT when you've done what Mark suggested. If the entries are back, do the following.

    Place a check beside the following item and click fix.

    O2 - BHO: (no name) - {1D230670-72D2-41B1-9E8F-E911873926FA} - C:\WINDOWS\System32\fdokil.dll



    Download About:Buster from either of the following locations.

    http://www.atribune.org/downloads/AboutBuster.zip
    or
    http://tools.zerosrealm.com/AboutBuster.zip

    Close ALL Internet Explorer windows. This is a very important step!!

    Unzip to its own folder. Open and double click AboutBuster.exe. Click OK, then Start, then OK. Wait for it to finish, then copy the report to Notepad and save.

    Reboot and run another HijackThis scan. Post the log along with the report from About:Buster.
     
  15. 2004/06/29
    Soccerguy

    Soccerguy Inactive Thread Starter

    Joined:
    2004/06/20
    Messages:
    36
    Likes Received:
    0
    New HJT Log...I did what you said and no luck...how do I fix my mailboxes in Eudora? I don't want to lose important emails of mine - how can I determine which email is infected?

    Logfile of HijackThis v1.97.7
    Scan saved at 2:10:58 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\ATI Multimedia\main\ATISched.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HiJack This\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {F9833F01-006D-4F16-947E-7518BC45F768} - C:\WINDOWS\System32\fdokil.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe "
    O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  16. 2004/06/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, now that the dll is gone, let's try fixing these entries again with HijackThis. Scan again and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Justin\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {F9833F01-006D-4F16-947E-7518BC45F768} - C:\WINDOWS\System32\fdokil.dll (file missing)

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Now in safe mode, you will need to show hidden files and folders.

    Open C:\Documents and settings\Justin\Local Settings\temp, select all and delete.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, you can re-enable system restore.
    Run another HijackThis scan and post the log.

    Assume you ran About:Buster, but where's the log I asked for? Did you get any errors?

    Did you empty the trash folder in your email? Do you have anything in your inbox that you also have a copy of in the saved folder? Try running RAV again and click 'scan a folder' then navigate to the saved folder. C:\Program Files\Qualcomm\Eudora\Saved.mbx If you have to select 'scan a file' and see if it will let you navigate to the individual saved files and scan each one.
     
  17. 2004/06/30
    Soccerguy

    Soccerguy Inactive Thread Starter

    Joined:
    2004/06/20
    Messages:
    36
    Likes Received:
    0
    Hey all,

    Thanks for the continued help. Just when I thought I had this virus kicked, it came back! It seems to keep producing these bogus .dll files in the /system32/ dir, and when I delete the .dll in safe mode, it makes a new one the next time I boot. This virus is a major pain and I just want it to be fixed. Any NEW ideas....I do think the infected file has to do w/ my Eudora mail, but if I delete the whole (Eudora) saved.mbx file, will that destroy all of my mail?

    About:Buster didn't give me any errors...

    PLEASE HELP ...I'm at the end of my rope w/ this virus
     
  18. 2004/06/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  19. 2004/06/30
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Mark, that sounds like a good way to delete files in use. Apparently I have been sleeping and never saw that before. Can you give some more detail?
     
  20. 2004/06/30
    Soccerguy

    Soccerguy Inactive Thread Starter

    Joined:
    2004/06/20
    Messages:
    36
    Likes Received:
    0
    Here's the log from that file you asked me to run:


    »»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    The type of the file system is FAT32.
    C: is not dirty.

    Wed 06/30/2004
    3:15pm up 0 days, 7:23

    »»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\SQLKEBI.DLL +++ File read error
    \\?\C:\WINDOWS\System32\SQLKEBI.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    SQLKEBI.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    sqlkebi.dll Thu Jun 10 2004 8:50:20p ....R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\SQLKEBI.DLL
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group JUSTIN\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) ' "Network Security Service ", "__NS_Service_3 "...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Aug 23 2001 12:00:00p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\
    notepad.exe Thu Aug 23 2001 12:00:00p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Thu Aug 23 2001 12:00:00p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-1148)
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx "
    Permissions:
    NA

    Auditing:
    NA

    Owner: \Everyone

    Primary Group: \Everyone



    »»»»»»Backups created...»»»»»»
    3:21pm up 0 days, 7:29
    Wed 06/30/2004

    A C:\FINDnFIX\winBack.hiv
    --a-- - - - - - 8,192 06-30-2004 winback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 06-30-2004 winkey.reg

    »»Performing 16bit string scan....

    ---------- WIN.TXT
    fùAppInit_DLLsÖÂæG¸Ã¿Ãƒ¿Ãƒ¿C
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "
    "DeviceNotSelectedTimeout "= "15 "
    "GDIProcessHandleQuota "=dword:00002710
    "Spooler "= "yes "
    "swapdisk "=" "
    "TransmissionRetryTimeout "= "90 "
    "USERProcessHandleQuota "=dword:00002710

    Windows
    AppInit
    UDeviceNotSelectedTimeout
    zGDIProcessHandleQuota "
    Spooler2
    =pswapdisk
    TssionRetryTimeout
    USERProcessHandleQuota "
    DSVWj

    **File C:\FINDnFIX\WIN.TXT
            À^ÉÃØÿÿÿvk @ Ø   fùAppInit_DLLsÖÂæG¸Ã¿Ãƒ¿Ãƒ¿C : \ W I N D O W S \ S y s t e m 3 2 \ s q l k e b i . d l l D 5  ° Ãÿÿÿvk  X   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  Ø(ÃWðÿÿÿ9 0  ! Ãÿÿÿvk  €'   zGDIProcessHandleQuota "þÃ*ÿÿÿvk  È   °ÂºSpooler2ðÿÿÿy e s À  ° ( x ¨ ð Ã*ÿÿÿvk  €   =pswapdiskÃÿÿÿvk  h   R¿TransmissionRetryTimeoutÃ*ÿÿÿ° ( x ¨ ð  ` Ãÿÿÿvk  €'   0 USERProcessHandleQuota" p éÆ U‹Ã¬jÿÿ5Ê1 ÿ5ä1 d¡ Pd‰% QQÿ%T2 èâ¾ YÆ’eü è¼E ‰Ã±Ãƒ¨Ãƒ´,
    
     
  21. 2004/06/30
    noahdfear
    This will take a couple or more steps to fix.
    Be sure to follow the next set of steps carefully, in
    the exact order specified:


    -Open the FINDnFIX\Keys1 subfolder!
    - Locate the "MOVEit.bat" file, right-click on
    it, select->Edit:
    The file will open as a text file.
    -Copy and paste the entire highlighted line in the following quote box
    (all one line) into the 'MOVEit' file, replacing its contents:
    Be sure to replace the text in the file with
    the command above!

    -Save the file and close.

    *Get ready to restart your computer:
    -In the same folder, double-click on the "FIX.bat" file.
    You will be prompted by a popup alert to restart in 15 seconds.
    -Allow it to restart the computer!

    -On restart, navigate to the
    C:\FINDnFIX\ main folder:
    -Double-click on the "RESTORE.bat" file.

    It will run and produce a new log named log1.txt. Post it here!
     