Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HJT Log

Started by Gnilsia , Aug 13 2004 03:00 PM

  • Please log in to reply

#1
Gnilsia
Posted 13 August 2004 - 03:00 PM

Gnilsia

    New Member

  • Member
  • Pip
  • 3 posts
i'm not sure what the infection that's ruining my computer, about blank comes up everywhere and i cant read my emails anymore. i've tried downloading plenty of anti-spyware programmes, anyway this my hjt log
Logfile of HijackThis v1.98.1
Scan saved at 21:54:06, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\TBPanel.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
E:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xtray\xtray_link.exe
E:\program files\zango\zango.exe
E:\WINDOWS\mukqr.exe
E:\Program Files\webHancer\Programs\whAgent.exe
E:\Program Files\webHancer\Programs\whSurvey.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Warez P2P Client\warez.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Aisling\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\DOCUME~1\Aisling\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://E:\DOCUME~1\Aisling\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\DOCUME~1\Aisling\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://E:\DOCUME~1\Aisling\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://E:\DOCUME~1\Aisling\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://E:\DOCUME~1\Aisling\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - E:\Program Files\TV Media\TvmBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar3.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - E:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {F9BF22B0-4064-44E8-930A-ECE02F2FD74E} - E:\WINDOWS\System32\hde.dll
O3 - Toolbar: Startnow - {1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257} - E:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - E:\Program Files\zSearch\zSearch.dll
O4 - HKLM\..\Run: [Gainward] E:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] E:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [zSPGuard] e:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SpyBlocs] E:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [sgobkjhz] E:\WINDOWS\System32\dexwvbqc.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - HKLM\..\Run: [Spyware Stormer] E:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [zango] e:\program files\zango\zango.exe
O4 - HKLM\..\Run: [kvctr] E:\WINDOWS\mukqr.exe
O4 - HKLM\..\Run: [webHancer Agent] "E:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "E:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Wast] E:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [AdRoarUpdate] E:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [zSearch] E:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [TV Media] E:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [jopa] E:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [warez] "E:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [zSearch] E:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [TV Media] E:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Date Manager.lnk = E:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = E:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PrecisionTime.lnk = E:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://xxxtrayicon.com/xtrayinst.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.c...ionale_ver3.CAB
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessen...etupProject.cab
O16 - DPF: {99410CDE-6F16-42CE-9D49-3807F78F0287} (ZangoInstaller Class) - http://infinity.zang...b?productid=542
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...aler/604485.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-mo...t/cabs/mmed.cab
O18 - Filter: text/html - {9626E228-0745-4F2C-8293-45B912030505} - E:\WINDOWS\System32\hde.dll
O18 - Filter: text/plain - {9626E228-0745-4F2C-8293-45B912030505} - E:\WINDOWS\System32\hde.dll
  • 0

Advertisements

#2
ditto
Posted 13 August 2004 - 03:15 PM

ditto

    - i pwn n00bs -

  • Member
  • PipPipPipPip
  • 1,260 posts
This hijack is more difficult to remove than most, and requires a three step process, but hang with us and we'll get rid of it. <_<

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
then hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
  • 0

#3
Gnilsia
Posted 19 August 2004 - 08:53 AM

Gnilsia

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
thanks <_<
the value for AppInit_DLLs was E:\WINDOWS\System32\kbdk.dll

and the find n fix log is as follows


*** freeatlast100.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894-Q831167
The type of the file system is NTFS.
E: is not dirty.

16/08/2004
7:20pm up 0 days, 0:21

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...

E:\WINDOWS\System32\KBDK.DLL +++ File read error
\\?\E:\WINDOWS\System32\KBDK.DLL +++ File read error

(*2*) ........
**File E:\FINDnFIX\LIST.TXT
KBDK.DLL Can't Open!
MSREV23.DLL Can't Open!

(*3*) ........

E:\WINDOWS\SYSTEM32\
kbdk.dll Mon 10 May 2004 1:43:06 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> E:\WINDOWS\SYSTEM32\KBDK.DLL


(*5*)
**File E:\WINDOWS\SYSTEM32\DLLXXX.TXT
Access denied ..................... KBDK.DLL .....57344 10.05.2004
Access denied ..................... MSREV23.DLL .......446 01.07.2004

*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group HOMECOMPUTER\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Notepad check....

E:\WINDOWS\
notepad.exe Thu 23 Aug 2001 13:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

E:\WINDOWS\SYSTEM32\
notepad.exe Thu 23 Aug 2001 13:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

E:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Thu 23 Aug 2001 13:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "E:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x HOMECOMPUTER\Aisling
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: HOMECOMPUTER\Aisling

Primary Group: HOMECOMPUTER\None



Backups created...
7:21pm up 0 days, 0:22
16/08/2004

A E:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 08-16-2004 winback.hiv
A E:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 08-16-2004 winkey.reg

Performing string scan....
00001150: ?
00001190: ! vk : f AppInit_
000011D0:DLLs G E : \ W I N D O W S \ S y s t e m 3 2 \ k b d k . d
00001210:l l n vk P UDeviceNotSelectedTimeout
00001250: 1 5 @ 9 0 | vk ' zGDIProce
00001290:ssHandleQuota" vk Spooler2 y e s n
000012D0: p vk =pswapdisk vk
00001310: ` R TransmissionRetryTimeout p
00001350: X vk ' R USERProcessHandleQuota0 x
00001390: Q 2 ! ! p ! 6 3 ~ ! p H
000013D0: 2 p % `@ Q 2 ! ! p !
00001410: 6 3 ~ ! # | Q 2 p % % | ~ %`@ Q
00001450: 2 ! ! p ! 6 3 ~ ! 2 | `@
00001490: Q 2 ! ! p ! 6 3 ~ | !
000014D0:! `@ Q 2 ! ! p ! 6
00001510: 3 ~ | ! 2 | p ~ ! `@ Q 2 !
00001550:

---------- WIN.TXT
fAppInit_DLLs֍GE
--------------
E:\WINDOWS\System32\kbdk.dll
yes
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


**File E:\FINDnFIX\WIN.TXT
!vk :    fAppInit_DLLs֍GE : \ W I N D O W S \ S y s t e m 3 2 \ k b d k . d l l n   vk  P   UDeviceNotSelectedTimeout1 5  @ 9 0  | vk  '   zGDIProcessHandleQuota"vk     Spooler2y e s n    p   vk    =pswapdiskvk  `   RTransmissionRetryTimeout  p    X vk  '   R USERProcessHandleQuota0 x   Q2

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP