about:blank Problem log attach .. Help


Some service or exe keeps creating a windows.dat file.... This one is really pissing me off!!! Any help would be great.

Doug

Logfile of HijackThis v1.99.1

Scan saved at 9:47:16 PM, on 11/28/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe

C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Doug\Desktop\HijackThis2.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133152909209

O19 - User stylesheet: C:\WINDOWS\windows.dat


Hello rocksteady and Welcome! :D

Sorry you are having malware trouble.

You have a rootkit that is causing your problem, and there are a few hoops to jump through in order to completely eliminate this infection, but I need to see your entire HijackThis log. This infection is causing the O4 entries of the log to be missing.

1.) Please enable all hidden files and folders in Windows. For instructions click here

2.) Download the eScan Antivirus Toolkit here.

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

3.) Download and install the latest version of Ad-Aware SE here

NOTE: If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.

Please configure the program by following these instructions here.

Before scanning click on "Check for updates now" to make sure you have the latest reference file.

Please do not run a scan with Ad-Aware yet.

4.) Please download RegSrch.vbs here. Save it to your desktop.

5.) Copy the contents of the Quote Box to Notepad. Name the file ExtraSystemService3.bat, change the Save as Type to All Files, and save the file on the desktop. Please DO NOT include the word QUOTE when saving the file.

@echo off
rem Stop the rootkit's service and unregister it before touching its files.
rem The pause lets you read the result of "sc stop" before the delete runs.
sc stop ExtraSystemService3
pause
sc delete ExtraSystemService3
rem Switch to the system drive, then to the Windows folder.
%systemdrive%
cd %WinDir%
rem Clear the read-only, system and hidden attributes so del can remove the files.
attrib -r -s -h windows.dat
del windows.dat
cd system32\drivers\
attrib -r -s -h systemsvr.sys
del systemsvr.sys

Now double-click on ExtraSystemService3.bat

6.) Please reboot into Safe Mode. For instructions click here

Get into Safe Mode using the F8 key on your keyboard:

1.) Locate the F8 key on your keyboard and then reboot your PC (Start, Shutdown, Restart).
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with the Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up/down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and, when you are done, reboot the PC back into normal mode (Windows).

7.) From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:

1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are checked.
4.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed.

8.) From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier. Make sure "Perform full system scan" is checked, let it scan the hard drive, and delete all entries it finds. Run the program a second time.

9.) Reboot the PC back into Windows, open RegSrch.zip, extract it, and double-click RegSrch.vbs. In the search window enter windows.dat and click OK. After the scan, click File, Save As, name the file martfinder.txt and save it to your desktop. Now do another search: enter styles in the search window and click OK. When the search has completed, open the martfinder.txt file, scroll down to the bottom of the windows.dat search results, and copy and paste the results of the styles search into martfinder.txt. Please post another HijackThis log with the results of the RegSrch scan here for review.

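The reply above works from two things visible in the posted log: an O19 entry forcing a "user stylesheet" onto Internet Explorer from C:\WINDOWS\windows.dat, and a complete absence of O4 startup entries. As an added example that is not part of the original thread and not HijackThis code, here is a small Python triage script that parses a HijackThis 1.99.1 log and flags exactly those patterns. The embedded sample input is Doug's first log as posted (the already-truncated update.microsoft.com URL is left as it appears); the finding codes, severity labels and the "user profile" process heuristic are this example's own assumptions, not HijackThis conventions.

```python
"""Triage a HijackThis log for the about:blank / windows.dat symptoms in this thread.
Added example, not part of the forum posts or of HijackThis; codes and severities are
this script's own conventions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the first log posted in the thread, reproduced as posted.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:47:16 PM, on 11/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Doug\Desktop\HijackThis2.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133152909209
O19 - User stylesheet: C:\WINDOWS\windows.dat
"""

# "O19 - User stylesheet: C:\WINDOWS\windows.dat" -> ("O19", "User stylesheet: C:\...")
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# A file sitting directly in the Windows folder, e.g. C:\WINDOWS\windows.dat
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
# Executables launched from a user profile rather than Windows or Program Files
PROFILE_RE = re.compile(r"\\(Documents and Settings|Users)\\", re.I)
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


@dataclass
class Finding:
    severity: str
    code: str
    detail: str


@dataclass
class HjtLog:
    processes: list[str] = field(default_factory=list)
    entries: dict[str, list[str]] = field(default_factory=dict)  # "O19" -> bodies


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into its process list and its Rx/Fx/Nx/Oxx entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the first entry line ends the process list
            log.entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_processes:
            log.processes.append(line)
    return log


def triage(log: HjtLog) -> list[Finding]:
    """Flag the patterns the reply in the thread reacts to, most severe first."""
    findings: list[Finding] = []
    # O19 overrides the stylesheet IE applies to every page, which is how about:blank
    # hijackers inject content. A legitimate user stylesheet is a .css the user chose;
    # a .dat dropped into %WINDIR% is the malware pattern seen in this thread.
    for body in log.entries.get("O19", []):
        path = body.split(":", 1)[1].strip() if ":" in body else body
        suspicious = not path.lower().endswith(".css") or WINDIR_RE.match(path)
        findings.append(Finding("high" if suspicious else "medium", "O19",
                                f"IE user stylesheet forced to {path}"))
    # No O4 (Run/RunOnce) entries at all: the posted log is incomplete or the
    # startup entries are being hidden, which is what the reply suspects.
    if not log.entries.get("O4"):
        findings.append(Finding("high", "O4",
                                "no O4 startup entries; log truncated or hidden by a rootkit"))
    # Processes running out of a user profile deserve a look; HijackThis itself
    # appears here because it is run from the Desktop.
    for proc in log.processes:
        if PROFILE_RE.search(proc):
            findings.append(Finding("info", "PROC", f"running from a user profile: {proc}"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.code}: {f.detail}")
```

Run against the sample it reports the O19 stylesheet and the missing O4 section as high, and lists HijackThis2.exe as an informational hit; a clean log with O4 entries and no O19 produces no findings.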

SirJon,

YOU ARE THE MAN !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanks So Much !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Great Instructions !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I Believe it worked !!!!!!

Question: what is your favorite toolbar (Yahoo, Google, Microsoft, Other)?

Thanks Again

Doug

The first file did not seem to attach ...

Thanks Again

Logfile of HijackThis v1.99.1

Scan saved at 8:46:51 PM, on 11/30/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe

C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Doug\Desktop\HijackThis2.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133152909209

martfinder.txt


Unfortunately, we are not out of the woods with this thing yet.

Now copy the contents of the Quote Box to Notepad. Name the file rootkit.bat, change the Save as Type to All Files, and save the file on the desktop. Please DO NOT include the word QUOTE when saving the file.

@echo off
rem Append the service stop/delete results to report.txt on the system drive.
sc stop ExtraSystemService3 >>%SystemDrive%\report.txt
pause
sc delete ExtraSystemService3 >>%SystemDrive%\report.txt
rem Silently import clear.reg from the system drive (the .reg file is not shown in this thread).
regedit.exe /s %SystemDrive%\clear.reg
rem /d also switches drive, in case the batch is run from another volume.
cd /d %windir%
attrib -r -s -h windows.dat
del windows.dat
cd system32\drivers\
attrib -r -s -h systemsvr.sys
del systemsvr.sys
rem Record anything that survived so report.txt shows whether the cleanup worked.
If exist %windir%\system32\drivers\systemsvr.sys echo. systemsvr.sys is still present>>%SystemDrive%\report.txt
If exist %windir%\windows.dat echo. windows.dat is still present>>%SystemDrive%\report.txt
echo Finished, now restart your PC.
rem Pause so the message can be read before the window closes.
pause
exit

Now double-click on rootkit.bat

This batch file will generate a text file called report.txt. Save this file to your desktop.

Download "silent runners" from here.

For instructions click here.

1.) Save it to the desktop in a new folder named SilentRunners.
2.) Double-click silentrunners.vbs; it will scan for a few minutes and create a log file in the SilentRunners folder. This log file will be called "startup programs <computername>date".
3.) Copy and paste the log here in this thread for review.

NOTE: If you get "script warning" from your antivirus program, please allow the entire script to run. It is not malicious; it is just making a log file of items in your startups and other registry information.

Now please copy and paste the contents of report.txt and the silent runners log here in this thread for review.
