about:blank ..... the fixes don't work for me

  1. #1
    DJNafey, UK site moderator


    Hi guys - I pride myself on my secure, smooth-running systems but some bu**er has got me good 'n' proper here!

    I was hit with the About:Blank problem a couple of days ago. I've been looking through different posts trying to take bits and pieces of advice for other people and use them to work out my own problem but, each time I think I've cracked it, it comes back as soon as I reload IE6.

    I've reset the home page in Control Panel, then changed the keys for it in the registry, checked the Registry for Run, RunOnce, RunServices, etc. I can see the cause of what it's doing - using sp.html in the Temp folder and all that. I can delete the things that I think it's using to do it - the reg keys etc. What I can't do is work out where the hell it's starting from!

    Can someone help me out please? I've tried AboutBuster v1.25 and some other spyware checker that was well-rated on Download.com. I've got rid of anything that I think looks suspicious in the HijackThis report but it keeps coming back. My Norton Internet Security 2004 and Norton Anti-Virus 2004 are bang up-to-date but, after looking at 53,000 files on my C:\ drive, they reckon there's nothing wrong.

    Here's my fresh HJT log (you'll see that I've edited a couple of reg keys - Local Page - that it isn't changing so they aren't an issue, and you may notice that a dodgy IP address that it keeps trying to connect to is the last entry in the list):

    Logfile of HijackThis v1.97.7
    Scan saved at 00:35:13, on 09/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    E:\My Documents\Downloads, updates and drivers\Applications\Utilities\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\my documents\web site\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\my documents\web site\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btopenworld.com/
    O2 - BHO: (no name) - {96249F38-CF90-4C91-A47E-0DCFDD5000CD} - C:\WINNT\system32\igon.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [OLP-Tray] c:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: http://www.symantec.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB8E62F2-45A0-4F99-B052-A2665448FB0F}: NameServer = 194.74.65.85 194.72.9.55
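    As an added example (not part of the thread, and not code from HijackThis), the Python below is a small triage of R0/R1, O2 and O17 lines in the log format shown above. It flags the pattern this thread is about, Internet Explorer search and start settings pointing at a local file:// page, and also the HomeOldSP value and an unnamed BHO loading from the system directory, which are the same entries this thread's HijackThis fix list covers. The sample lines are copied from the log above; the function names and severity labels are my own.

```python
import re

# Constructed sample: lines copied from the HijackThis v1.97 log in this thread
# (a subset, not the whole log).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\my documents\web site\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btopenworld.com/
O2 - BHO: (no name) - {96249F38-CF90-4C91-A47E-0DCFDD5000CD} - C:\WINNT\system32\igon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB8E62F2-45A0-4F99-B052-A2665448FB0F}: NameServer = 194.74.65.85 194.72.9.55
"""

# R0/R1: "R1 - HIVE\key,value name = data"
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),([^=]+?) = (.*)$")
# O2: "O2 - BHO: name - {CLSID} - path"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O17: "O17 - HKLM\...\{GUID}: NameServer = a.b.c.d e.f.g.h"
O17_LINE = re.compile(r"^O17 - .*?: NameServer = (.*)$")


def triage_hjt(log_text):
    """Return a list of findings, each a dict with severity, item and why."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            _kind, hive, key, name, value = m.groups()
            item = f"{hive}\\{key},{name}"
            if value.lower().startswith("file://"):
                # IE's search and start settings normally hold http(s) URLs or
                # about:blank; a file:// page under Temp is the about:blank hijack.
                findings.append({"severity": "high", "item": item,
                                 "why": "IE setting redirected to a local file: " + value})
            elif name == "HomeOldSP":
                findings.append({"severity": "medium", "item": item,
                                 "why": "non-default value; the thread's fix list removes it "
                                        "together with the file:// entries"})
            continue
        m = O2_LINE.match(line)
        if m:
            bho_name, clsid, dll = m.groups()
            # Legitimate BHOs in this log carry a name or live under Program Files;
            # an unnamed one loading straight from system32 deserves a look.
            if bho_name == "(no name)" and "\\system32\\" in dll.lower():
                findings.append({"severity": "medium", "item": f"BHO {clsid}",
                                 "why": "unnamed BHO loading from the system directory: " + dll})
            continue
        m = O17_LINE.match(line)
        if m:
            findings.append({"severity": "info", "item": "NameServer",
                             "why": "DNS servers in use: " + m.group(1)
                                    + " (compare against the ISP's published resolvers)"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:6}] {f['item']}: {f['why']}")
```

    The O17 line is reported as information only: the log cannot say whether a resolver address is legitimate, so the check is to compare it with the ISP's published DNS servers rather than to treat any address as bad.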


  2. #2
    DJNafey, UK site moderator
    By the way, I've removed quite a few little apps that I don't use very often this evening to try and make this log easier to read - it was a lot longer than that earlier on but I've still got the problem!

  3. #3
    owen, D-A-L Team Member (UK)
    It happens to us all, I'm afraid. You have to be on the ball to catch 'em out. Unfortunately you don't seem to have any spyware detection programs. Have a read of the Protect your PC For Free thread at the top of the Spyware, Adware and Viruses forum to download some. You have to be careful with spyware detection programs from Download.com; quite a lot of them are rogue scanners.

    About:Buster doesn't work on this variant; it requires another tool known as FindNFix. Instructions are below.

    Restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\my documents\web site\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = e:\my documents\web site\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {96249F38-CF90-4C91-A47E-0DCFDD5000CD} - C:\WINNT\system32\igon.dll

    Click Fix Checked

    Then click here to download FindnFix.exe. Double-click on FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done, post the contents of Log.txt back here.

  4. #4
    DJNafey, UK site moderator
    I hardly know anything about spyware really but I haven't installed any spyware detectors because, as you say, many of them are actually spyware themselves. I ought to take a look at those that are recommended here though.

    OK, I've cleared those entries from HiJackThis, downloaded FINDnFIX and run the batch file. The log is below. In going back into Internet Explorer to get back to this forum, I noticed that the home page is now a proper About:Blank page - completely empty, not the spyware version. I'm hoping that means I'm sorted. However, I'm going to post my log here before I reboot just in case I never get back on!

    Thanks for your quick response Owen - your help is much appreciated.

    ---------------------------------------------------------------
    Microsoft Windows 2000 [Version 5.00.2195]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q837009-Q832894
    The type of the file system is FAT32.
    C: is not dirty.

    Fri 09/07/2004
    12:40am up 0 days, 0:15

    »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINNT\System32\LOGJD.DLL +++ File read error
    \\?\C:\WINNT\System32\LOGJD.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    LOGJD.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINNT\SYSTEM32\
    logjd.dll Tue 6 Jul 2004 13:22:30 ....R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\LOGJD.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINNT\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... LOGJD.DLL .....57344 06.07.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINNT\SYSTEM32\
    logjd.dll Tue 6 Jul 2004 13:22:30 ....R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\LOGJD.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group P4-2400\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.

    »» Service searchdifferent variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINNT\
    notepad.exe Tue 22 Jun 2004 14:15:18 A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\
    notepad.exe Tue 22 Jun 2004 14:15:16 A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\DLLCACHE\
    notepad.exe Tue 22 Jun 2004 14:15:18 A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K
    --a-- W32i APP ENU 5.0.2140.1 shp 50,960 06-22-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft(R) Windows (R) 2000 Operating System
    ProductVersion 5.00.2140.1
    FileVersion 5.00.2140.1
    LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050000:085c0001 (5.0:2140.1)
    ProdVer: 00050000:085c0001 (5.0:2140.1)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000


    »»»»»»Backups created...»»»»»»
    12:41am up 0 days, 0:16
    Fri 09/07/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-09-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-09-2004 winkey.reg

    C:\FINDNFIX\
    JUNKXXX Fri 9 Jul 2004 12:40:44 .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: ?
    00001190: 8 @
    000011D0: vk 8 AppInit_DLLs C : \ W I N N T \ s
    00001210:y s t e m 3 2 \ l o g j d . d l l vk h
    00001250eviceNotSelectedTimeout 1 5 h vk '
    00001290: GDIProcessHandleQuota vk Spooler
    000012D0: y e s vk swapdisk vk 0
    00001310: TransmissionRetryTimeout 9 0 h vk '
    00001350: USERProcessHandleQuota
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    AppInit_DLLs
    --------------
    --------------
    C:\WINNT\system32\logjd.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINNT\system32\logjd.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
    0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
    0020 32 00 5c 00 6c 00 6f 00 67 00 6a 00 64 00 2e 00 | 2.\.l.o.g.j.d...
    0030 64 00 6c 00 6c 00 00 00 | d.l.l...
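    The hex dump just above is the part of this log that matters: the "Dumping Values" section earlier in the same log shows AppInit_DLLs as empty, yet the raw value holds a DLL path. As an added example (not part of the thread and not FindNFix's own code), the Python below reconstructs the bytes from a dump in that format, checks the offsets and the reported 56-byte length, decodes the UTF-16-LE REG_SZ data, lists the DLLs AppInit_DLLs would load, and shows what a byte-oriented string reader sees when it stops at the first zero byte. The key-size reference numbers are the ones FindNFix printed in this log; the function names are mine.

```python
import re

# Constructed sample: the AppInit_DLLs bytes exactly as the FindNFix log in the
# thread printed them, wrapped in a Python string.
SAMPLE_DUMP = r"""
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
0020 32 00 5c 00 6c 00 6f 00 67 00 6a 00 64 00 2e 00 | 2.\.l.o.g.j.d...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
"""

HEX_LINE = re.compile(r"^([0-9a-fA-F]{4}) ((?:[0-9a-fA-F]{2} )+)\|")
SIZE_LINE = re.compile(r"reports as (\d+) bytes")


def parse_dump(text):
    """Return (reported_size, raw_bytes) from a FindNFix-style hex dump.

    Offsets are checked so that a dropped or duplicated dump line is noticed
    instead of silently yielding a shorter or longer value.
    """
    reported = None
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        m = SIZE_LINE.search(line)
        if m:
            reported = int(m.group(1))
            continue
        m = HEX_LINE.match(line)
        if m:
            offset = int(m.group(1), 16)
            if offset != len(raw):
                raise ValueError(f"dump offset {offset:#06x} does not follow {len(raw):#06x}")
            raw += bytes.fromhex(m.group(2).strip())
    return reported, bytes(raw)


def decode_reg_sz(raw):
    """Decode REG_SZ data (UTF-16-LE) and report whether it carries its terminator."""
    terminated = len(raw) % 2 == 0 and raw.endswith(b"\x00\x00")
    text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return text, terminated


def narrow_view(raw):
    """What a byte-oriented C-string reader sees: it stops at the first zero byte."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def analyse_dump(text):
    reported, raw = parse_dump(text)
    value, terminated = decode_reg_sz(raw)
    # AppInit_DLLs accepts several entries separated by spaces or commas.
    dlls = [p for p in re.split(r"[ ,]+", value) if p]
    return {
        "reported_size": reported,
        "actual_size": len(raw),
        "size_matches": reported == len(raw),
        "terminated": terminated,
        "value": value,
        "dlls": dlls,
        "narrow_view": narrow_view(raw),
        "verdict": ("review: every DLL listed here is loaded into each process that "
                    "loads user32.dll" if dlls else "empty: nothing is injected"),
    }


# Reference sizes FindNFix printed in this log for the 'Windows' key: default 450,
# no AppInit_DLLs value 398, and 448/504/512 as sizes it associates with the
# hijack. These are that tool's heuristics, reproduced from the log.
KEY_SIZE_NOTES = {450: "default", 398: "no AppInit_DLLs value present"}
SUSPECT_KEY_SIZES = {448, 504, 512}


def classify_key_size(size):
    if size in KEY_SIZE_NOTES:
        return KEY_SIZE_NOTES[size]
    if size in SUSPECT_KEY_SIZES:
        return "matches a size FindNFix associates with the hijack"
    return "unlisted size; inspect the value dump directly"


if __name__ == "__main__":
    for key, val in analyse_dump(SAMPLE_DUMP).items():
        print(f"{key:14} {val}")
    print("key size 448:", classify_key_size(448))
```

    The point of the narrow view is the lesson behind this log: a registry value is a byte sequence with a type tag, and any tool that renders it through a narrower string path than the one the loader uses can show it as blank. Dumping the bytes, as FindNFix does, is the check that cannot be fooled that way.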
    

  5. #5
    owen, D-A-L Team Member (UK)
    I'm afraid we are not quite finished yet. You still have a locked DLL file on your system, so it's likely to come back.

    Be sure to follow the next set of steps carefully, in the exact order specified:

    - Open the FINDnFIX\Keys1 subfolder.
    - Locate the "MOVEit.bat" file, right-click on it and select Edit. The file will open as a text file.
    - Copy and paste the following line into the 'MOVEit' file, replacing its contents:

    move %WinDir%\System32\LOGJD.DLL %SystemDrive%\junkxxx\LOGJD.DLL

    Be sure to replace the text in the file with the command above!

    - Save the file and close.

    *Get ready to restart your computer:
    - In the same folder, double-click on the "FIX.bat" file.
    You will be prompted by a popup alert to restart in 15 seconds.
    - Allow it to restart the computer!

    - On restart, navigate to the C:\FINDnFIX\ main folder.
    - Double-click on the "RESTORE.bat" file.

    It'll run and produce a new log (log1.txt); post it here.

  6. #6
    DJNafey, UK site moderator
    Erm, I didn't actually have a MOVEIT.bat file in C:\FINDnFIX or any of its subdirectories. However, as your instructions said to overwrite all of the text in it with the new command, I assumed it was safe enough to make my own MOVEIT.bat, which I've now done and copied the command in.

    I'm about to run FIX.bat and wait for the reboot. Hopefully I'll be back in a few minutes!

  7. #7
    owen, D-A-L Team Member (UK)
    Yeah, creating one should be fine, as long as it's in the right directory.

  8. #8
    DJNafey, UK site moderator
    Feeling a bit better now Doc. Am I cured yet?!


    Fri 09/07/2004
    7:22pm up 0 days, 0:13

    Microsoft Windows 2000 [Version 5.00.2195]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q837009-Q832894
    The type of the file system is FAT32.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»
    \\?\C:\WINNT\System32\LOGJD.DLL +++ File read error
    C:\WINNT\System32\LOGJD.DLL +++ File read error

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT
    LOGJD.DLL Can't Open!

    »»»»»»» (3) »»»»»»»

    C:\WINNT\SYSTEM32\
    logjd.dll Tue 6 Jul 2004 13:22:30 ....R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K
    Unknown/hidden files...

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\LOGJD.DLL

    »»»»»(5)»»»»»
    **File C:\WINNT\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... LOGJD.DLL .....57344 06.07.2004

    »»»»»»» Search by size...


    C:\WINNT\SYSTEM32\
    logjd.dll Tue 6 Jul 2004 13:22:30 ....R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\LOGJD.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»*»»» Scanning for moved file... »»»*»»»



    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


    File not found - C:\FINDnFIX\junkxxx\*.*

    »»Permissions:
    There are no more files.

    ERROR: There are no more files.

    Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
    NA

    Auditing:
    NA

    Owner: \Everyone

    Primary Group: \Everyone

    Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
    NA

    Auditing:
    NA

    Owner: \Everyone

    Primary Group: \Everyone


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINNT\\system32\\logjd.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = C:\WINNT\system32\logjd.dll

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Notepad check....

    C:\WINNT\
    notepad.exe Tue 22 Jun 2004 14:15:18 A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\
    notepad.exe Tue 22 Jun 2004 14:15:16 A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\DLLCACHE\
    notepad.exe Tue 22 Jun 2004 14:15:18 A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K
    --a-- W32i APP ENU 5.0.2140.1 shp 50,960 06-22-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft(R) Windows (R) 2000 Operating System
    ProductVersion 5.00.2140.1
    FileVersion 5.00.2140.1
    LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050000:085c0001 (5.0:2140.1)
    ProdVer: 00050000:085c0001 (5.0:2140.1)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    00001150: ?
    00001190: P
    000011D0: vk DeviceNotSelectedTimeout 1 5 h
    00001210: LastUrl vk ' GDIProcessHandleQuota
    00001250: vk p Spooler y e s vk
    00001290: swapdisk vk TransmissionRetryTimeout
    000012D0: 9 0 h vk ' USERProcessHandleQuota
    00001310: vk 8 8 AppInit_DLLs C : \ W I N N T \ s
    00001350:y s t e m 3 2 \ l o g j d . d l l
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- NEWWIN.TXT
    AppInit_DLLs
    --------------
    --------------
    --------------
    C:\WINNT\system32\logjd.dll

  9. #9
    owen, D-A-L Team Member (UK)
    Nearly there now. These are the last steps to clean it up now it's fixed:

    - Open the FINDnFIX\Files2 subfolder.
    - Run the "ZIPZAP.bat" file. It will quickly clean the rest, make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions: simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit it to the specified addresses! Thanks!

    When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\, and be sure the C:\junkxxx folder was deleted (as part of the cleanup process).


    Now run CWShredder
    Click Fix, don't just scan. Let it fix everything it asks about.

    Next run Ad-Aware
    After installing Ad-Aware, and before running the program, first press "Check for updates now".
    Click "Connect" and install all updated components available. Click 'Finish'.
    Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Check all found items, and click 'next' once more.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Reboot, then post follow up hijackthis log when done!

  10. #10
    DJNafey, UK site moderator
    OK, done all of that. Had to re-install Download Accelerator Plus in order to get Ad-Aware to download - Download.com and Lavasoft.de both timed out trying to find the file on their servers for some reason - DAP found me some mirror sites to get it from.

    CWShredder found CWS.Jksearch on my PC.

    Ran Ad-Aware - it removed a couple of registry entries and 50 cookies.

    Have just created another HiJackThis log but I see that the suspicious IP address at the bottom of the list is still there!

    Also, I submitted my FINDnFIX log file to the email addresses and I just got a reply back saying:

    Your file was identified but never moved!
    You are still very much infected and whoever assisted you didn't provide the correct steps.
    Could you email me back the forum or message board where you received help?
    If you did this on your own*, it didn't work...


    I've definitely got control of my home page again so everything seems OK on that front.

    -------------------------------------------------------------------------

    Logfile of HijackThis v1.97.7
    Scan saved at 22:25:53, on 09/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
    E:\My Documents\Downloads, updates and drivers\Applications\Utilities\Spyware fixes\HijackThis.exe
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [OLP-Tray] c:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Run DAP (HKLM)
    O15 - Trusted Zone: http://www.symantec.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB8E62F2-45A0-4F99-B052-A2665448FB0F}: NameServer = 194.74.65.85 194.72.9.55
