Temporary file access restricted? Wtf

Posted: 2005-05-27 06:39am
by Captain tycho
Yeah, so I booted up my comp a few minutes ago (home comp), and suddenly it's not letting me use AIM because of 'Error Loading C:\DOCU~1\ALEXAN~1.T3H\LOCALS~1\Temp\se.dll'
Already ran Spybot and HJT; here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:16 AM, on 05/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alexander.T3HUB3RCOMP\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ALEXAN~1.T3H\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ALEXAN~1.T3H\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4FB5E052-7983-474B-BC83-A355F0507989} - C:\WINDOWS\System32\amfj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemij32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B92F133-5814-4631-89F8-27EAA38BCAD8}: NameServer = 209.143.0.10 209.143.22.182
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B92F133-5814-4631-89F8-27EAA38BCAD8}: NameServer = 209.143.0.10 209.143.22.182
O18 - Filter: text/html - {5171C5B2-6E9A-44DE-8AC1-C3CA7429E44B} - C:\WINDOWS\System32\amfj.dll
O18 - Filter: text/plain - {5171C5B2-6E9A-44DE-8AC1-C3CA7429E44B} - C:\WINDOWS\System32\amfj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe (file missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ALEXAN~1.T3H\LOCALS~1\Temp\se.dll/spage.html
Look familiar? I tried deleting it, but it simply came back 2 seconds later.

Posted: 2005-05-27 11:16am
by GrandMasterTerwynn
To nuke spyware found with HJT, you have to start the computer in Safe Mode, so it won't load the spyware processes. The active processes will lock their parent files so you can't kill them. If they don't start, the files are unprotected and can be safely removed.

Posted: 2005-05-27 11:43am
by Datana
Captain tycho: It's as GrandMasterTerwynn says, plus most spyware these days will load multiple executables, each of which can restore all of the others. They also can hijack "default" IE screens like about:blank, create unkillable services, or link themselves into your TCP/IP stack and effectively hold your Internet connection hostage with a deadman switch. The last fortunately isn't the case with your log. Boot into Safe Mode and kill the following entries:

Code:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ALEXAN~1.T3H\LOCALS~1\Temp\se.dll/spage.html 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ALEXAN~1.T3H\LOCALS~1\Temp\se.dll/spage.html 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank 
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank 
O2 - BHO: (no name) - {4FB5E052-7983-474B-BC83-A355F0507989} - C:\WINDOWS\System32\amfj.dll
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemij32.exe
O18 - Filter: text/html - {5171C5B2-6E9A-44DE-8AC1-C3CA7429E44B} - C:\WINDOWS\System32\amfj.dll 
O18 - Filter: text/plain - {5171C5B2-6E9A-44DE-8AC1-C3CA7429E44B} - C:\WINDOWS\System32\amfj.dll
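A small triage script, added here as an example (it is not from the thread or from HijackThis itself), that applies the reasoning in Datana's post to the log entries above: IE R-entries pointing at res:// or about:blank, a BHO with no name, and then any entry that loads a file already flagged, which is how the two O18 filters sharing amfj.dll get swept in with the BHO. The system32 heuristic for O4 entries and the sample lines are constructed for this example.

```python
import re

# Constructed sample: entries copied from the HijackThis log in this thread
# plus two benign lines (NvCplDaemon, QuickTime) as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ALEXAN~1.T3H\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {4FB5E052-7983-474B-BC83-A355F0507989} - C:\WINDOWS\System32\amfj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemij32.exe
O18 - Filter: text/html - {5171C5B2-6E9A-44DE-8AC1-C3CA7429E44B} - C:\WINDOWS\System32\amfj.dll
O18 - Filter: text/plain - {5171C5B2-6E9A-44DE-8AC1-C3CA7429E44B} - C:\WINDOWS\System32\amfj.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A Windows path (long or 8.3 form, spaces allowed) up to the first .dll/.exe.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe)', re.IGNORECASE)
LOOSE_EXE_RE = re.compile(r"\\system32\\[^\\]+\.exe$")


def triage(log_text):
    """Return {entry: reason} for the HJT entries to remove or review."""
    entries = [m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m]
    verdict = {}
    # Pass 1: the direct indicators the thread points at.
    for code, body in entries:
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if code.startswith("R") and (value.startswith("res://") or value == "about:blank"):
            verdict[f"{code} - {body}"] = "IE search/home page hijack"
        elif code == "O2" and "(no name)" in body:
            verdict[f"{code} - {body}"] = "unnamed browser helper object"
    # Pass 2: the components come as a set, so any entry loading a file that is
    # already flagged (amfj.dll, shared by the BHO and both O18 MIME filters)
    # belongs to the same infection and is removed with it.
    bad_files = {p.lower() for e in verdict for p in PATH_RE.findall(e)}
    for code, body in entries:
        entry = f"{code} - {body}"
        files = [p.lower() for p in PATH_RE.findall(body)]
        if entry in verdict:
            continue
        if any(f in bad_files for f in files):
            verdict[entry] = "shares a file with a flagged entry"
        elif code == "O4" and any(LOOSE_EXE_RE.search(f) for f in files):
            # Heuristic, not proof: a Run key starting a bare .exe dropped
            # straight into system32 gets a human look rather than auto-removal.
            verdict[entry] = "review: Run entry launching a loose .exe from system32"
    return verdict
```

Run against the sample it flags the six entries Datana lists from this part of the log and leaves the NVIDIA and QuickTime controls alone; as with any such script, the verdicts are a starting point for a human check, not a replacement for one.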