Tuesday, 15 February 2005
Fuck DBJ.exe
I finally got Pete's computer working last night at around 11 PM. The problems were due to a vast conspiracy including, but not limited to:
- A conflict between a DLink wireless card and his ASUS motherboard,
- TCP/IP and Winsock corruption that was a result of installing/uninstalling the aforementioned wireless card 14 or 15 times in hopes of making it work.
- A worm called wuamgre.exe.
- Another worm called dbj.exe.
After I figured out the DLink conflict and the TCP/IP/Winsock issue, it took me a long time to figure out the other problems. I would be on the internet for a few minutes and then all of a sudden I'd get a "Page Cannot Be Displayed" error. I could still ping out to other websites, but I couldn't get IE or Firefox to work properly. Rebooting or logging out and logging back in would give me another four or five minutes, but that was it. Eventually I found wuamgre and dbj, but it took many, many hours.
I suspect that I am one of the first people on Earth who has dealt with the dbj worm. A google search for "dbj.exe" turned up exactly two hits as of this morning at 9:06 AM. Searches for "dbj virus" and "dbj worm" had similar results.
For those who will come after me, I will post my HijackThis log and remedy after the break, but first I will preach:
It is absolutely imperative that you keep your system synchronized with the continuous barrage of Windows critical updates. Pete's computer was brand spanking new out of the box, and as soon as he turned it on there were TWELVE critical updates waiting to be installed. I suspect the worms that crippled his computer snuck in during the short interval between when he first connected to the net and when I got home a week later and installed the updates. A network worm doesn't need you to open anything: it scans for machines with an unpatched service listening, and a fresh install plugged straight into the internet can be found and infected within minutes. So the order matters: get a firewall between the box and the net first (a NAT router, or the built-in Windows Firewall), pull down every critical update through it, and only then use the machine normally.
If you should lapse on this, or get lazy, or decide that you're too cool for updates, you will be punished.
Now, for those poor saps infected with dbj, here's what I did to get rid of it:
If you don't already have it, you must first download a copy of HijackThis here.
Run HijackThis and check whether there are lines in there resembling these:
O4 - HKLM\..\Run: [ff] dbj.exe
O4 - HKLM\..\RunServices: [ff] dbj.exe
O4 - HKCU\..\Run: [ff] dbj.exe
If so, you must reboot into Safe Mode before attempting any fixes, so that nothing in the Run keys (the worm included) gets started. To do this, restart your computer and tap F8 repeatedly while it boots, before the Windows logo appears. You'll get a text-mode menu (the Windows Advanced Options Menu) listing the boot modes. Choose "Safe Mode".
Run HijackThis and check EVERY LINE with a reference to dbj.exe. When you're sure you've got them all, click "Fix checked" and HijackThis will remove those entries from the registry. Note that this only removes the autorun entries; the file itself is still sitting on disk, which is what the next step is for.
Next, go to Start->Search and search for files and folders named "dbj.exe". MAKE SURE you've got both "Search system folders" and "Search hidden files and folders" ticked under the advanced options in the search dialog, or the search will walk right past system32.
It should come up with a file named dbj.exe in C:\WINDOWS\system32\. Rename this file to "dbj.exeFUCKDBJ" (i.e. change the extension so that Windows no longer treats the file as executable). Or, if you're feeling really saucy, delete the file altogether (and remember to empty your Recycle Bin). If Windows tells you the file is in use, the worm is still running and you aren't really in Safe Mode; go back to the reboot step.
Now restart your computer, and that should do the trick. Once you're back in normal mode, run HijackThis again and make sure the dbj.exe lines are gone for good; if they come straight back, something else on the box is re-creating them and you haven't found all of it. On that note, look hard at any other O4 line that points at a bare filename with no path: in my log below, the two "[Microsoft Update] msconfg.exe" entries are not Microsoft's either (the real System Configuration Utility is msconfig.exe, and it never registers itself under Run or RunServices), so they get the same treatment. A worm that plants itself in system32 and adds itself to the Run keys is usually a bot with a backdoor, so if you can't identify exactly what you had, the only fix you can fully trust is a wipe and reinstall, patched before it ever touches the net again.
For completeness' sake here is my HijackThis log:
Scan saved at 10:41:17 PM, on 15/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\-\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ff] dbj.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [ff] dbj.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ff] dbj.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
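To show how to read a log like the one above, here is an added example (mine, not part of the original post and not a HijackThis feature) in Python: it parses the O4 autorun lines, flags any target that is a bare filename with no path or that is registered under more than one Run location, and expands HijackThis' abbreviated key names into the full registry paths so it can print the reg.exe command that removes each entry. The embedded sample is a constructed subset of the O4 lines from the log on this page; the KEY_MAP paths are the standard Windows Run key locations.

```python
"""
Triage the O4 (autorun) lines of a HijackThis log for worm-style persistence.

Two checks are applied to every Run/RunServices entry:
  1. the target is a bare filename with no directory (e.g. "dbj.exe"), so the
     log cannot tell you where it lives and Windows resolves it through the
     PATH search order;
  2. the same filename is registered under more than one Run location
     (HKLM Run, HKLM RunServices, HKCU Run), the belt-and-braces persistence
     pattern dbj.exe shows in the log on this page.
A flagged entry is a candidate to verify, not a verdict: legitimate bare
names such as SOUNDMAN.EXE or RUNDLL32.EXE are flagged by check 1 as well.
"""
import re
from collections import defaultdict

# HijackThis abbreviates the Run keys; these are the real registry paths.
# RunServices is only honoured by Windows 9x/ME; on XP it is inert, but a
# worm writing it anyway is still evidence and still worth deleting.
KEY_MAP = {
    r"HKLM\..\Run":         r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\..\RunServices": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\..\Run":         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\..\RunServices": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices",
}

# "O4 - HKLM\..\Run: [ff] dbj.exe"  ->  key, value name, command line
O4_RE = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\Run(?:Services)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed sample: a subset of the O4 lines from the log on this page.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ff] dbj.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\RunServices: [ff] dbj.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ff] dbj.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
""".strip().splitlines()


def executable_of(cmd):
    """Return the program part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_o4(lines):
    """Yield one record per Run/RunServices O4 line; other lines are skipped."""
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        yield {
            "key": m.group("key"),
            "name": m.group("name"),
            "exe": exe,
            "basename": exe.rsplit("\\", 1)[-1].lower(),
            "bare": "\\" not in exe,  # no directory component at all
        }


def triage(lines):
    """Group O4 entries by target file; return {basename: finding} for suspects."""
    by_file = defaultdict(list)
    for entry in parse_o4(lines):
        by_file[entry["basename"]].append(entry)
    findings = {}
    for basename, entries in by_file.items():
        reasons = []
        if any(e["bare"] for e in entries):
            reasons.append("unqualified path")
        if len({e["key"] for e in entries}) > 1:
            reasons.append("multiple Run locations")
        if reasons:
            findings[basename] = {"entries": entries, "reasons": reasons}
    return findings


def reg_delete_commands(finding):
    """reg.exe commands that remove every autorun value behind one finding."""
    return [
        'reg delete "%s" /v "%s" /f' % (KEY_MAP[e["key"]], e["name"])
        for e in finding["entries"]
    ]


if __name__ == "__main__":
    for basename, finding in triage(SAMPLE_LOG).items():
        print("%-14s %s" % (basename, "; ".join(finding["reasons"])))
        for cmd in reg_delete_commands(finding):
            print("    " + cmd)
```

Run as-is it reports on the sample; to triage a real log, pass the file's lines to triage(). On the sample, dbj.exe and msconfg.exe both trip the "multiple Run locations" check, which is the one worth acting on; SOUNDMAN.EXE and RUNDLL32.EXE trip only the bare-filename check and are there to remind you that a flag means "go and look", not "delete".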
As always, I assume no responsibility for your computer. This worked for me, but if you try my fix and it screws up your computer then tough shit. Don't even think about suing me.
Of course, if it works then I will accept your undying gratitude, your money and possibly your firstborn.
you WERE my first born. you summunagun.
Posted by: Darth | Feb 15, 2005 10:00:06 PM
I'll never rule the universe with you, helmethead.
Posted by: Luke | Feb 16, 2005 10:02:58 PM
