• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
cavb212

popups/aboutblank hijack etc

19 posts in this topic

Hello, I read the faq, ran adaware and s&d, then ran hijack. The log follows this, basically I am riddled with mass pop ups, browser wont keep my home page (sets as about:blank) Any and all help is appreciated. Thanks

 

Logfile of HijackThis v1.97.7

Scan saved at 12:01:04 AM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINDOWS\system32\rundll32.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\BacsTray.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\documents and settings\bob\local settings\temp\2K.exe

C:\PROGRA~1\Fast Ref Amen\Bike axis.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\WINDOWS\kdx\KHost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MProcessor\mprocessor.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\WINDOWS\TEMP\adef.dat

C:\Documents and Settings\Bob\Application Data\ttuh.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hugesearch.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {DA581485-16EC-4749-AEC3-8111A0E72DBF} - C:\WINDOWS\System32\hglflda.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: loadcamp - {94D29647-7D1E-0B1A-0DF7-1AFBAC066204} - C:\PROGRA~1\Sendidle\view up.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [bacstray] BacsTray.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [2K] C:\documents and settings\bob\local settings\temp\2K.exe

O4 - HKLM\..\Run: [oneupload] C:\PROGRA~1\Fast Ref Amen\Bike axis.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O15 - Trusted Zone: http://www.mt-download.com

O15 - Trusted Zone: http://www.myexexex.com

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

Share this post


Link to post
Share on other sites

I downloaded and ran find and fix here is the report:

 

 

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Fri 06/25/2004

4:44pm up 0 days, 0:13

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\6FO4SVC.DLL +++ File read error

\\?\C:\WINDOWS\System32\6FO4SVC.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\FINDnFIX\LIST.TXT

MSDKLI.DLL Can't Open!

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

6fo4svc.dll Thu Jun 24 2004 12:05:50a ..SHR 316,776 309.35 K

ajaamon.dll Thu Jun 24 2004 12:05:50a A.SHR 316,776 309.35 K

ayptif.dll Thu Jun 24 2004 12:05:50a A.SHR 316,776 309.35 K

msdkli.dll Thu Jun 17 2004 12:14:32a A...R 57,344 56.00 K

 

4 items found: 4 files (3 H/S), 0 directories.

Total of file sizes: 1,007,672 bytes 984.05 K

 

C:\WINDOWS\SYSTEM32\

6fo4svc.dll Thu Jun 24 2004 12:05:50a ..SHR 316,776 309.35 K

ajaamon.dll Thu Jun 24 2004 12:05:50a A.SHR 316,776 309.35 K

ayptif.dll Thu Jun 24 2004 12:05:50a A.SHR 316,776 309.35 K

 

3 items found: 3 files, 0 directories.

Total of file sizes: 950,328 bytes 928.05 K

 

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\6FO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\AJAAMON.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\AYPTIF.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\MSDKLI.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group D46HHW31\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x D46HHW31\Bob

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: D46HHW31\Bob

 

Primary Group: D46HHW31\None

 

 

 

»»»»»»Backups created...»»»»»»

4:44pm up 0 days, 0:13

Fri 06/25/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-25-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-25-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLs±

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota3

AppInit

 

**File C:\FINDnFIX\WIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' b USERProcessHandleQuota3 àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk > Ë AppInit_DLLs± Æ  ÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s d k l i . d l l r v 1 . t m p . d l l ed§ 

 

 

I have no idea what this all means but if someone will help Im sure I can be easily walked through it.

 

Thanks,

 

Brian

Share this post


Link to post
Share on other sites

Thanks for helping this is my dads laptop and hes pretty disturbed. Here is the test result

 

Files Found---

C:\WINDOWS\System32\6fO4SVC.DLL

C:\WINDOWS\System32\AhSMSEXT.DLL

C:\WINDOWS\System32\AmCTRES.DLL

C:\WINDOWS\System32\ArAAMON.DLL

C:\WINDOWS\System32\AvLUI.DLL

C:\WINDOWS\System32\AxTXPRXY.DLL

 

 

Guardian Key--- is called: GuardianNAFHZ

Asynchronous 000

DllName C:\WINDOWS\system32\6fO4SVC.DLL

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {3698F2B7-7027-43E6-916E-D17C9565E4D4}

IDex CS3

 

User Agent String---

{3698F2B7-7027-43E6-916E-D17C9565E4D4}

 

 

 

 

Let me know what to do Thanks

Share this post


Link to post
Share on other sites

Ok...

You have a combination of pests there.

My FINDnFIX makes certain backups and in the current

state it's not advised to use them.

Delete the entire FINDnFIX from C:\

You will be downloading it again at a later stage...

 

First, run VX2 finder, select all files on the scan to be deleted!

 

You will be prompted to restart on one file file that can't be deleted.

Do so and scan again, be sure no files are showing in the:

-Files found-

Section.

 

Lastly, use all the tabs on the right pane to fix the rest:

-Guardian.reg

-Restore policy

-User agent

 

Restart your computer, run VX2finder

again and make sure all these sections are empty:

-Files Found---

-Guardian Key--- is called:

-User Agent String---

 

If so, next:

Go to Add/remove programs, find and uninstall:

-WinTools

-Window Search (or Window Searching)

 

Restart computer again, check in program

files and delete these folders :

-Sendidle

-Fast Ref Amen

From program files

-WinTools

From Program Files\Common files

Delete these files:

C:\WINDOWS\TEMP\adef.dat<

C:\Documents and Settings\Bob\

Application Data\ttuh.exe<

 

Go to start/run/type:

%temp%

 

Empty entire contents of temp folder!

 

Run hijackthis and fix checked:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [2K] C:\documents and settings\bob\local settings\temp\2K.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: http://www.mt-download.com

O15 - Trusted Zone: http://www.myexexex.com

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

 

Reboot again and into your next reply post

another hijackthis log, and last scan results from VX2finder!

 

If they turn up clean(er) we can proceed

with the FINDnFIX, not before!

Share this post


Link to post
Share on other sites

Ok here ishow things are going:

 

 

The folder WinTools was not there so I continued withyour notes despite that. I did however do a search and found the phrase WinTools in a textfile called "drwtsn32" any idea if this should go?

 

The file "C:\WINDOWS\TEMP\adef.dat" was not found.

 

 

I am gettingan access denied message when i try to delete ":\Documents and Settings\Bob\Application Data\ttuh.exe". Says makesure it is notwrite protected or still in use.

 

So I am stopping here for nowto await further instructions. I can not thank you enough for all the time you are taking. Hope to hear back soon

 

 

Regards,

 

Brian

Share this post


Link to post
Share on other sites

Drwatson is Windows debugger that logs crash events.

Nothing to do with it.

 

'Access deny' message means the file is inuse.

 

The logical thing to do is to open Taskmanager and

check the processes list:

 

If "ttuh.exe" is present, terminate the process and delete the file.

 

Another option is to restart in Safe mode when

most tasks are not active, find the aformentioned

pest and delete.

 

Providing all else was accomplished, post

fresh hijackthis log and last/current scan results from VX2 finder!

Share this post


Link to post
Share on other sites

Ok here is the recent fnf log:

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

 

 

 

 

 

 

Here is the hijack this log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:07:12 PM, on 6/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\BacsTray.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MProcessor\mprocessor.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Bob\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Bob\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Bob\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Bob\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Bob\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Bob\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hugesearch.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {FBCF6C4B-B9A0-427C-9EF7-5F4A23E26997} - C:\WINDOWS\System32\hglflda.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [bacstray] BacsTray.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Bob\Application Data\ttuh.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

 

 

 

Also I cant seem to delet the following file, despit booting in safe mode:

 

Perflib_Perfdata_4f0 (not sure if it is needed)

 

Thanks seems like we are making progress

 

Brian

Share this post


Link to post
Share on other sites

Perflib_xxx is not related and is part of Windows! :scratchhead:

 

Some progress, though not all was done:

 

Here is the hijack this log:

 

Logfile of HijackThis v1.97.7

 

Running processes:

 

...........................................

C:\Documents and Settings\Bob\Local Settings\

Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\

Bob\Application Data\ttuh.exe

 

First put hijackthis in a normal location.

Surely you know that it should not run from zip or temp internet files.

Any backups made are lost that way!

Next, if you deleted 'ttuh' from the Application Data folder, fix

checked the entries above with hijackthis.

I have no idea what that 'MProcessor' is, but it has no

version/properties and all I see are 'hits' on infected logs.

Unless known to you, restart computer and

delete the MProcessor folder from program files.

 

When the items above are no longer showing in hijackthis, proceed:

Download and install : "FINDnFIX.exe" from any of

the links in my signature.

 

Run the "!LOG!.bat" file, wait for the final output (log.txt)

post the results....

Share this post


Link to post
Share on other sites

ok all seems to be going well, here is the f&f log:

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

Mon 06/28/2004

2:54pm up 0 days, 0:14

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\MSDKLI.DLL +++ File read error

\\?\C:\WINDOWS\System32\MSDKLI.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

MSDKLI.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

msdkli.dll Thu Jun 17 2004 12:14:32a ....R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\MSDKLI.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group D46HHW31\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x D46HHW31\Bob

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: D46HHW31\Bob

 

Primary Group: D46HHW31\None

 

 

 

»»»»»»Backups created...»»»»»»

2:54pm up 0 days, 0:15

Mon 06/28/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-28-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-28-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLs±

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

zGDIProcessHandleQuota"

Spooler2

5swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota3

AppInit

 

**File C:\FINDnFIX\WIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' b USERProcessHandleQuota3 àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk > Ë AppInit_DLLs± Æ  ÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s d k l i . d l l r v 3 . t m p . d l l ed§ 

 

Thanks again for your patience with this :)

 

Brian

Share this post


Link to post
Share on other sites

Well done!

coast is clear to proceed..

 

Be sure to Follow the next set of steps carefully, in

the exact order specified:

 

 

-Open the FINDnFIX\Keys1 Subfolder!

- Locate the "MOVEit.bat" file, Right-Click

on it,select->edit:

The file will open as text file.

-Copy and paste the entire hilited line in the following quote box

(all one line) into the 'MOVEit' file, replacing it's contents:

move %WinDir%\System32\MSDKLI.DLL %SystemDrive%\junkxxx\MSDKLI.DLL

 

Be sure to Replace the text in the file with the command above!

 

-Save the file and close.

 

*Get ready to restart your computer:

-In the same folder, DoubleClick on the "FIX.bat" file.

You will be prompted by popup -Alert to restart in 15 seconds.

-Allow it to restart the computer!

 

-On restart, Navigate to:

C:\FINDnFIX\ main folder:

-DoubleClick on the "RESTORE.bat" file.

 

It'll run and produce new log. (log1.txt) post it here!

===================================

*Note:

Some *crippled version(s) of XP would not let you edit .bat files!

 

In case of any errors while editing the 'MOVEit' or no

edit options, etc

Don't follow the steps above but

Use the alternate steps in the following quote box:

*Get ready to restart:

- DoubleClick on the "FIX.bat" file in the 'FINDnFIX' folder.

-Wait for the  popup -Alert to restart your computer in 15 seconds.

 

On restart, navigate to System32 folder:

-Locate and select the "MSDKLI.DLL" file (as it will be visible)

And use the folder's top menu>edit>

move to folder...

Select the C:\junkxxx as destination and move

the "MSDKLI.DLL" there.

--------------------------------------------------------------

 

Run  the "RESTORE.bat", file , wait for

and post the 'log1.txt' file!

If the first set of steps (MOVEit/edit/paste/save, etc)

was successful, there is no need to follow the alternate steps above!

-------------------------------------------------------------

Share this post


Link to post
Share on other sites
Well done!

coast is clear to proceed..

 

Be sure to Follow the next set of steps carefully, in

the exact order specified:

 

 

-Open the FINDnFIX\Keys1 Subfolder!

- Locate the "MOVEit.bat" file, Right-Click

on it,select->edit:

The file will open as text file.

-Copy and paste the entire hilited line in the following quote box

(all one line) into the 'MOVEit' file, replacing it's contents:

move %WinDir%\System32\MSDKLI.DLL %SystemDrive%\junkxxx\MSDKLI.DLL

 

Be sure to Replace the text in the file with the command above!

 

-Save the file and close.

 

*Get ready to restart your computer:

-In the same folder, DoubleClick on the "FIX.bat" file.

You will be prompted by popup -Alert to restart in 15 seconds.

-Allow it to restart the computer!

 

-On restart, Navigate to:

C:\FINDnFIX\ main folder:

-DoubleClick on the "RESTORE.bat" file.

 

It'll run and produce new log. (log1.txt) post it here!

===================================

*Note:

Some *crippled version(s) of XP would not let you edit .bat files!

 

In case of any errors while editing the 'MOVEit' or no

edit options, etc

Don't follow the steps above but

Use the alternate steps in the following quote box:

*Get ready to restart:

- DoubleClick on the "FIX.bat" file in the 'FINDnFIX' folder.

-Wait for the  popup -Alert to restart your computer in 15 seconds.

 

On restart, navigate to System32 folder:

-Locate and select the "MSDKLI.DLL" file (as it will be visible)

And use the folder's top menu>edit>

move to folder...

Select the C:\junkxxx as destination and move

the "MSDKLI.DLL" there.

--------------------------------------------------------------

 

Run  the "RESTORE.bat", file , wait for

and post the 'log1.txt' file!

If the first set of steps (MOVEit/edit/paste/save, etc)

was successful, there is no need to follow the alternate steps above!

-------------------------------------------------------------

That's alot of steps!

Will anyone now admit these browser hijackers are as bad as viruses?

I lost a full day of work over one.

 

Bob

Share this post


Link to post
Share on other sites

ok I had to do this via the second set of instructions but I was able to follow them and I think it did what you set out for it to do.

 

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Tue 06/29/2004

5:58pm up 0 days, 0:04

 

Microsoft Windows XP [Version 5.1.2600]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

* result\\?\C:\junkxxx\MSDKLI.DLL

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

C:\JUNKXXX\

msdkli.dll Thu Jun 17 2004 12:14:32a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\MSDKLI.DLL

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

Searching ==>C:\JUNKXXX\MSDKLI.DLL

Run Time(sec) 0

**File C:\JUNKXXX\MSDKLI.DLL

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

rem replace this text with your given command...

 

-ra-- W32i - - - - 57,344 06-17-2004 msdkli.dll

A R C:\junkxxx\msdkli.dll

File: <C:\junkxxx\msdkli.dll>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\junkxxx\msdkli.dll BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

D46HHW31\Bob:F

BUILTIN\Users:R

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x D46HHW31\Bob

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: D46HHW31\Bob

 

Primary Group: D46HHW31\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

File "C:\junkxxx\msdkli.dll"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x D46HHW31\Bob

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: D46HHW31\Bob

 

Primary Group: D46HHW31\None

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

AppInit_DLLs±

 

---------- NEWWIN.TXT

AppInit_DLLsÿÿÿÿ

**File C:\FINDnFIX\NEWWIN.TXT

**File C:\FINDnFIX\NEWWIN.TXT

000012F0: 01 00 00 00 01 00 79 00 . 5F 44 4C 4C 73 FF FF FF ......y. _DLLsÿÿÿ

**File C:\FINDnFIX\NEWWIN.TXT

Ñ_åàÿÿÿvk € 5swapdisk h ° ð X Ðÿÿÿvk à . TransmissionRetryTimeoutÐÿÿÿvk €' b USERProcessHandleQuota3 àÿÿÿh ° ð X ˆ Ø Øÿÿÿvk € y AppInit_DLLsÿÿÿÿ

 

 

 

and in response to Bob, look at when I first posted and keep in mind I was working on this for 4 days before I found this web site and the help of freeatlast, my new found idol whom I will be praying to nightly ;)

 

-Brian

Share this post


Link to post
Share on other sites

Good progress this time! :cool:

 

Last step(s):

 

 

-Open the FINDnFIX\Files2< Subfolder:

Run the -> "ZIPZAP.bat" file.

It will quickly clean the rest and

will make a copy of the bad file(s) in the same

folder (junkxxx.zip) and open your email client with instructions:

Simply drag and drop the 'junkxxx.zip' file from

the folder into the mail message and submit

to the specified addresses! Thanks!

 

When done, restart your computer and

Delete and entire 'FINDnFIX' file+folder(s)

From C:\, and be sure the C:\junkxxx folder

was deleted (as part of the cleanup process)

 

 

As for the remains, run any and all

removal tools once again as they should work properly now!

In particular,

CWShredder.exe and fully updated Ad-Aware!

 

 

Post follow up hijackthis log when done! ;)

Share this post


Link to post
Share on other sites

ok I think we killed it ;) here goes:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:20:27 PM, on 6/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RegSrvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\BacsTray.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\winlogon.exe

C:\HiJack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ranger25.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [bacstray] BacsTray.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

 

 

Let me know if it looks clean it seems to. IE seems to keep the homepage now, and no popups about spyware.

 

Keep the fingers crossed.

 

Brian

 

PS should I defrag when this is all done?

Edited by cavb212

Share this post


Link to post
Share on other sites

Defrag is a good idea.

Clean your temp/temp internet files as well.

 

Snip this in hijackthis:

 

*R0 - HKCU\Software\Microsoft\Internet Explorer\

Toolbar,LinksFolderName =

 

You're all set! :thumbsup:

Share this post


Link to post
Share on other sites

Glad we could help :D

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0