Please help me


4 replies to this topic

#1 noobie


Posted 26 June 2004 - 01:22 PM

:wtf: I'm new to the forum so please bear with me... I ran HijackThis and this is what came up in the log, please help.

Logfile of HijackThis v1.97.7
Scan saved at 1:21:26 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sdkzp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\atlug.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxtxo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fxtxo.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fxtxo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxtxo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fxtxo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fxtxo.dll/sp.html#96676
O2 - BHO: (no name) - {45FBA509-DAA5-97CD-E115-6D6D199279E0} - C:\WINDOWS\system32\ieac.dll
O4 - HKLM\..\Run: [sdkzp.exe] C:\WINDOWS\system32\sdkzp.exe
O4 - HKLM\..\RunOnce: [apiug32.exe] C:\WINDOWS\apiug32.exe
O4 - HKLM\..\RunOnce: [sdkxz.exe] C:\WINDOWS\system32\sdkxz.exe

#2 noobie


Posted 26 June 2004 - 02:18 PM

I got this far, I need some help with the rest :wtf:


»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Sat 06/26/2004
2:14pm up 0 days, 1:34
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

C:\WINDOWS\SYSTEM32\
auhai.dll Fri May 28 2004 11:25:36p A.SH. 70,656 69.00 K
fxtxo.dll Thu Jun 17 2004 2:40:36p A.SH. 70,656 69.00 K
gqgvu.dll Sun Jun 20 2004 5:50:34a A.SH. 70,656 69.00 K
sysxf.dll Fri Apr 16 2004 2:30:02a A.SH. 91,136 89.00 K
vopai.dll Thu Jun 3 2004 8:38:40p A.SH. 70,656 69.00 K
wdpzk.dll Sun Jun 20 2004 6:57:06p A.SH. 70,656 69.00 K
zkhkv.dll Mon May 31 2004 8:26:12a A.SH. 70,656 69.00 K

7 items found: 7 files, 0 directories.
Total of file sizes: 515,072 bytes 503.00 K

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\AUHAI.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FXTXO.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\GQGVU.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SYSXF.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\VOPAI.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WDPZK.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ZKHKV.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access VALUED-7B9600FA\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access VALUED-7B9600FA\Owner


»»Member of...: (Admin logon required!)
User is a member of group VALUED-7B9600FA\None.
User is a member of group \Everyone.
User is a member of group VALUED-7B9600FA\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x VALUED-7B9600FA\Owner
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: VALUED-7B9600FA\Owner

Primary Group: VALUED-7B9600FA\None



»»»»»»Backups created...»»»»»»
2:16pm up 0 days, 1:36
Sat 06/26/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-26-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 06-26-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

3/3Z3
3d3v3
Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota
,<><(
<c<h<v<
=!=1=B=g=l=z=
>-><>L>s>
?C?H?X?
?n?y?
0&0<0B0G0Q0Y0e0j0p0x0
1-131;1
1F1N1Y1a1g1l1q1v1
1"2'2,2;2F2N2Y2
2i2t2
3%3*3<3J3k3q3
4%4+434=4H4N4V4
4c4h4s4x4
6I6N6
6f6q6
1 1$1(1,1014181<1
1D1H1L1P1T1X1
1d1h1l1p1t1x1
2 2(20282
2H2P2X2
2h2p2x2
4 4$4(4,4044484<4
4D4H4L4P4T4X4
4d4h4l4p4t4x4
5 5$5(5,5054585<5
5D5H5L5P5T5X5
5d5h5l5p5t5x5
6 6$6(6,6064686<6
6D6H6L6P6T6X6
6d6h6l6p6t6x6

**File C:\FINDnFIX\WIN.TXT


#3 noobie


Posted 26 June 2004 - 02:50 PM

:weep:
»»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Sat 06/26/2004
2:46pm up 0 days, 2:06
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

C:\WINDOWS\SYSTEM32\
auhai.dll Fri May 28 2004 11:25:36p A.SH. 70,656 69.00 K
fxtxo.dll Thu Jun 17 2004 2:40:36p A.SH. 70,656 69.00 K
gqgvu.dll Sun Jun 20 2004 5:50:34a A.SH. 70,656 69.00 K
sysxf.dll Fri Apr 16 2004 2:30:02a A.SH. 91,136 89.00 K
vopai.dll Thu Jun 3 2004 8:38:40p A.SH. 70,656 69.00 K
vwpkv.dll Tue Jun 15 2004 12:49:26p A.SH. 70,656 69.00 K
wdpzk.dll Sun Jun 20 2004 6:57:06p A.SH. 70,656 69.00 K
zkhkv.dll Mon May 31 2004 8:26:12a A.SH. 70,656 69.00 K

8 items found: 8 files, 0 directories.
Total of file sizes: 585,728 bytes 572.00 K

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\AUHAI.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FXTXO.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\GQGVU.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SYSXF.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\VOPAI.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\VWPKV.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WDPZK.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ZKHKV.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access VALUED-7B9600FA\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access VALUED-7B9600FA\Owner


»»Member of...: (Admin logon required!)
User is a member of group VALUED-7B9600FA\None.
User is a member of group \Everyone.
User is a member of group VALUED-7B9600FA\Debugger Users.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x VALUED-7B9600FA\Owner
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: VALUED-7B9600FA\Owner

Primary Group: VALUED-7B9600FA\None



»»»»»»Backups created...»»»»»»
2:47pm up 0 days, 2:07
Sat 06/26/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-26-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 06-26-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

3/3Z3
3d3v3
Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota
,<><(
<c<h<v<
=!=1=B=g=l=z=
>-><>L>s>
?C?H?X?
?n?y?
0&0<0B0G0Q0Y0e0j0p0x0
1-131;1
1F1N1Y1a1g1l1q1v1
1"2'2,2;2F2N2Y2
2i2t2
3%3*3<3J3k3q3
4%4+434=4H4N4V4
4c4h4s4x4
6I6N6
6f6q6
1 1$1(1,1014181<1
1D1H1L1P1T1X1
1d1h1l1p1t1x1
2 2(20282
2H2P2X2
2h2p2x2
4 4$4(4,4044484<4
4D4H4L4P4T4X4
4d4h4l4p4t4x4
5 5$5(5,5054585<5
5D5H5L5P5T5X5
5d5h5l5p5t5x5
6 6$6(6,6064686<6
6D6H6L6P6T6X6
6d6h6l6p6t6x6

**File C:\FINDnFIX\WIN.TXT


#4 noobie


Posted 26 June 2004 - 03:17 PM

Please, someone help: tell me what exactly I need to do to get this crap off my comp :gack:

#5 Fireflyer

    Spyware Scorcher

  • Retired Staff

Posted 28 June 2004 - 09:52 PM

noobie, the tool by freeatlast is for a different variant of the CWS infection.

The Ad-Aware update of June 26 seems to fix the variant that you have.

Run Ad-Aware with the latest update, and there will be just a few R0 and R1 left to fix with HijackThis.

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

Run a new HijackThis scan and post it here.

Edited by Fireflyer, 28 June 2004 - 09:54 PM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
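As an added example (not part of this thread, and not code from HijackThis, Ad-Aware or the freeatlast tool): a small Python triage script that reads a HijackThis v1.x log like the one in post #1 and pulls out the three kinds of entry the thread turns on: the R0/R1 Internet Explorer start/search settings that point at a `res://` DLL (the lines Fireflyer says will be left to fix after Ad-Aware), the O2 browser helper object registered with no name, and the O4 Run/RunOnce autostarts, cross-checked against the "Running processes" list so you can see which autostart is actually live. The sample input is constructed from the lines quoted in post #1; the function names, the findings layout and the heuristics themselves are this example's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample input: the HijackThis entries quoted in post #1 of this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\sdkzp.exe
C:\WINDOWS\system32\atlug.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxtxo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fxtxo.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fxtxo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxtxo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fxtxo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fxtxo.dll/sp.html#96676
O2 - BHO: (no name) - {45FBA509-DAA5-97CD-E115-6D6D199279E0} - C:\WINDOWS\system32\ieac.dll
O4 - HKLM\..\Run: [sdkzp.exe] C:\WINDOWS\system32\sdkzp.exe
O4 - HKLM\..\RunOnce: [apiug32.exe] C:\WINDOWS\apiug32.exe
O4 - HKLM\..\RunOnce: [sdkxz.exe] C:\WINDOWS\system32\sdkxz.exe
"""

# Line shapes of a HijackThis 1.x log (patterns written for this example).
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$")
RES_DLL = re.compile(r"^res://(?:.*[\\/])?([^\\/]+\.dll)/", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def analyze_hijackthis(log_text):
    """Return a dict of suspicious items found in a HijackThis v1.x log.

    Heuristics (this script's own, not HijackThis rules):
      * R0/R1 IE start/search settings whose value is a res:// URL into a DLL
      * O2 browser helper objects registered with no name
      * O4 Run/RunOnce autostarts, cross-checked against the running-process list
    """
    running = set()
    findings = {
        "hijacked_ie_settings": [],   # (hive, setting name, value)
        "hijack_dlls": set(),         # DLL file names served via res://
        "unnamed_bhos": [],           # (CLSID, path)
        "autostart": [],              # dicts describing O4 entries
    }
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:              # a blank line closes the process section
                in_procs = False
            else:
                running.add(line.lower())
            continue
        m = R_LINE.match(line)
        if m:
            _kind, hive, _key, name, value = m.groups()
            dll = RES_DLL.match(value)
            if dll:                   # legitimate values are http(s) or about:blank, not res://
                findings["hijacked_ie_settings"].append((hive, name, value))
                findings["hijack_dlls"].add(dll.group(1).lower())
            continue
        m = O2_LINE.match(line)
        if m:
            label, clsid, path = m.groups()
            if label.strip().lower() == "(no name)":
                findings["unnamed_bhos"].append((clsid, path))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, key, label, path = m.groups()
            findings["autostart"].append({
                "hive": hive, "key": key, "label": label, "path": path,
                "running": path.lower() in running,
            })
    return findings


def summarize(findings):
    """Turn the findings into short triage lines (what to look at, not what to delete)."""
    lines = []
    for dll in sorted(findings["hijack_dlls"]):
        n = sum(1 for _, _, v in findings["hijacked_ie_settings"] if dll in v.lower())
        lines.append(f"IE start/search settings hijacked via res://{dll} ({n} entries)")
    for clsid, path in findings["unnamed_bhos"]:
        lines.append(f"Unnamed BHO {clsid} -> {path}")
    for a in findings["autostart"]:
        state = "currently running" if a["running"] else "not in process list"
        lines.append(f"{a['key']} autostart [{a['label']}] -> {a['path']} ({state})")
    return lines


if __name__ == "__main__":
    for item in summarize(analyze_hijackthis(SAMPLE_LOG)):
        print(item)
```

Run against a real log, the script points at the same things a helper reads first: one DLL name (fxtxo.dll here) behind all six hijacked IE settings, a nameless BHO, and which of the three autostarts is already loaded. It does not decide what to remove; that is still the job of the cleanup tool and the follow-up HijackThis scan Fireflyer asks for.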



