Cool web search changes about:blank homepage


  • This topic is locked
10 replies to this topic

#1 lachesis
Full Member, 9 posts

Posted 29 June 2004 - 05:56 AM

[Screenshot of the hijacked browser window; image not available]

This is what happens when I open my browser; I have downloaded CWS and HijackThis:

HijackThis Logfile:

Logfile of HijackThis v1.97.7
Scan saved at 11:54:33, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Danny\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Danny\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Danny\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Danny\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Danny\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Danny\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E7A69F97-159B-4CB6-96F1-6F569F4E69E4} - C:\WINDOWS\System32\ibbca.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38021.4067361111
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

And the startup list:

StartupList report, 29/06/2004, 11:54:50
StartupList version: 1.52
Started from : C:\spyware\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\spyware\HijackThis.exe
C:\WINDOWS\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Acrobat 6.0\Distillr\acrotray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
WildTangent CDA = RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {1C78AB3F-A857-482e-80C0-3A1E5238A565}
(no name) - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\WINDOWS\System32\ibbca.dll - {E7A69F97-159B-4CB6-96F1-6F569F4E69E4}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[FilePlanet Download Control Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab

[strprint.trprints]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MCPTranscriptPrint.ocx
CODEBASE = https://partnering.one.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38021.4067361111

[WTHoster Class]
InProcServer32 = C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll
CODEBASE = http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,411 bytes
Report generated in 0.063 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Thanks for the help
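The log above shows the CoolWebSearch about:blank pattern a responder looks for: R0/R1 search settings pointing at a file:// page in the user's Temp folder (sp.html), a URLSearchHook/BHO/toolbar CLSID with "(no file)", a nameless BHO loading a DLL straight from System32 (ibbca.dll, which needs verifying), and an "iSearch The Web" context-menu item served from res://toolbar.dll. The Python script below is an added example, not part of the thread or of HijackThis: it turns those indicators into triage rules and runs them over a constructed excerpt of the log; the rules and the EXCEL.EXE allow-list are assumptions.

```python
"""Triage a HijackThis 1.9x log for the CoolWebSearch about:blank pattern.

Added example (not from the thread or from HijackThis). The indicator
rules are assumptions drawn from the log posted above; SAMPLE_LOG is a
constructed excerpt of that log, not a full capture.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Danny\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E7A69F97-159B-4CB6-96F1-6F569F4E69E4} - C:\WINDOWS\System32\ibbca.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1" or "O2"
    line: str      # the offending log line
    reason: str    # why it was flagged


# Rule 1: start/search settings redirected to a file:// page under Temp.
TEMP_FILE_URL = re.compile(r"=\s*file://.*\\(temp|tmp)\\", re.IGNORECASE)
# Rule 2: a registered CLSID whose backing file is gone.
NO_FILE = re.compile(r"-\s*\(no file\)\s*$")
# Rule 3: a BHO loaded straight out of System32 (legitimate BHOs normally
# live under Program Files); the DLL path is captured for the report.
SYSTEM32_DLL = re.compile(r"-\s*(C:\\WINDOWS\\System32\\[^\\]+\.dll)\s*$", re.IGNORECASE)
# Rule 4: a context-menu item served as a res:// resource from a binary.
RES_URL = re.compile(r"-\s*res://", re.IGNORECASE)
# Assumed allow-list: Office's own res:// context-menu host.
KNOWN_RES_HOSTS = ("excel.exe",)


def triage(log_text):
    """Return the list of Findings for the given HijackThis log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1") and TEMP_FILE_URL.search(line):
            findings.append(Finding(section, line,
                "IE start/search setting points at a file:// page in a Temp folder"))
        elif section in ("R3", "O2", "O3") and NO_FILE.search(line):
            findings.append(Finding(section, line,
                "registered CLSID with no backing file (orphaned component)"))
        elif section == "O2" and (m := SYSTEM32_DLL.search(line)):
            findings.append(Finding(section, line,
                f"BHO loads {m.group(1)} directly from System32; verify its publisher"))
        elif section == "O8" and RES_URL.search(line):
            if not any(host in line.lower() for host in KNOWN_RES_HOSTS):
                findings.append(Finding(section, line,
                    "context-menu item served from a res:// path in an unrecognised DLL"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the excerpt it flags four lines (the Temp sp.html search bar, the orphaned URLSearchHook, the System32 BHO and the iSearch res:// item) and leaves the Acrobat, Office and Symantec entries alone.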

#2 lachesis
Full Member, 9 posts

Posted 29 June 2004 - 07:12 AM

^ ^ ^ ^ ^ ^ ^ ^ ^

BUMP BUMP BUMP

#3 Trinom
Full Member, 11 posts

Posted 29 June 2004 - 07:23 AM

I had the same problem recently, but I fixed it; I don't really know how, lol...

I think I went into "Config..." in HijackThis and changed "Default Start Page", "Default Search Page", "Default Search Assistant" and "Default Search Customize", which had been changed to strange URLs ^^

Then I fixed the R1 or R0 lines with "Start page = xxxx" and other things that looked strange :)

But I'm not sure, so you can try ;)

#4 freeatlast
Explorer (Retired Staff), 833 posts

Posted 29 June 2004 - 07:33 AM

Download and install "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
and post the results....

#5 lachesis
Full Member, 9 posts

Posted 29 June 2004 - 08:03 AM

Thanks!!!

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»» 

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.
 
29/06/2004 
  2:00pm  up 0 days,  0:52
 
 »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»» 
 
Scanning for file(s)... 
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»» 
»»»»» (*1*) »»»»» ......... 
 »»Locked or 'Suspect' file(s) found... 
 
 
C:\WINDOWS\System32\HLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error
 
 »»»»» (*2*) »»»»»........ 
**File C:\FINDnFIX\LIST.TXT
HLP.DLL      Can't Open!
IMAGEHLP.DLL Can't Open!
IPNATHLP.DLL Can't Open!
LOG.DLL      Can't Open!
RASADHLP.DLL Can't Open!
XOLEHLP.DLL  Can't Open!
 
 »»»»» (*3*) »»»»»........ 

C:\WINDOWS\SYSTEM32\
   hlp.dll        Mon 28 Jun 2004  16:37:24   A...R         57,344    56.00 K
   log.dll        Mon  3 May 2004  11:24:58   A...R         57,344    56.00 K

2 items found:  2 files, 0 directories.
   Total of file sizes:  114,688 bytes    112.00 K
 
unknown/hidden files... 

No matches found.
 
 »»»»» (*4*) »»»»»......... 
Sniffing.......... 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LOG.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»» 
 
 »»Size of Windows key: 
 (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...) 
 
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
 
 »»Dumping Values........ 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout	SZ	15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler	SZ	yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout	SZ	90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota	DWORD	00002710
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk = 
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
 
  »»Security settings for 'Windows' key: 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-IO) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access  SPRINGFIELD\Leanne
(ID-IO) ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read         	 BUILTIN\Users
QWCEN-DS--      BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM
Full access    SPRINGFIELD\Leanne


»»Member of...: (Admin logon required!) 
User is a member of group SPRINGFIELD\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
 
»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...
 
[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.

 
 »»Dir 'junkxxx' was created with the following permissions... 
(FAT32=NA) 
Directory "C:\junkxxx"
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000000 t--- 001F01FF ---- DSPO rw+x SPRINGFIELD\Danny
        Allow   0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow   00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
        Allow   00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
        Allow   00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: SPRINGFIELD\Danny

    Primary Group: SPRINGFIELD\None

 
 
»»»»»»Backups created...»»»»»» 
  2:01pm  up 0 days,  0:53
29/06/2004 
 
A          C:\FINDnFIX\winBack.hiv
--a--    -   -   -               -   -      8,192 06-29-2004 winback.hiv
A          C:\FINDnFIX\keys1\winkey.reg
--a--    -   -   -               -   -        287 06-29-2004 winkey.reg
 
»»Performing  16bit string scan.... 

---------- WIN.TXT
AppInit_DLLs'
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
DeviceNotSelectedTimeout
Handle
GDIProcessHandleQuotak
dlSpoolerq
Noswapdisk
TransmissionRetryTimeout
USERProcessHandleQuotao
 
**File C:\FINDnFIX\WIN.TXT


#6 freeatlast
Explorer (Retired Staff), 833 posts

Posted 29 June 2004 - 08:40 AM

You have 2 files there! :scratchhead:

I suggest you proceed with these steps, in this exact order:

*Get ready to restart your computer:
- Open the C:\FINDnFIX\Keys1\ subfolder
- Double-click on the "FIX.bat" file
- You will be prompted by a popup alert to restart in 15 seconds.
- Allow it to restart the computer!
-------------------------------------------------------------------------
On restart, navigate to the System32 folder:
- Locate and select these files, one at a time:
  - hlp.dll
  - log.dll
and use the folder's top menu > Edit >
Move to Folder...
Select C:\junkxxx as the destination and move both
"hlp.dll" and "log.dll" to the C:\junkxxx folder.
-----------------------------------------------------------------------
Go back to the C:\FINDnFIX\ main folder and
run the "RESTORE.bat" file, wait for
the 'log1.txt' file and post it!

#7 lachesis
Full Member, 9 posts

Posted 29 June 2004 - 09:44 AM


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»» 

29/06/2004 
  3:43pm  up 0 days,  0:02

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

 »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»» 
Scanning for file(s)... 

»»»»»»» (1) »»»»»»» 
\\?\C:\junkxxx\HLP.111 +++ File read error

»»»»»»» (2) »»»»»»» 
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»» 
No matches found.
No matches found.

»»»»»»» (4) »»»»»»» 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»» Scanning for moved file... »»»*»»» 

C:\JUNKXXX\
   hlp.111        Mon 28 Jun 2004  16:37:24   A...R         57,344    56.00 K
   log.111        Mon  3 May 2004  11:24:58   A...R         57,344    56.00 K

2 items found:  2 files, 0 directories.
   Total of file sizes:  114,688 bytes    112.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\HLP.111
Sniffed -> C:\JUNKXXX\LOG.111

Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
Searching ==>C:\JUNKXXX\HLP.111                                 
BAD or MISSING File:

Run Time(sec) 0 

rem replace this entire line with your given command... 

	c:\junkxxx\hlp.111
-ra--    -   -   -               -   -     57,344 06-28-2004 hlp.111
	c:\junkxxx\log.111
-ra--    -   -   -               -   -     57,344 05-03-2004 log.111
A    R     C:\junkxxx\hlp.111
A    R     C:\junkxxx\log.111
File: <C:\junkxxx\hlp.111>  File: <C:\junkxxx\log.111>   

»»Permissions: 
C:\junkxxx\hlp.111
Directory "C:\junkxxx\."
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000000 t--- 001F01FF ---- DSPO rw+x SPRINGFIELD\Danny
        Allow   0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow   00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
        Allow   00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
        Allow   00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: SPRINGFIELD\Danny

    Primary Group: SPRINGFIELD\None

Directory "C:\junkxxx\.."
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow   00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
        Allow   00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
        Allow   0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
        Allow   00000000 t--- 001200A9 ---- -S-- r--x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\hlp.111"
File "C:\junkxxx\log.111"

 »»Size of Windows key: 
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...) 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 »»Dumping Values: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout	SZ	15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler	SZ	yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout	SZ	90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	SZ	

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk = 
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = 

  »»Security settings for 'Windows' key: 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-IO) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access  SPRINGFIELD\Leanne
(ID-IO) ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read         	 BUILTIN\Users
QWCEN-DS--      BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM
Full access    SPRINGFIELD\Leanne

---------- WIN.TXT
AppInit_DLLs'

---------- NEWWIN.TXT
AppInit_DLLsm
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001360: 01 00 00 00 01 00 53 00 . 5F 44 4C 4C 73 6D 00 33  ......S.  _DLLsm.3
**File C:\FINDnFIX\NEWWIN.TXT


#8 freeatlast
Explorer (Retired Staff), 833 posts

Posted 29 June 2004 - 09:56 AM

Ok... Well done!

You need some special steps next:

-Open the FINDnFIX\Files2 subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest,
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit it
to the specified addresses! Thanks!

When done, restart your computer and
delete the entire 'FINDnFIX' file+folder(s)
from C:\, and be sure the C:\junkxxx folder
was deleted (as part of the cleanup process).

As for the remains, run any and all
removal tools once again, as they should work properly now!
In particular,
CWShredder.exe and fully updated Ad-Aware!

Feel free to post a follow-up HijackThis log when done!

Double-check if the C:\junkxxx folder was moved/deleted.
If not, you are likely to get "access denied" when trying to delete it!
In that case:

How to take ownership of a file or folder in Windows XP

-Right-click on both files, one at a time, in
the C:\junkxxx folder, Properties >
Advanced > Security > Permissions
and take ownership, giving yourself 'Full control'.

-Right-click the 'junkxxx' folder itself, hit Properties.

-Go to the Security tab and click the Advanced button.

Check the box to reset permissions on all child objects.

Hit Apply, OK.
-Delete the 'junkxxx' folder.

#9 lachesis
Full Member, 9 posts

Posted 29 June 2004 - 10:58 AM

cheers

worked a treat

#10 freeatlast
Explorer (Retired Staff), 833 posts

Posted 29 June 2004 - 12:46 PM

:thumbsup:

#11 Daemon
Security Expert (Emeritus), 3,350 posts

Posted 29 June 2004 - 02:07 PM

Glad we could help :D



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.