FINDnFIX Reply to 'freeatlast'-followup
#1 ECKPRJ


Posted 29 June 2004 - 07:44 PM

In reply to my original posting of DELETED REGISTRY KEY APPEAR ON REBOOT, I was advised to post my HIJACKTHIS log, which I did. I was then asked by FREEATLAST to run FINDnFIX. I ran it and posted a log a few days ago, but got no reply. Subsequently, problems still exist: I still get entries that AD AWARE identifies as potential browser hijackers; the IE browser will not hold a home page entry - it reverts after reboot to either www.msn.com or about:blank. My computer does not allow me to run the online virus checker HOUSECALL from trendmicro.com, and I find there are two programs that have become corrupted; after I uninstalled them thoroughly, I cannot reinstall them uncorrupted.

I have posted the latest FINDnFIX log in the hope that it will help; I would really appreciate guidance.

Many thanks.


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Tue 06/29/2004
7:21pm up 0 days, 21:37
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\KBDGAJO.DLL +++ File read error
\\?\C:\WINDOWS\System32\KBDGAJO.DLL +++ File read error
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
╗╗╗Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
KBDGAJO.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

C:\WINDOWS\SYSTEM32\
kbdgajo.dll Wed Jun 23 2004 6:04:34p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KBDGAJO.DLL
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group SERVER\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SERVER\Peter
Allow 0000001B -co- 001F01FF ---- DSPO rw+x \CREATOR OWNER
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Users

Owner: SERVER\Peter

Primary Group: SERVER\None



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
7:22pm up 0 days, 21:38
Tue 06/29/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-26-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-26-2004 winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠGŞ   C
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota3

**File C:\FINDnFIX\WIN.TXT
        ě   vk @ ě   f¨AppInit_DLLsÍ?ŠGŞ   C : \ W I N D O W S \ S y s t e m 3 2 \ k b d g a j o . d l l 975F ░ đ   vk  X   └UDeviceNotSelectedTimeout­   1 5  ( ­   9 0  Ű=t└đ   vk  Ç'   zGDIProcessHandleQuota"■Ó   vk  ╚   ░║Spooler2­   y e s


#2 ECKPRJ


Posted 30 June 2004 - 04:21 PM

BUMP
