about:blank - Please advise (WIN2K)


7 replies to this topic

#1 hectorv418 (Full Member, 8 posts)

Posted 30 June 2004 - 02:59 PM

Don't know what else to do, I think I've done it all...
Here's the log file


Logfile of HijackThis v1.97.7
Scan saved at 3:30:23 PM, on 6/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\paradmin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com...nder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O2 - BHO: (no name) - {AAE3010A-D539-4DED-8C3E-2C0EF332D9AE} - C:\WINNT\system32\ffdic.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: Domain = schonfeld.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: NameServer = 10.180.1.254,204.52.175.202

#2 freeatlast (Retired Staff, 833 posts)

Posted 30 June 2004 - 03:02 PM

Download and install "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
and post the results....

#3 hectorv418 (Full Member, 8 posts)

Posted 30 June 2004 - 03:27 PM

Here it is
»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is FAT32.
C: is not dirty.

Wed 06/30/2004
3:13pm up 0 days, 0:15

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group PARAMUS\Domain Users.
User is a member of group \Everyone.
User is a member of group BUILTIN\Users.
User is a member of group BUILTIN\Administrators.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.
User is a member of group PARAMUS\Domain Admins.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINNT\
notepad.exe Thu Jun 19 2003 9:07:10p A.... 51,200 50.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51,200 bytes 50.00 K

C:\WINNT\SYSTEM32\
notepad.exe Thu Jun 19 2003 9:03:18p A.... 51,200 50.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51,200 bytes 50.00 K

C:\WINNT\SYSTEM32\DLLCACHE\
notepad.exe Thu Jun 19 2003 9:02:04p A.... 51,200 50.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 51,200 bytes 50.00 K
--a-- W32i APP ENU 5.0.2140.1 shp 51,200 06-19-2003 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows ® 2000 Operating System
ProductVersion 5.00.2140.1
FileVersion 5.00.2140.1
LegalCopyright Copyright © Microsoft Corp. 1981-1999

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050000:085c0001 (5.0:2140.1)
ProdVer: 00050000:085c0001 (5.0:2140.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone



»»»»»»Backups created...»»»»»»
3:15pm up 0 days, 0:17
Wed 06/30/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-30-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 06-30-2004 winkey.reg

»»Performing 16bit string scan....
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

f a user that can launch a component grouped under the associated Win32
DCOMApplication
Windows
DeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota
ProviderRegistration
ObjectProviderRegistration
abstract
InteractionType
sint32
Values
PushVerify
QuerySupportLevels
string
ValueMap
WQL:UnarySelect
WQL:References
WQL:Associators
WQL:V1ProviderDefined
SupportsDelete
boolean
SupportsEnumeration
boolean
SupportsGet
boolean
SupportsPut
boolean
ObjectProviderRegistration
ClassProviderRegistration
ReferencedSetQueries
string
ResultSetQueries
string
UnsupportedQueries
string
ObjectProviderRegistration
InstanceProviderRegistration
ProviderRegistration
PropertyProviderRegistration
SupportsGet
boolean
SupportsPut
boolean
ProviderRegistration

**File C:\FINDnFIX\WIN.TXT


#4 freeatlast (Retired Staff, 833 posts)

Posted 30 June 2004 - 03:43 PM

Hmmmm :scratchhead:

Based on your results I have to wonder.
You don't seem to have this variant, and you are missing the "AppInit_DLLs"
value from the Windows key.

In addition, your registry security is all messed up on the key.
The fact that the "Everyone" group is added makes me believe you renamed the key yourself w/o backing it up first!

Incidentally, the original setting on this key should be as follows:

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is FAT32.

»»Security settings for 'Windows' key:

Access Control List for Registry
key hklm\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Windows:

(NI)    ALLOW  Read        BUILTIN\Users
(IO)    ALLOW  Read        BUILTIN\Users
(NI)    ALLOW  Read        BUILTIN\Power Users
(IO)    ALLOW  Read        BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\
SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Windows:

Read          BUILTIN\Users
Read          BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM


Have you followed any other
removal steps on your own, so far? Any removal tools?

#5 hectorv418 (Full Member, 8 posts)

Posted 30 June 2004 - 03:46 PM

No, just ran Ad-Aware... and deleted keys in the registry that it pointed to,
but it kept coming back... Am I screwed?
Am I in fdisk territory???

#6 hectorv418 (Full Member, 8 posts)

Posted 30 June 2004 - 03:56 PM

I'm heading out and won't be back till tomorrow morning. I'll follow up first thing tomorrow, so please post more info on a possible resolution for this issue.

#7 freeatlast (Retired Staff, 833 posts)

Posted 30 June 2004 - 04:07 PM

Not really...

But I can't pinpoint the problem on your log.

Do this for now:
Find this file:
C:\FINDnFIX\WIN.TXT
Copy it and attach into your next reply!

Open the C:\FINDnFIX\Files2\ Subfolder.
DoubleClick on the file ->un.exe
Then DoubleClick on this file:
->last.reg, answer 'yes' to the prompt!

Both should remove most bad entries.

Restart your computer and delete the
entire FINDnFIX folder from C:\
And 'junkxxx' empty folder created.

Restart your computer in safe mode, find
and delete both of these files, if they exist:
C:\WINNT\dpe.dll
C:\WINNT\system32\ffdic.dll

Re-run HijackThis and fix/check any of the remaining entries, if they exist:

*All R1/R0 lines
*O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
*O2 - BHO: (no name) - {AAE3010A-D539-4DED-8C3E-2C0EF332D9AE} - C:\WINNT\system32\ffdic.dll
*All O13 lines (2)

Re-run once again, in particular
the latest CWShredder.exe and a fully updated Ad-Aware!

In order to restore your security on the key,
you can follow the steps on this page:
In this section:

How can I synchronize with Windows 2000 default security settings?
However, that's not a critical issue.

When done with the above, post new hijackthis log as well!
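A small triage script, added here as an example (not part of this thread, nor of HijackThis or FINDnFIX), that applies the fix list from the post above to log lines in the HijackThis v1.97 format shown earlier in the thread: it flags R0/R1 entries whose search or start page points at a file in a Temp folder, unnamed O2 BHOs, and O13 prefixes that are percent-encoded, which it decodes to a readable host. The sample lines are constructed; the `user` profile name in the path is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample in HijackThis v1.97 log format, modelled on the
# entry types this thread tells the poster to fix (R0/R1, O2, O13).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briefing.com/
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")


def decode_prefix(value):
    """Undo the percent-encoding an O13 prefix uses to hide its host."""
    return unquote(value)


def triage(log_text):
    """Return (kind, reason, line) for entries matching the thread's fix list."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        low = rest.lower()
        if kind in ("R0", "R1") and "file://" in low and "\\temp\\" in low:
            # Search/start page redirected to a local file in a Temp folder.
            findings.append((kind, "search/start page is a file in Temp", line))
        elif kind == "O2" and "(no name)" in rest:
            # A BHO with no name is on the thread's removal list.
            findings.append((kind, "BHO with no name", line))
        elif kind == "O13":
            decoded = decode_prefix(rest)
            if decoded != rest:
                # Percent-encoded prefix; report the readable form.
                findings.append((kind, "encoded prefix: " + decoded, line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {line}")
```

The legitimate R0 start page, O3 toolbar and O4 Run entry in the sample produce no finding, so the output is only the three lines a helper would ask to have fixed.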

#8 hectorv418 (Full Member, 8 posts)

Posted 01 July 2004 - 08:08 AM

I think I'm good. I'll keep you posted. Thank you very much....

Here's the log

Logfile of HijackThis v1.97.7
Scan saved at 9:09:15 AM, on 7/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\paradmin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briefing.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: Domain = schonfeld.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: NameServer = 10.180.1.254,204.52.175.202



