FINDnFIX log for about:blank hijack



#1 wizzahd (Full Member, 5 posts)
Posted 02 July 2004 - 12:21 PM

Any info would be appreciated ^_^

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»» 
 
Fri 07.02.2004 
  1:19pm  up 0 days,  0:02

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s) 
6.0.2800.1106 SP1-Q832894-Q831167-Q837009
The type of the file system is NTFS.
C: is not dirty.
 
 »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»» 
Scanning for file(s) in System32... 
 
»»»»»»» (1) »»»»»»» 
 
»»»»»»» (2) »»»»»»» 
**File C:\FINDnFIX\LIST.TXT
 
»»»»»»» (3) »»»»»»» 

No matches found.

No matches found.
 
»»»»»»» (4) »»»»»»» 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 
»»»*»»» Scanning for moved file... »»»*»»» 
* result\\?\C:\junkxxx\KBDNHJ.222
 

C:\JUNKXXX\
   kbdnhj.222     Thu Jun 24 2004   9:25:44p  A....         57,344    56.00 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  57,344 bytes     56.00 K
 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\KBDNHJ.222
 
**File C:\JUNKXXX\KBDNHJ.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69  gDevice.  .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01  ceSetup.  2.....ą.
 
A----- KBDNHJ  .222 0000E000 21:25.44 24/06/2004
 
move %WinDir%\System32\kbdnhj.dll %SystemDrive%\junkxxx\kbdnhj.dll
 
--a-- W32i   -   -               -   -     57,344 06-24-2004 kbdnhj.222
A          C:\junkxxx\kbdnhj.222
File: <C:\junkxxx\kbdnhj.222>
CRC-32       : D5C9FB2E
MD5          : C185B36F 9969D3A6 D2122BA7 CBC02249
»»Permissions: 
C:\junkxxx\kbdnhj.222 Everyone:(special access:)
                                                SYNCHRONIZE
                                                FILE_EXECUTE

                      NT AUTHORITY\SYSTEM:F 
                      BUILTIN\Administrators:F 

Directory "C:\junkxxx\."
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: BUILTIN\Administrators

    Primary Group: WIZZAHD\None

Directory "C:\junkxxx\.."
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: BUILTIN\Administrators

File "C:\junkxxx\kbdnhj.222"
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000000 t--- 00100020 ---- ---- ---x \Everyone
        Allow   00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: BUILTIN\Administrators

    Primary Group: WIZZAHD\None

 
 »»Size of Windows key: 
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...) 
 
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
 
 »»Dumping Values: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout	SZ	15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler	SZ	yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout	SZ	90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	SZ	
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk = 
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = 
 
  »»Security settings for 'Windows' key: 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW  Read        	Everyone
(ID-IO) ALLOW  Read        	Everyone
(ID-NI) ALLOW  Read        	BUILTIN\Users
(ID-IO) ALLOW  Read        	BUILTIN\Users
(ID-NI) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-IO) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read          	Everyone
Read          	BUILTIN\Users
QWCEN-DS--      BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM


 
»»Notepad check.... 

C:\WINNT\
   notepad.exe    Thu Jun 24 2004   9:48:36p  A....         50,960    49.77 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  50,960 bytes     49.77 K

C:\WINNT\SYSTEM32\
   notepad.exe    Tue May  8 2001   8:00:00a  A....         50,960    49.77 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  50,960 bytes     49.77 K

C:\WINNT\SYSTEM32\DLLCACHE\
   notepad.exe    Thu Jun 24 2004   9:48:36p  A....         50,960    49.77 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  50,960 bytes     49.77 K
--a-- W32i APP ENU      5.0.2140.1 shp     50,960 06-24-2004 notepad.exe
	Language	0x0409 (English (United States))
	CharSet  0x04b0 Unicode
	OleSelfRegister	Disabled
	CompanyName	Microsoft Corporation
	FileDescription	Notepad
	InternalName	Notepad
	OriginalFilenam	NOTEPAD.EXE
	ProductName	Microsoft(R) Windows (R) 2000 Operating System
	ProductVersion	5.00.2140.1
	FileVersion	5.00.2140.1
	LegalCopyright	Copyright (C) Microsoft Corp. 1981-1999

	VS_FIXEDFILEINFO:
	Signature:	feef04bd
	Struc Ver:	00010000
	FileVer:	00050000:085c0001 (5.0:2140.1)
	ProdVer:	00050000:085c0001 (5.0:2140.1)
	FlagMask:	0000003f
	Flags:  00000000
	OS:  00040004 NT Win32
	FileType:	00000001 App
	SubType:	00000000
	FileDate:	00000000:00000000
 
00001150:                        ?                                       
00001190:                                            /  m 1C@C  2        
000011D0:        0   `                       vk                M DeviceNo
00001210:tSelectedTimeout    1 5     F T     vk       '        s GDIProce
00001250:ssHandleQuota n     vk                X Spooler     y e s    }M 
00001290:    vk                o swapdisk    vk                teTransmis
000012D0:sionRetryTimeout    9 0   F @ X     vk       '          USERProc
00001310:essHandleQuotale    vk                M AppInit_DLLsndleQuotaair
00001350:                                                                
00001390:                                                                
000013D0:                                                                
00001410:                                                                
00001450:                                                                
00001490:                                                                
000014D0:                                                                
00001510:                                                                
00001550:                                                                

---------- WIN.TXT

---------- NEWWIN.TXT
MAppInit_DLLsndleQuotaair°
**File C:\FINDnFIX\NEWWIN.TXT
2      ą’’’š  0  `  ?  °  š     Š’’’vk           

MDeviceNotSelectedTimeoutš’’’1 5     F T Š’’’vk   €'      s GDIProcessHandleQuota 

n ą’’’vk    €      X Spooler š’’’y e s   ˜}Mą’’’vk   €        o 

swapdiskŠ’’’vk    ą      teTransmissionRetryTimeoutš’’’9 0   F@X Š’’’vk   €'  

      USERProcessHandleQuotaleŠ’’’vk    €        MAppInit_DLLsndleQuotaair°   ’’’’ 



                                   ar, Read-only and Hidden set
$
/D+   find Directories only
/D-   files only, no Directories
/D    both files and Directories (default)

/D:[start][,end]   only Dates in range
/D:date!   only one specific date
/D:T       only items dated today

/US   show dates in US format:  Jan 31 1996
/UK   show dates in UK format:  31 Jan 1996
/UJ   show dates in ISO format:  1996-01-31

$
/T    search only current directory and path

/T:[start][,end]   check Time stamps
/T:time!   only one specific time

$
/S     display Summary only, not found items

/S:[small][,big]   only files in Size range
/S:size!   only one specific size

Size may end in K for Kilobytes, or M for Megabytes.

$/B or /O string -- 80 characters max!
$Working buffer overflow!
$Command buffer overflow!
$Illegal switch "#" in LOCATE variable!
$Unable to delete:  DOS error $Directory not empty, or Access denied &C synt
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 4D 01 . 5F 44 4C 4C 73 6E 64 6C  ......M.  _DLLsndl
**File C:\FINDnFIX\NEWWIN.TXT
2      ą’’’š  0  `  ?  °  š     Š’’’vk           

MDeviceNotSelectedTimeoutš’’’1 5     F T Š’’’vk   €'      s GDIProcessHandleQuota 

n ą’’’vk    €      X Spooler š’’’y e s   ˜}Mą’’’vk   €        o 

swapdiskŠ’’’vk    ą      teTransmissionRetryTimeoutš’’’9 0   F@X Š’’’vk   €'  

      USERProcessHandleQuotaleŠ’’’vk    €        MAppInit_DLLsndleQuotaair°   ’’’’


#2 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 31 August 2004 - 11:06 AM

Due to the time passed ...
  • HijackThis ...
    • Double click on "My Computer" to open it.
    • Double click on the local "C-Drive" to open it.
    • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
    • Please download HijackThis from any of the following locations:
    • spywareinfo.com
    • subratam.org
    • tools.zerosrealm.com
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis, click on scan and wait for the scan to finish.
  • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
  • Notepad will open with a copy of the log.
    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
  • Please post your entire log here for analysis.




