Jump to content


Photo

CWS Searchx infected


  • Please log in to reply
1 reply to this topic

#1 Pablos

Pablos

    Member

  • New Member
  • Pip
  • 3 posts

Posted 02 July 2004 - 04:33 PM

Here is my log from FINDnFIX.dll that new tool, from www.freeatlast....

I don't know which is the line, that I must copy in Moveit.bat.

Someone please help me, or if it exist another resolve....

Thx in advance !


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1
The type of the file system is NTFS.
D: is not dirty.

Fri 07/02/2004
11:44pm up 0 days, 0:03

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File D:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

D:\WINDOWS\SYSTEM32\
aliby.dll Thu Jul 1 2004 12:31:28a A.SH. 0 0.00 K
fyrlx.dll Thu Jul 1 2004 12:31:00a A.SH. 0 0.00 K
jdckc.dll Mon Jun 14 2004 3:12:36p A.SH. 67,584 66.00 K
tuegu.dll Sun Jun 20 2004 4:45:22a A.SH. 67,584 66.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 135,168 bytes 132.00 K

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\WINDOWS\SYSTEM32\ALIBY.DLL
Sniffed -> D:\WINDOWS\SYSTEM32\FYRLX.DLL
Sniffed -> D:\WINDOWS\SYSTEM32\JDCKC.DLL
Sniffed -> D:\WINDOWS\SYSTEM32\TUEGU.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access RAZVAN\Razvan
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access RAZVAN\Razvan


»»Member of...: (Admin logon required!)
User is a member of group RAZVAN\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Remote Desktop Users.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

D:\WINDOWS\
notepad.exe Thu Aug 23 2001 7:00:00p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

D:\WINDOWS\SYSTEM32\
notepad.exe Thu Aug 23 2001 7:00:00p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

D:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Thu Aug 23 2001 7:00:00p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "D:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x RAZVAN\Razvan
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: RAZVAN\Razvan

Primary Group: RAZVAN\None



»»»»»»Backups created...»»»»»»
11:44pm up 0 days, 0:03
Fri 07/02/2004

A D:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-02-2004 winback.hiv
A D:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-02-2004 winkey.reg

»»Performing 16bit string scan....
00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 @ vk ' z
00001210:GDIProcessHandleQuota" 9 0 | vk X
00001250:Spooler2 y e s n vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' 6 USERProcessHandleQuota2 8
00001310:h
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
USERProcessHandleQuota2

**File D:\FINDnFIX\WIN.TXT


#2 Pablos

Pablos

    Member

  • New Member
  • Pip
  • 3 posts

Posted 03 July 2004 - 05:48 AM

Please......Somebody help me!!!!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button