Jump to content


Photo

Pesky Hijacker


  • Please log in to reply
7 replies to this topic

#1 rkeith

rkeith

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 03 July 2004 - 02:00 PM

Logfile of HijackThis v1.97.7
Scan saved at 6:56:44 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\DVKEYB~1\DVMAIN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Matrox X.tools\DSOutputEnabler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\DVKEYB~1\MIXER.EXE
C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Downloads\avg6698fu_free.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Robin\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Robin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Robin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Robin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Robin\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Robin\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Robin\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA562D42-2F6A-4B90-9191-E1ADD419FAC0} - C:\WINDOWS\System32\gpbd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [AidemHotKey] C:\PROGRA~1\DVKEYB~1\DVMAIN.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.fca.org/iNotes6.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7901.6725694444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 03 July 2004 - 05:26 PM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
Posted Image

#3 rkeith

rkeith

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 03 July 2004 - 11:35 PM

Thanks. To make you aware...I had just followed these instructions Computing.net and deleted that entry in the registry. It is still not there. The about:blank redirect and popups are still on my system.

Here's the log from FindNFix:

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q810847-Q813951-Q330994-Q837009-Q832894-Q831167
The type of the file system is NTFS.
C: is not dirty.

Sun 07/04/2004
0:20am up 0 days, 0:43

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\CTLFN.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLFN.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
CTLFN.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
ctlfn.dll Wed Jun 30 2004 6:26:16p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\CTLFN.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access EDITSTATION\Robin
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access EDITSTATION\Robin


»»Member of...: (Admin logon required!)
User is a member of group EDITSTATION\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Wed Jun 30 2004 6:26:06p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Wed Jun 30 2004 7:10:32p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Wed Jun 30 2004 6:26:06p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-30-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x EDITSTATION\Robin
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000013 tco- 001301BF ---- DS-- rw+x \Everyone

Owner: EDITSTATION\Robin

Primary Group: EDITSTATION\None



»»»»»»Backups created...»»»»»»
0:20am up 0 days, 0:43
Sun 07/04/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-04-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-04-2004 winkey.reg

»»Performing 16bit string scan....
00001150: $ ? @ >F $ ~ :
00001190: @ >F $ ~ : @ >F $ ~ :
000011D0: vk i DeviceNotSelectedTimeout 1 5
00001210: vk ' GDIProcessHandleQuotamis
00001250: 9 0 vk ~ SpoolerU y e s eout
00001290: vk utswapdisk ` vk
000012D0: P ceTransmissionRetryTimeout vk '
00001310:USERProcessHandleQuota: `
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
DeviceNotSelectedTimeout
GDIProcessHandleQuotamis
SpoolerU
utswapdisk
ceTransmissionRetryTimeout
USERProcessHandleQuota:

**File C:\FINDnFIX\WIN.TXT


#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 04 July 2004 - 04:09 AM

Please don't try fixing anything outside of this post - if you do I won't be responsible for the damage you do to your system.

Open the FINDnFIX folder and then open the keys1 folder. Right-click on the MOVEit.bat file and select 'edit'. That will open the file as an empty text file - copy and paste this line into the blank file:

move %WinDir%\System32\CTLFN.DLL %SystemDrive%\junkxxx\CTLFN.DLL

Save the file and close. The next step will cause a restart. Still in the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

On restart, open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.



Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

If that happens, skip that step and proceed this way instead. In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the CTLFN.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.

Posted Image

#5 rkeith

rkeith

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 04 July 2004 - 11:33 AM

Thanks, here is the log1 file:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Sun 07/04/2004
12:29am up 0 days, 0:05

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q810847-Q813951-Q330994-Q837009-Q832894-Q831167
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

No matches found.

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»
* result\\?\C:\junkxxx\CTLFN.222


C:\JUNKXXX\
ctlfn.222 Wed Jun 30 2004 6:26:16p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\CTLFN.222

**File C:\JUNKXXX\CTLFN.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.

A----- CTLFN .222 0000E000 18:26.16 30/06/2004

move %WinDir%\System32\CTLFN.DLL %SystemDrive%\junkxxx\CTLFN.DLL




--a-- W32i - - - - 57,344 06-30-2004 ctlfn.222
A C:\junkxxx\CTLFN.222
File: <C:\junkxxx\CTLFN.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\junkxxx\CTLFN.222 Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x EDITSTATION\Robin
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000013 tco- 001301BF ---- DS-- rw+x \Everyone

Owner: EDITSTATION\Robin

Primary Group: EDITSTATION\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone
Allow 00000003 tco- 001301BF ---- DS-- rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\CTLFN.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: EDITSTATION\Robin

Primary Group: EDITSTATION\None


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access EDITSTATION\Robin
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access EDITSTATION\Robin



»»Notepad check....

C:\WINDOWS\
notepad.exe Wed Jun 30 2004 6:26:06p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Wed Jun 30 2004 7:10:32p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Wed Jun 30 2004 6:26:06p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-30-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: $ ? @ >F $ ~ :
00001190: @ >F $ ~ : @ >F $ ~ :
000011D0: vk i DeviceNotSelectedTimeout 1 5
00001210: vk ' GDIProcessHandleQuotamis
00001250: 9 0 vk ~ SpoolerU y e s eout
00001290: vk utswapdisk ` vk
000012D0: P ceTransmissionRetryTimeout vk '
00001310:USERProcessHandleQuota: ` H vk
00001350: AppInit_DLLsoute
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT

---------- NEWWIN.TXT
AppInit_DLLsoute?
**File C:\FINDnFIX\NEWWIN.TXT
     !  €  !      #  Ą  #  ?          ?       $ ?    ¼@Å>F®$µ~“:ķ      ¼@Å>F®$µ~“:ķ   ¼@Å>F®$µ~“: Š’’’vk     i DeviceNotSelectedTimeoutš’’’1 5 €  Ų Š’’’vk  €'    GDIProcessHandleQuotamisš’’’9 0  °ŗą’’’vk  €   ~ SpoolerUš’’’y e s eoutą’’’vk  €   utswapdisk Ų  ` ? Č Š’’’vk  P   ceTransmissionRetryTimeoutŠ’’’vk  €'   USERProcessHandleQuota: ą’’’Ų  ` ? Č ų H Ų’’’vk  €   AppInit_DLLsoute? ar, Read-only and Hidden set
$
/D+ find Directories only
/D- files only, no Directories
/D both files and Directories (default)

/D:[start][,end] only Dates in range
/D:date! only one specific date
/D:T only items dated today

/US show dates in US format: Jan 31 1996
/UK show dates in UK format: 31 Jan 1
**File C:\FINDnFIX\NEWWIN.TXT
00001360: 01 00 00 00 01 00 0C 00 . 5F 44 4C 4C 73 6F 75 74 ........ _DLLsout
**File C:\FINDnFIX\NEWWIN.TXT
     !  €  !      #  Ą  #  ?          ?       $ ?    ¼@Å>F®$µ~“:ķ      ¼@Å>F®$µ~“:ķ   ¼@Å>F®$µ~“: Š’’’vk     i DeviceNotSelectedTimeoutš’’’1 5 €  Ų Š’’’vk  €'    GDIProcessHandleQuotamisš’’’9 0  °ŗą’’’vk  €   ~ SpoolerUš’’’y e s eoutą’’’vk  €   utswapdisk Ų  ` ? Č Š’’’vk  P   ceTransmissionRetryTimeoutŠ’’’vk  €'   USERProcessHandleQuota: ą’’’Ų  ` ? Č ų H Ų’’’vk  €   AppInit_DLLsoute?

#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 04 July 2004 - 12:47 PM

Well done :D Nearly there, open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done. Rescan with HJT and post a new log in your next reply.
Posted Image

#7 rkeith

rkeith

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 04 July 2004 - 01:26 PM

Thanks. It seems to be fixed. I would like to know what all just happened. Can you explain it in a nutshell? Also, the e-mail was returned to me and the link in your previous post doesn't work. What's up with that?

#8 rkeith

rkeith

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 04 July 2004 - 01:51 PM

In case I didn't make it clear before. Thank you very much!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button