about:blank SearchFor sp.html variant


7 replies to this topic

#1 Hikari

    Member

  • Full Member
  • 10 posts

Posted 07 July 2004 - 06:20 AM

Hi guys, a friend got this virus and I'm trying to remove it.

First I installed Spybot and Spy Sweeper to run all the time, plus Ad-aware and Symantec online antivirus.

I also tried to install Spyware Blaster and GetRight 5.02, but they didn't run; a message said it could be a bad block or a virus. Now the same Spyware Blaster I installed worked. :huh:

Here is the initial HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 17:07:18, on 29/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\FoldingHome\srvany.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\FoldingHome\FAH4Console.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Arquivos de programas\FoldingHome\FahCore_78.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Arquivos de programas\mozilla.org\Mozilla\mozilla.exe
D:\HijackThis.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FE1D6DE8-E383-4FB3-B53E-82C030AE3870} - C:\WINDOWS\System32\efccp.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [MSConfig] D:\msconfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [SpyKiller] C:\Arquivos de programas\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ICQ NetDetect Agent.lnk = C:\Arquivos de programas\ICQ\NDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gu...ts/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140



I deleted C:\WINDOWS\System32\efccp.dll, but some hours later the virus was back.

Today I ran these programs: CWShredder, sphjfix, FindnFix and AboutBuster. All the programs were run in Safe Mode. After that, I entered normal mode, connected to the internet, opened IE a few times and ran FindnFix and HijackThis again.

Here are the logs:



»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)


»»Dumping Values........


  »»Security settings for 'Windows' key:

»»Member of...: (Admin logon required!)

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...


»»Notepad check....

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)


»»»»»»Backups created...»»»»»»
ter 06/07/2004

Arquivo não encontrado  - win*.hiv
Caminho não encontrado - C:\WINDOWS\system32\keys1

»»Performing string scan....
--------------
--------------



Logfile of HijackThis v1.97.7
Scan saved at 16:38:19, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Arquivos de programas\spys\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [SpyKiller] C:\Arquivos de programas\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: ICQ NetDetect Agent.lnk = C:\Arquivos de programas\ICQ\NDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GetRight\GRbrowse.htm
O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gu...ts/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140



Is there anything I still must do? Or is it already clean? :oops: :gasp:

Thanks to all the people who read this big topic, the people who wrote the topics I read, and whoever may help me :deal: :lol: :cool: :D :p
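
An added example, not part of this thread or written by any of its participants: a small Python triage script for the hijack indicators visible in the logs above (IE search/start values pointing at a local file:// URL such as Temp\sp.html, about:blank values, unnamed BHOs loading from System32, and IE policy restriction keys). The sample lines are constructed from entries quoted in this post; the scoring rules are the example's own and not something HijackThis itself does.

```python
"""Flag the about:blank / sp.html hijack indicators in a HijackThis 1.97 log.

Heuristics (this example's own, based on the entries seen in the thread):
  * R0/R1 search or start-page values pointing at a local file:// URL
  * R0/R1 values set to about:blank
  * O2 BHOs listed as "(no name)" that load from the System32 directory
  * O6 Internet Explorer policy keys present
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    level: str   # "high" or "medium"
    entry: str   # HijackThis section prefix, e.g. "R1", "O2"
    detail: str


# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ORQUES~1\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FE1D6DE8-E383-4FB3-B53E-82C030AE3870} - C:\WINDOWS\System32\efccp.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# "R1 - <registry key>,<value name> = <value data>"
R_ENTRY = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_ENTRY = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# "O6 - <policy key> present"
O6_ENTRY = re.compile(r"^O6 - (.+) present$")

SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


def check_r(m):
    section, key, name, value = m.groups()
    v = value.strip().lower()
    if v.startswith("file://"):
        return Finding("high", section, f"{name} ({key}) points at a local file: {value}")
    if v == "about:blank":
        return Finding("medium", section, f"{name} ({key}) is set to about:blank")
    return None


def check_o2(m):
    name, clsid, path = m.groups()
    # Unnamed BHOs are common for legitimate tools too (SDHelper.dll here),
    # so only flag the combination with a System32 load path.
    if name.strip() == "(no name)" and any(d in path.lower() for d in SYSTEM_DIRS):
        return Finding("high", "O2", f"unnamed BHO {clsid} loads from {path}")
    return None


def check_o6(m):
    return Finding("medium", "O6", f"IE policy key present: {m.group(1)}")


CHECKS = ((R_ENTRY, check_r), (O2_ENTRY, check_o2), (O6_ENTRY, check_o6))


def triage(log_text):
    """Return the findings for each matching log line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m is None:
                continue
            finding = check(m)
            if finding is not None:
                findings.append(finding)
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.entry}: {f.detail}")
```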

#2 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 07 July 2004 - 06:29 AM

QUOTE ("FINDnFIX 6/7/2004")

Useless!

Where did you download it from? :scratchhead:
Download again, extract to prefixed path and keep it there.

Your log is empty since the files/tools were moved out of location.
It won't work this way. It has to stay in its default path.

#3 Hikari

    Member

  • Full Member
  • 10 posts

Posted 07 July 2004 - 06:40 AM

hmm ok sorry

I installed/copied it to Program Files because in C: they would delete it when they saw it.
I didn't know it's obligatory for it to stay in C:, sorry.


But how is the HijackThis log?

I'll go there again some day this week, so I'll rerun FINDnFIX and do anything you say is necessary.

If FINDnFIX finds any file and quarantines it, what must I do with it?


Thanks a lot :lol:

#4 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 07 July 2004 - 06:59 AM

QUOTE ("Hikari")

hmm ok sorry

I installed/copied it to Program Files because in C: they would delete it when they saw it.
I didn't know it's obligatory for it to stay in C:, sorry.


But how is the HijackThis log?

I'll go there again some day this week, so I'll rerun FINDnFIX and do anything you say is necessary.

If FINDnFIX finds any file and quarantines it, what must I do with it?


Thanks a lot :lol:

FINDnFIX produces a log only!
It doesn't quarantine anything!

Looks like you have some *personal issues,
whoever *they are, once you sort them out follow the
directions on the screen in the FINDnFIX, and post the log.

It's not advised that you attempt to do anything yourself.


Your hijackthis log is infected but unless you'd manage to
follow instructions I won't be able to help further... :scratchhead:

#5 Hikari

    Member

  • Full Member
  • 10 posts

Posted 07 July 2004 - 07:06 AM

QUOTE ("freeatlast")

Your hijackthis log is infected but unless you'd manage to
follow instructions I won't be able to help further... :scratchhead:

oh :weep:

Sorry again, I'll go there and use FINDnFIX correctly.
Please wait a few days :wave:


EDIT: They are newbies and complain even when a window pops up asking something. They aren't able to follow instructions by phone and wouldn't know how to send me the log. :ugh: :bangbang:

Edited by Hikari, 07 July 2004 - 07:11 AM.


#6 Hikari

    Member

  • Full Member
  • 10 posts

Posted 09 July 2004 - 03:07 PM

Here are the current logs :cool:


Logfile of HijackThis v1.97.7
Scan saved at 17:01:09, on 9/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\FoldingHome\srvany.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Arquivos de programas\FoldingHome\FAH4Console.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\FoldingHome\FahCore_78.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
F:\programas\spy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [SpyKiller] C:\Arquivos de programas\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: ICQ NetDetect Agent.lnk = C:\Arquivos de programas\ICQ\NDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GetRight\GRbrowse.htm
O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gu...ts/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140




»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [versão 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1
O tipo do sistema de arquivos é NTFS.
C: não está sujo.

sex 09/07/2004
  4:56pm  up 0 days,  0:02

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\KBDCE.DLL +++ File read error
\\?\C:\WINDOWS\System32\KBDCE.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
KBDCE.DLL    Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
  kbdce.dll      Sat 12 Jun 2004  22:53:26  A...R        57.344    56,00 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  57.344 bytes    56,00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KBDCE.DLL


»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Æ Access denied ® ..................... KBDCE.DLL    .....57344  12.06.2004 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

  »»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read        BUILTIN\Usuários
(IO)    ALLOW  Read        BUILTIN\Usuários
(NI)    ALLOW  Read        BUILTIN\Usuários avançados
(IO)    ALLOW  Read        BUILTIN\Usuários avançados
(NI)    ALLOW  Full access  BUILTIN\Administradores
(IO)    ALLOW  Full access  BUILTIN\Administradores
(NI)    ALLOW  Full access  AUTORIDADE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORIDADE NT\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administradores
(IO)    ALLOW  Full access  PROPRIETÁRIO CRIADOR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read          BUILTIN\Usuários
Read          BUILTIN\Usuários avançados
Full access    BUILTIN\Administradores
Full access    AUTORIDADE NT\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group ZFU86AA13LWWMYN\Nenhum.
User is a member of group \Todos.
User is a member of group BUILTIN\Administradores.
User is a member of group BUILTIN\Usuários.
User is a member of group \LOCAL.
User is a member of group AUTORIDADE NT\INTERATIVO.
User is a member of group AUTORIDADE NT\Usuários autenticados.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

O serviço especificado não existe como serviço instalado.

[SC] GetServiceDisplayName FAILED 1060:

O serviço especificado não existe como serviço instalado.


»»Notepad check....

C:\WINDOWS\
  notepad.exe    Sun 28 Oct 2001  15:07:10  A....        67.072    65,50 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  67.072 bytes    65,50 K

C:\WINDOWS\SYSTEM32\
  notepad.exe    Sun 28 Oct 2001  15:07:10  A....        67.072    65,50 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  67.072 bytes    65,50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
  notepad.exe    Sun 28 Oct 2001  15:07:10  A....        67.072    65,50 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  67.072 bytes    65,50 K
--a-- W32i APP PTB      5.1.2600.0 shp    67,072 10-28-2001 notepad.exe
Language 0x0416 (Português (Brasil))
CharSet  0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Bloco de notas
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Sistema operacional Microsoft® Windows®
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. Todos os direitos reservados.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags:  00000000
OS:  00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
    Permissions:
        Type    Flags    Inh. Mask    Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow  00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administradores
        Allow  00000003 tco- 001F01FF ---- DSPO rw+x AUTORIDADE NT\SYSTEM
        Allow  00000000 t--- 001F01FF ---- DSPO rw+x ZFU86AA13LWWMYN\Orquestra de Câmara
        Allow  0000000B -co- 10000000 ---A ---- ---- \PROPRIETÁRIO CRIADOR
        Allow  00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Usuários
        Allow  00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Usuários
        Allow  00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Usuários

    Owner: ZFU86AA13LWWMYN\Orquestra de Câmara

    Primary Group: ZFU86AA13LWWMYN\Nenhum



»»»»»»Backups created...»»»»»»
  4:57pm  up 0 days,  0:03
sex 09/07/2004

A          C:\FINDnFIX\winBack.hiv
--a--    -  -  -              -  -      8,192 07-09-2004 winback.hiv
A          C:\FINDnFIX\keys1\winkey.reg
--a--    -  -  -              -  -        287 07-09-2004 winkey.reg

»»Performing string scan....
00001150:                                ?                             
00001190:                                            vk                f
000011D0:AppInit_DLLs  G            vk                UDeviceNotSelecte
00001210:dTimeout    1 5    _      9 0            vk      '        z
00001250:GDIProcessHandleQuota"      vk                  Spooler2    y e
00001290:s    P            8  h          vk                =pswapdisk
000012D0:    vk      (        R TransmissionRetryTimeout            8 
00001310:h                  vk      '          USERProcessHandleQuota 
00001350:                                                               
00001390:                                                               
000013D0:                                                               
00001410:                                                               
00001450:                                                               
00001490:                                                               
000014D0:                                                               
00001510:                                                               
00001550:                                                               

---------- WIN.TXT
fłAppInit_DLLsÖ?ęG
--------------
--------------
yes
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


**File C:\FINDnFIX\WIN.TXT



Is it correct now? :wtf:

#7 Hikari

    Member

  • Full Member
  • 10 posts

Posted 09 July 2004 - 07:00 PM

Please help anyone. Is it clean now?? :techsupport:

#8 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 09 July 2004 - 07:19 PM

The package has been updated since you last posted...
Delete entire FINDnFIX folder(s) from C:\
Download again and post the log.



