Jump to content


Photo

Hijacking Issues


  • Please log in to reply
11 replies to this topic

#1 TomC

TomC

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 07 July 2004 - 02:57 PM

Ran Spybot & Hi Jack this several times & followed FAQ guidance for various removals. Worked great the first time, but came back as bad as before.
HJT log below; have Start up list if required.

Assistance will be greatly appreciated!!


Logfile of HijackThis v1.97.7
Scan saved at 11:39:27 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\gearsec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\av.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Documents and Settings\TomC\Application Data\ttuh.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\TomC\Local Settings\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\msje\msje32.dll (file missing)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6FF91622-9815-5ECF-D322-67557CA32E3E} - C:\WINDOWS\System32\mxvyeisg.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll
O2 - BHO: (no name) - {DA597E28-453A-4A7B-804F-B6375206688D} - C:\WINDOWS\System32\jpk.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msje\mssearch.dll (file missing)
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\sysxw\msiesh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\av.exe /u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TomC\Application Data\ttuh.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\TomC\Application Data\DownloadPlus.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 07 July 2004 - 03:07 PM

TomC , we┤re working in your log

#3 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 07 July 2004 - 05:51 PM

Hello TomC ,Welcome to SWI.
Print out these instructions so you can read them while you clean your system.
Move Hijack This out of the Temp folder.Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Move hijack this there. Hijack this makes backups of everything you fix, these backups are saved in the same folder the program is.


Download CWShredder install, run and click fix.

Run either of these free online virus scans.Then Download, install and run Tojan Hunter (Trial)
Now close all open windows AND browsers and check these items for HJT to fix(a fair amount of these are likely to be gone because of CWShredder):

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\msje\msje32.dll (file missing)
O2 - BHO: (no name) - {6FF91622-9815-5ECF-D322-67557CA32E3E} - C:\WINDOWS\System32\mxvyeisg.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll
O2 - BHO: (no name) - {DA597E28-453A-4A7B-804F-B6375206688D} - C:\WINDOWS\System32\jpk.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msje\mssearch.dll (file missing)
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\sysxw\msiesh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\av.exe /u
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TomC\Application Data\ttuh.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\TomC\Application Data\DownloadPlus.exe


O9 - Extra button: Sidesearch (HKLM)
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab


This is a optional fix but is very close to be a spyware, is a registration reminder that you don┤t need:
O4 - Startup: PowerReg Scheduler V3.exe
this is an optional fix too but I recommend you strongly to fix it:
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

Please reboot into safe mode - How do I boot into "Safe" mode?
Go to Add/Remove Programs in the Control Panel and uninstall
Power Scan
Internet optimizer
if listed.

Delete the folders:

C:\Program Files\Internet Optimizer
C:\Program Files\Power Scan
C:\Program Files\Lycos
C:\WINDOWS\msje
C:\WINDOWS\sysxw

Delete the files:

C:\av.exe
C:\WINDOWS\image.dll
C:\WINDOWS\System32\inetdctr.dll
C:\WINDOWS\System32\mxvyeisg.dll
C:\WINDOWS\System32\msmk.dll
C:\WINDOWS\System32\jpk.dll
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\System32\idctup20.exe
C:\Documents and Settings\TomC\Application Data\ttuh.exe
C:\Documents and Settings\TomC\Application Data\DownloadPlus.exe

You may need to show hidden files to delete them.How to show all hidden and system files

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.



This is important
I need you to set your computer clock ahead a day or two and reboot...

enable system restore and post a new Hijack this log please.
You can set the clock back to normal after the test...

Edited by mmxx66, 07 July 2004 - 06:37 PM.


#4 TomC

TomC

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 08 July 2004 - 08:43 AM

Hello TomC ,Welcome to SWI.
Print out these instructions so you can read them while you clean your system.
Move Hijack This out of the Temp folder.Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Move hijack this there. Hijack this makes backups of everything you fix, these backups are saved in the same folder the program is.


Download CWShredder install, run and click fix.

Run either of these free online virus scans.

Then Download, install and run Tojan Hunter (Trial)
Now close all open windows AND browsers and check these items for HJT to fix(a fair amount of these are likely to be gone because of CWShredder):

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\msje\msje32.dll (file missing)
O2 - BHO: (no name) - {6FF91622-9815-5ECF-D322-67557CA32E3E} - C:\WINDOWS\System32\mxvyeisg.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll
O2 - BHO: (no name) - {DA597E28-453A-4A7B-804F-B6375206688D} - C:\WINDOWS\System32\jpk.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msje\mssearch.dll (file missing)
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\sysxw\msiesh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\av.exe /u
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TomC\Application Data\ttuh.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\TomC\Application Data\DownloadPlus.exe


O9 - Extra button: Sidesearch (HKLM)
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab


This is a optional fix but is very close to be a spyware, is a registration reminder that you don┤t need:
O4 - Startup: PowerReg Scheduler V3.exe
this is an optional fix too but I recommend you strongly to fix it:
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

Please reboot into safe mode - How do I boot into "Safe" mode?
Go to Add/Remove Programs in the Control Panel and uninstall
Power Scan
Internet optimizer
if listed.

Delete the folders:

C:\Program Files\Internet Optimizer
C:\Program Files\Power Scan
C:\Program Files\Lycos
C:\WINDOWS\msje
C:\WINDOWS\sysxw

Delete the files:

C:\av.exe
C:\WINDOWS\image.dll
C:\WINDOWS\System32\inetdctr.dll
C:\WINDOWS\System32\mxvyeisg.dll
C:\WINDOWS\System32\msmk.dll
C:\WINDOWS\System32\jpk.dll
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\System32\idctup20.exe
C:\Documents and Settings\TomC\Application Data\ttuh.exe
C:\Documents and Settings\TomC\Application Data\DownloadPlus.exe

You may need to show hidden files to delete them.How to show all hidden and system files

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.



This is important
I need you to set your computer clock ahead a day or two and reboot...

enable system restore and post a new Hijack this log please.
You can set the clock back to normal after the test...

Thanks! Will try to get all recommendations completed tonight & reply asap.

#5 TomC

TomC

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 09 July 2004 - 10:17 AM

Hello,
Followed all the instructions except:
1. Inadvertantly skipped the step to run TrendMicro or Pandasoftware, and
2. A few of the files listed in the "Delete the files" section weren't there to delete; did have all hidden files shown.

Results: Awesome! Everything running much faster and cleaner, able to access all websites, no pop-ups or new start pages, etc. On the downside, left the cable modem plugged in overnight & tried again this morning and had the home page hijacking issue again & pop-ups, but still able to reach all websites, including spywareinfo.

Question: After get this machine cleaned, plan to switch to Mozilla, replace just-expired McAffee viris s/w with Symantec bundle got on sale & install a firewall. Also, plan to buy some gear to support this site. First time I've used anthing like this and am amazed at the help being provided. Any advice on this plan?

Thanks!

Latest HJT report below:



Logfile of HijackThis v1.97.7
Scan saved at 8:38:53 AM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\gearsec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\rxhneu.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TomC\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TomC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TomC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TomC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TomC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TomC\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TomC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33F84227-C146-5ECD-D224-67557CA32968} - C:\WINDOWS\System32\nwnihzc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {DE61D988-34F0-4125-9BEC-0633B10FB354} - C:\WINDOWS\System32\kafff.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Vlfe] C:\WINDOWS\System32\rxhneu.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)

#6 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 10 July 2004 - 12:44 PM

I use Mozilla Firefox, it┤s very good. Very good the steps you┤re going to follow, Agree with the firewall and the Simantec stuff.

Your log still needs serious attention. Wait a moment

Did you make the computer clock test?

Edited by mmxx66, 10 July 2004 - 01:39 PM.


#7 TomC

TomC

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 10 July 2004 - 02:28 PM

Yes, set the clock a few days ahead before rebooting; haven't set it back yet.

#8 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 10 July 2004 - 02:44 PM

Click here to download FindnFix.exe by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

Sorry, but you should set the time back before running FindnFix.

Edited by mmxx66, 10 July 2004 - 04:06 PM.


#9 TomC

TomC

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 July 2004 - 09:54 AM

Set the time back and ran FindNfix; log below:

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Read this first! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Due to errors on various message boards I made some changes.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
If you make a mistake or use the wrong guidance, it is completely
your responsibility and the helper that assists you.
If you are not sure about the nature of the file or how
to proceed, I suggest you research it first before attempting
to remove any *unknown file on your own.
*For Helpers and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894
The type of the file system is NTFS.
C: is not dirty.

Sat 07/10/2004
11:51pm up 1 day, 23:32

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*modified 7/8)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\D3DEEMF.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DEEMF.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
D3DEEMF.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
d3deemf.dll Tue May 4 2004 11:14:02p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\D3DEEMF.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... D3DEEMF.DLL .....57344 04.05.2004

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINDOWS\SYSTEM32\
d3deemf.dll Tue May 4 2004 11:14:02p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\D3DEEMF.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group COMPUTER1\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗ Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


╗╗Notepad check....

C:\WINDOWS\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
11:52pm up 1 day, 23:33
Sat 07/10/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-10-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-10-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Sat Jul 10 2004 11:51:48p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: 0 vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk @ - AppInit_DLLso a C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ d 3 d e e m f . d l l S
00001350:`{f E P/} 4 K0 U 0 0 * H
00001390: _9)( 4 lOo d pJO `( I } =6 Q 1* w .l ? M
000013D0: j*-x o+ D P L$ Z G^I 7 : ) G : <w Fc S !
00001410: ~I K gY/ , B|5  1:NcC9 a4 C4 ); VX w >
00001450:TE 1e kX q R 2 @` y$ l f DO. { k,v F x
00001490: HU vk T o ThreadingModelm B o t h
000014D0: nk C @ V T b
00001510: \ 1 0 & {C1C0FE00-F3C2-11D0-91D4-444553540000} C vk
00001550:\ `U wt I n d e o v i d e o 5 . 1 0 A b o u
00001590:t E n c o d e r P r o p e r t y P a g e nk C
000015D0: T V b

---------- WIN.TXT
AppInit_DLLso
--------------
--------------
C:\WINDOWS\System32\d3deemf.dll
video 5.10 About Encoder Property Page
ir50_32.dll
Indeo Video ® 5.1 Progressive Download Source
CertPlus Class 3TS Primary CA
ivfsrc.ax
Indeo Video ® 5.1 Progressive Download Source About
ivfsrc.ax
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\d3deemf.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 64 00 33 00 64 00 65 00 | m.3.2.\.d.3.d.e.
0030 65 00 6d 00 66 00 2e 00 64 00 6c 00 6c 00 00 00 | e.m.f...d.l.l...


#10 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 11 July 2004 - 02:09 PM

This will take couple or more steps to fix.
Be sure to Follow the next set of steps carefully, in
the exact order specified:

1.)
*Get ready to restart your computer.
- Open the FINDnFIX\Keys1\ Subfolder And
DoubleClick on the "FIX.bat" file.
-You will get a prompt preparing for auto-restart in 15 seconds.
-Let it restart!
--------------------------------------------------------------------------
2.)
On restart, Go to Start/Search, and find:
D3DEEMF.DLL (Should be in System32 folder)
-When found, select the "D3DEEMF.DLL" file And use the folder's top menu:
edit>......move to folder>... (From the search results)
Scroll and Select the following path as destination:
-> C:\ -> FINDnFIX... -> Click once to expand, and select the
->...junkxxx Subfolder as final destination, and move
the "D3DEEMF.DLL" into that Subfolder.(C:\FINDnFIX\junkxxx)
(you might get a prompt about 'read-only' file -Simply 'ok' it!)
--------------------------------------------------------------
3.)
When done, Open the C:\FINDnFIX main folder and
Run the -> "RESTORE.bat" file ,
It will run and generate new log (log1.txt)
Post it here.

#11 TomC

TomC

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 July 2004 - 04:47 PM

New log below. Any brief comments on what we're doing here would be appreciated!


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Sun 07/11/2004
5:26pm up 0 days, 0:04

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q837009-Q832894
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG1!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.
Unknown/hidden files...

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

╗╗╗╗╗╗╗ Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

* result\\?\C:\FINDnFIX\junkxxx\D3DEEMF.222


C:\FINDNFIX\JUNKXXX\
d3deemf.222 Tue May 4 2004 11:14:02p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\D3DEEMF.222

**File C:\FINDNFIX\JUNKXXX\D3DEEMF.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- D3DEEMF .222 0000E000 23:14.02 04/05/2004

--a-- W32i - - - - 57,344 05-04-2004 d3deemf.222
A C:\FINDnFIX\junkxxx\d3deemf.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
D3DEEMF.222 57344 05-04-104 23:14 c185b36f9969d3a6d2122ba7cbc02249File: <C:\FINDnFIX\junkxxx\d3deemf.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




╗╗Permissions:
C:\FINDnFIX\junkxxx\d3deemf.222 BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
COMPUTER1\TomC:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x COMPUTER1\TomC
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000009 --o- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: COMPUTER1\TomC

Primary Group: COMPUTER1\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x COMPUTER1\TomC
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: COMPUTER1\TomC

Primary Group: COMPUTER1\None

File "C:\FINDnFIX\junkxxx\d3deemf.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x COMPUTER1\TomC
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: COMPUTER1\TomC

Primary Group: COMPUTER1\None


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



╗╗Notepad check....

C:\WINDOWS\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Thu Aug 29 2002 7:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

00001150: 8n vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk y AppInit_DLLs
00001310:
00001350:
00001390:
000013D0:  : [
00001410:hl? hl?
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLs    
--------------
--------------
--------------
No strings found.

#12 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 12 July 2004 - 08:28 AM

Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will create a zipped copy of the bad file(s) in the same
folder (named as-- junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to Email!! Thanks!


When done, restart your computer and
Delete and entire 'FINDnFIX' file+Subfolder(s)
From C:\

As for the remains, run any and all
removal tools once again as they should work properly now!
In particular,
CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done!

Edited by mmxx66, 12 July 2004 - 08:33 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button