"Search For..." malware came back



#1 Hikari

Posted 13 July 2004 - 03:37 PM

Hi guys, unhappily it appeared again :(
I ran the programs again, but I think it's not gone yet.
Could you please check the logs and see if it's still in any place?


tnx a lot :D

Logfile of HijackThis v1.97.7
Scan saved at 17:34:59, on 13/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe
C:\Arquivos de programas\SpywareGuard\sgmain.exe
C:\Arquivos de programas\SpywareGuard\sgbhp.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\FoldingHome\srvany.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Arquivos de programas\FoldingHome\FAH4Console.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Arquivos de programas\FoldingHome\FahCore_78.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\programas\spy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [SpyKiller] C:\Arquivos de programas\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: ICQ NetDetect Agent.lnk = C:\Arquivos de programas\ICQ\NDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GetRight\GRbrowse.htm
O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gu...ts/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140




»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [versÆo 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1
O tipo do sistema de arquivos ‚ NTFS.
C: nÆo est  sujo.

ter 13/07/2004
  5:33pm  up 0 days,  0:03

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/12)»»»»»»»»»»»»»»»»

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\KBDCE.DLL +++ File read error
\\?\C:\WINDOWS\System32\KBDCE.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
KBDCE.DLL    Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
  kbdce.dll      Sat 12 Jun 2004  22:53:26  A...R        57.344    56,00 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  57.344 bytes    56,00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KBDCE.DLL

»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... KBDCE.DLL    .....57344  12.06.2004 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINDOWS\SYSTEM32\
  kbdce.dll      Sat 12 Jun 2004  22:53:26  A...R        57.344    56,00 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  57.344 bytes    56,00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KBDCE.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

  »»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read        BUILTIN\Usu rios
(IO)    ALLOW  Read        BUILTIN\Usu rios
(NI)    ALLOW  Read        BUILTIN\Usu rios avan‡ados
(IO)    ALLOW  Read        BUILTIN\Usu rios avan‡ados
(NI)    ALLOW  Full access  BUILTIN\Administradores
(IO)    ALLOW  Full access  BUILTIN\Administradores
(NI)    ALLOW  Full access  AUTORIDADE NT\SYSTEM
(IO)    ALLOW  Full access  AUTORIDADE NT\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administradores
(IO)    ALLOW  Full access  PROPRIETµRIO CRIADOR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read          BUILTIN\Usu rios
Read          BUILTIN\Usu rios avan‡ados
Full access    BUILTIN\Administradores
Full access    AUTORIDADE NT\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group ZFU86AA13LWWMYN\Nenhum.
User is a member of group \Todos.
User is a member of group BUILTIN\Administradores.
User is a member of group BUILTIN\Usuários.
User is a member of group \LOCAL.
User is a member of group AUTORIDADE NT\INTERATIVO.
User is a member of group AUTORIDADE NT\Usuários autenticados.


»»»»»»Backups created...»»»»»»
  5:34pm  up 0 days,  0:04
ter 13/07/2004

A          C:\FINDnFIX\keyback.hiv
--a--    -  -  -              -  -      8,192 07-13-2004 keyback.hiv
A          C:\FINDnFIX\keys1\winkey.reg
--a--    -  -  -              -  -        287 07-13-2004 winkey.reg

C:\FINDNFIX\
  JUNKXXX        Tue 13 Jul 2004  17:33:16  .D...        <Dir>

1 item found:  0 files, 1 directory.

»»Performing string scan....

---------- WIN.TXT
fùAppInit_DLLsÖ?æG
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
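The two findings the FINDnFIX log flags above (the 'Windows' key size of 448 matching its "fake(infected)" legend, and an AppInit_DLLs value reported as "MISSING TRAILING NULL CHARACTER") can be checked programmatically. The following is an added example, not code from the thread or from FINDnFIX/HijackThis; the key-size legend is taken from the log itself, the raw REG_SZ byte strings are constructed, and the helper models how a C-string consumer reads a REG_SZ only up to its first NUL, so that anything stored after an early NUL is invisible in regedit-style listings:

```python
import re

# Key-size legend as printed by the FINDnFIX log (assumption: taken from that legend only).
EXPECTED_KEY_SIZES = {450: "default", 398: "no AppInit_DLLs value"}
SUSPECT_KEY_SIZES = {448, 504, 512}


def classify_windows_key_size(size: int) -> str:
    """Compare the reported size of HKLM\\...\\CurrentVersion\\Windows with known values."""
    if size in EXPECTED_KEY_SIZES:
        return "ok: " + EXPECTED_KEY_SIZES[size]
    if size in SUSPECT_KEY_SIZES:
        return "suspect: size matches a known tampered key"
    return "unknown: verify the key by hand"


def parse_key_size_line(line: str):
    """Extract (key path, size) from a 'Size of <key>: <n>' line; None if no match."""
    m = re.search(r"Size of (HKEY_LOCAL_MACHINE\\[^:]+): (\d+)", line)
    return (m.group(1), int(m.group(2))) if m else None


def inspect_reg_sz(raw: bytes):
    """Inspect raw UTF-16LE REG_SZ bytes as read from the hive.

    Returns (visible_text, properly_terminated, hidden_text):
    - visible_text: what a tool stopping at the first NUL would display
    - properly_terminated: True only when the data is exactly text + one NUL
    - hidden_text: any content stored after that first NUL (trailing NULs stripped)
    """
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be an even number of bytes")
    units = [raw[i:i + 2] for i in range(0, len(raw), 2)]
    if b"\x00\x00" not in units:
        # No terminator at all: the string runs to the end of the data.
        return raw.decode("utf-16-le", "replace"), False, ""
    first_nul = units.index(b"\x00\x00")
    visible = b"".join(units[:first_nul]).decode("utf-16-le", "replace")
    hidden = b"".join(units[first_nul + 1:]).decode("utf-16-le", "replace").strip("\x00")
    return visible, first_nul == len(units) - 1, hidden


# Constructed samples: a clean empty value and a value that hides a DLL name behind an early NUL.
CLEAN_APPINIT = b"\x00\x00"
HIDDEN_APPINIT = b"\x00\x00" + "kbdce.dll".encode("utf-16-le")
```
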



#2 Hikari

Posted 14 July 2004 - 09:22 AM

plz help anyone :wave: :whistle:



