Hikari

"Search For..." malware came back

2 posts in this topic

Hi guys, unhappily it appeared again :(

I ran the programs again, but I think it's not gone yet.

Could you please check the logs and see if it's still in any place?

tnx a lot :D

Logfile of HijackThis v1.97.7

Scan saved at 17:34:59, on 13/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\Arquivos de programas\SpywareGuard\sgmain.exe

C:\Arquivos de programas\SpywareGuard\sgbhp.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

C:\Arquivos de programas\FoldingHome\srvany.exe

C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\GhostStartService.exe

C:\Arquivos de programas\FoldingHome\FAH4Console.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\ARQUIV~1\NORTON~1\NORTON~2\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\ARQUIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

C:\Arquivos de programas\FoldingHome\FahCore_78.exe

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

F:\programas\spy\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AcctMgr] C:\Arquivos de programas\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}

O4 - HKCU\..\Run: [spyKiller] C:\Arquivos de programas\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [spySweeper] C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Startup: ICQ NetDetect Agent.lnk = C:\Arquivos de programas\ICQ\NDetect.exe

O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GetRight\GRbrowse.htm

O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GetRight\GRdownload.htm

O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gulbenkian.pt/template/fonts/clearadj.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140

O17 - HKLM\System\CS1\Services\Tcpip\..\{15B7EAE0-2067-427D-A8AB-17E15CC52FC7}: NameServer = 200.165.132.147 200.149.55.140

 

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [versão 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1

O tipo do sistema de arquivos é NTFS.

C: não está sujo.

 

ter 13/07/2004

  5:33pm  up 0 days,  0:03

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

*For *Helpers/Mods and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/12)»»»»»»»»»»»»»»»»

 

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\KBDCE.DLL +++ File read error

\\?\C:\WINDOWS\System32\KBDCE.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

KBDCE.DLL    Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

  kbdce.dll      Sat 12 Jun 2004  22:53:26  A...R        57.344    56,00 K

 

1 item found:  1 file, 0 directories.

  Total of file sizes:  57.344 bytes    56,00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\KBDCE.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... KBDCE.DLL    .....57344  12.06.2004 

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

  kbdce.dll      Sat 12 Jun 2004  22:53:26  A...R        57.344    56,00 K

 

1 item found:  1 file, 0 directories.

  Total of file sizes:  57.344 bytes    56,00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\KBDCE.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

    DeviceNotSelectedTimeout = 15

    GDIProcessHandleQuota = REG_DWORD 0x00002710

    Spooler = yes

    swapdisk =

    TransmissionRetryTimeout = 90

    USERProcessHandleQuota = REG_DWORD 0x00002710

 

  »»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI)    ALLOW  Read        BUILTIN\Usuários

(IO)    ALLOW  Read        BUILTIN\Usuários

(NI)    ALLOW  Read        BUILTIN\Usuários avançados

(IO)    ALLOW  Read        BUILTIN\Usuários avançados

(NI)    ALLOW  Full access  BUILTIN\Administradores

(IO)    ALLOW  Full access  BUILTIN\Administradores

(NI)    ALLOW  Full access  AUTORIDADE NT\SYSTEM

(IO)    ALLOW  Full access  AUTORIDADE NT\SYSTEM

(NI)    ALLOW  Full access  BUILTIN\Administradores

(IO)    ALLOW  Full access  PROPRIETÁRIO CRIADOR

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read          BUILTIN\Usuários

Read          BUILTIN\Usuários avançados

Full access    BUILTIN\Administradores

Full access    AUTORIDADE NT\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group ZFU86AA13LWWMYN\Nenhum.

User is a member of group \Todos.

User is a member of group BUILTIN\Administradores.

User is a member of group BUILTIN\Usuários.

User is a member of group \LOCAL.

User is a member of group AUTORIDADE NT\INTERATIVO.

User is a member of group AUTORIDADE NT\Usuários autenticados.

 

 

»»»»»»Backups created...»»»»»»

  5:34pm  up 0 days,  0:04

ter 13/07/2004

 

A          C:\FINDnFIX\keyback.hiv

--a--    -  -  -              -  -      8,192 07-13-2004 keyback.hiv

A          C:\FINDnFIX\keys1\winkey.reg

--a--    -  -  -              -  -        287 07-13-2004 winkey.reg

 

C:\FINDNFIX\

  JUNKXXX        Tue 13 Jul 2004  17:33:16  .D...        <Dir>

 

1 item found:  0 files, 1 directory.

 

»»Performing string scan....


 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG

--------------

--------------

No strings found.

 

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710
