• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Angelus

Need help with Search for.. 'about:blank'

10 posts in this topic

Hi,

 

Please I need help with the Search for..about:blank' malware that hijacked my browser. I've already tried the AboutBuster that was indicated in the pinned thread but it didn't work. Here's my HijackThis logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 20:56:07, on 17/7/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\svchost.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Guilherme Serpa\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\GUILHE~1\CONFIG~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\GUILHE~1\CONFIG~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cashsearch.biz/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\GUILHE~1\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\GUILHE~1\CONFIG~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\GUILHE~1\CONFIG~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\GUILHE~1\CONFIG~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://cashsearch.biz/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {B4B3D2A0-2D73-475C-B548-5430EDC081F8} - C:\WINDOWS\System32\bin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O12 - Plugin for .mpeg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{82B34639-8430-4FDA-B72B-1008DB96ABF7}: NameServer = 192.168.254.254

 

 

Notice that it still lists the cashsearch.biz malware that infested my cpu a couple of months ago, but I already got it neutralized thanks to following the tips that I had read in a previous thread. I don't have any problems with cashsearch.biz at this point.

Share this post


Link to post
Share on other sites

To anyone other than the originator of this topic: do not use this thread to try to fix your system or anyone elses by copying it - this is not an automatic fix and requires the logs to be properly interpreted.

 

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

Share this post


Link to post
Share on other sites

Hello Daemon,

 

 

When I try to extract the file into the FindFix folder it's giving me the message "An error prevents this program from continuing: Could not read SFX info. It's likely corrupt."

 

What must I do now?

Share this post


Link to post
Share on other sites

Done it, Daemon. Here's all the content of the logfile:

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [versÆo 5.1.2600]

»»»IE build and last SP(s)

6.0.2600.0000

O tipo do sistema de arquivos ‚ NTFS.

C: nÆo est  sujo.

 

Sun 18 Jul 04 20:49:52

8:49pm up 0 days, 12:06

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

*For *Helpers/Mods and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/16)»»»»»»»»»»»»»»»»

 

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\SQLP.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQLP.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

SQLP.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

sqlp.dll Tue 13 Jul 2004 21:09:10 A...R 57.344 56,00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57.344 bytes 56,00 K

 

unknown/hidden files...

 

C:\WINDOWS\SYSTEM32\

ln32k.dll Sun 20 Jun 2004 8:04:26 A..H. 17 0,02 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 17 bytes 0,02 K

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\LN32K.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\SQLP.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... SQLP.DLL .....57344 13.07.2004

 

»»»»»(*6*)»»»»»

fgrep: can't open input C:\WINDOWS\SYSTEM32\SQLP.DLL

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

sqlp.dll Tue 13 Jul 2004 21:09:10 A...R 57.344 56,00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57.344 bytes 56,00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\SQLP.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Usu rios

(ID-IO) ALLOW Read BUILTIN\Usu rios

(ID-NI) ALLOW Full access BUILTIN\Administradores

(ID-IO) ALLOW Full access BUILTIN\Administradores

(ID-NI) ALLOW Full access AUTORIDADE NT\SYSTEM

(ID-IO) ALLOW Full access AUTORIDADE NT\SYSTEM

(ID-IO) ALLOW Full access PROPRIETµRIO CRIADOR

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Usu rios

Full access BUILTIN\Administradores

Full access AUTORIDADE NT\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group GUILHERME\Nenhum.

User is a member of group \Todos.

User is a member of group BUILTIN\Administradores.

User is a member of group BUILTIN\Usuários.

User is a member of group \LOCAL.

User is a member of group AUTORIDADE NT\INTERATIVO.

User is a member of group AUTORIDADE NT\Usuários autenticados.

 

 

»»»»»»Backups created...»»»»»»

8:53pm up 0 days, 12:09

Sun 18 Jul 04 20:53:21

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-18-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-18-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Sun 18 Jul 2004 20:49:44 .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: vk : f AppInit_DLLs G

00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ s q l p . d l l

000011D0: h vk UDeviceNotSelectedTimeout 1 5

00001210: ( W 9 0 h vk ' zGDIProcessHandle

00001250:Quota" vk x Spooler2 y e s h

00001290: ( X vk =pswapdisk vk

000012D0: R TransmissionRetryTimeout h ( X

00001310: vk ' USERProcessHandleQuota

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

--------------

--------------

$01180: AppInit_DLLs

$011EF: UDeviceNotSelectedTimeout

$0123F: zGDIProcessHandleQuota

$012D8: TransmissionRetryTimeout

$01328: USERProcessHandleQuota

--------------

--------------

C:\WINDOWS\System32\sqlp.dll

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : "C:\WINDOWS\System32\sqlp.dll"

0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.

0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.

0020 6d 00 33 00 32 00 5c 00 73 00 71 00 6c 00 70 00 | m.3.2.\.s.q.l.p.

0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...

 

 

Waiting for your instructions..

Share this post


Link to post
Share on other sites

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the SQLP.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

 

Select C:\Findnfix\junkxxx as destination. Move the file.

 

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log2.txt - post it's contents in your next reply.

Share this post


Link to post
Share on other sites

Here's the content of the log2.txt file. FYI I'm still with the about:blank hijack problem. Is it normal?

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Mon 19 Jul 04 18:35:56

6:35pm up 0 days, 0:03

 

Microsoft Windows XP [versÆo 5.1.2600]

»»»IE build and last SP(s)

6.0.2600.0000

O tipo do sistema de arquivos ‚ NTFS.

C: nÆo est  sujo.

 

»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or the right file was selected.

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

Unknown/hidden files...

 

C:\WINDOWS\SYSTEM32\

ln32k.dll Sun 20 Jun 2004 8:04:26 A..H. 17 0,02 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 17 bytes 0,02 K

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\LN32K.DLL

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

* result\\?\C:\FINDnFIX\junkxxx\SQLP.222

 

 

C:\FINDNFIX\JUNKXXX\

sqlp.222 Tue 13 Jul 2004 21:09:10 A.... 57.344 56,00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57.344 bytes 56,00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\SQLP.222

 

**File C:\FINDNFIX\JUNKXXX\SQLP.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- SQLP .222 0000E000 21:09.10 13/07/2004

 

--a-- W32i - - - - 57,344 07-13-2004 sqlp.222

A C:\FINDnFIX\junkxxx\sqlp.222

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

SQLP.222 57344 07-13-104 21:09 c185b36f9969d3a6d2122ba7cbc02249

File: <C:\FINDnFIX\junkxxx\sqlp.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\sqlp.222 BUILTIN\Administradores:F

AUTORIDADE NT\SYSTEM:F

GUILHERME\Guilherme Serpa:F

BUILTIN\Usuários:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administradores

Allow 00000003 tco- 001F01FF ---- DSPO rw+x AUTORIDADE NT\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x GUILHERME\Guilherme Serpa

Allow 0000000B -co- 10000000 ---A ---- ---- \PROPRIETÁRIO CRIADOR

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Usuários

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Usuários

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Usuários

 

Owner: GUILHERME\Guilherme Serpa

 

Primary Group: GUILHERME\Nenhum

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administradores

Allow 00000003 tco- 001F01FF ---- DSPO rw+x AUTORIDADE NT\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x GUILHERME\Guilherme Serpa

Allow 0000000B -co- 10000000 ---A ---- ---- \PROPRIETÁRIO CRIADOR

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Usuários

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Usuários

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Usuários

 

Owner: GUILHERME\Guilherme Serpa

 

Primary Group: GUILHERME\Nenhum

 

File "C:\FINDnFIX\junkxxx\sqlp.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administradores

Allow 00000010 t--- 001F01FF ---- DSPO rw+x AUTORIDADE NT\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x GUILHERME\Guilherme Serpa

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Usuários

 

Owner: GUILHERME\Guilherme Serpa

 

Primary Group: GUILHERME\Nenhum

 

C:\FINDnFIX\junkxxx\sqlp.222;BUILTIN\Administradores:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlp.222;AUTORIDADE NT\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlp.222;GUILHERME\Guilherme Serpa:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\sqlp.222;BUILTIN\Usu rios:RrRaRepX

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Usu rios

(ID-IO) ALLOW Read BUILTIN\Usu rios

(ID-NI) ALLOW Full access BUILTIN\Administradores

(ID-IO) ALLOW Full access BUILTIN\Administradores

(ID-NI) ALLOW Full access AUTORIDADE NT\SYSTEM

(ID-IO) ALLOW Full access AUTORIDADE NT\SYSTEM

(ID-IO) ALLOW Full access PROPRIETµRIO CRIADOR

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Usu rios

Full access BUILTIN\Administradores

Full access AUTORIDADE NT\SYSTEM

 

 

 

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 ( W h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 h vk Spooler2

00001210: y e s vk =pswapdisk h

00001250: X vk R TransmissionRetryTimeout vk

00001290: ' USERProcessHandleQuota h X

000012D0: vk f AppInit_DLLs G

00001310:

00001350:

00001390: d , l x \

000013D0:y L z < 8 (

00001410:

00001450:

00001490: < < < < < < .

000014D0:

00001510:

00001550:

 

---------- NEWWIN.TXT

fùAppInit_DLLsÖ?æG

--------------

--------------

$0117F: UDeviceNotSelectedTimeout

$011C7: zGDIProcessHandleQuota

$01270: TransmissionRetryTimeout

$012A0: USERProcessHandleQuota

$012F0: AppInit_DLLs

--------------

--------------

C:\FINDnFIX\Files2\xcacls.exe

 

d.... 0 Jul 18 20:49 .

d.... 0 Jul 18 20:49 ..

....a 57344 Jul 13 21:09 sqlp.222

 

3 files found occupying 55296 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

SQLP.222 : crc16=3138 crc32=D5C9FB2E

 

-------- C:\FINDNFIX\JUNKXXX\SQLP.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2

===============================================================================

57,344 bytes 477,867 cps

Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.12

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-18-:4 20:49|SQLP 222 57344 A 07-13-:4 21:09

.. <dir> 07-18-:4 20:49|

---------------------------------------+---------------------------------------

3 files totaling 57344 bytes consuming 65024 bytes of disk space.

6288896 bytes available on Drive C: No volume label

Share this post


Link to post
Share on other sites

Yes, we've not quite finished - open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

 

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done. Rescan with HJT and post a new log in your next reply.

Share this post


Link to post
Share on other sites

Seems to be pretty well now. Thanks Daemon. I know we're in good hands now.

 

Here's the latest HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 00:27:51, on 21/7/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Outlook Express\msimn.exe

C:\Documents and Settings\Guilherme Serpa\Desktop\HijackThis.exe

C:\WINDOWS\svchost.exe

 

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O12 - Plugin for .mpeg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{82B34639-8430-4FDA-B72B-1008DB96ABF7}: NameServer = 192.168.254.254

Share this post


Link to post
Share on other sites

Well done, that's a clean log. Click here to make sure that you have the latest Critical Update patches for Windows. It's very important to keep your system up to date to avoid unnecessary security risks.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0