rp535

Hijack this log help

33 posts in this topic

Logfile of HijackThis v1.97.7

Scan saved at 10:42:30 AM, on 7/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Evidence Eliminator\ee.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINDOWS\System32\hpoipm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WinZip\winzip32.exe

C:\unzipped\hijackthis1977[1]\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.r5.attbi.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {8764CA45-2269-4396-A4CC-F150F6956858} - C:\WINDOWS\System32\iechpga.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

O4 - HKLM\..\Run: [spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe

O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe

O4 - HKCU\..\Run: [usrr] C:\Documents and Settings\User\Application Data\rncr.exe

O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\ZeroSpyware Lite.exe" -STARTUP

O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" -STARTUP

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE

O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/142dcd43068581a07205/netzip/RdxIE2.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7584.8022916667

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

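A log this long is easier to work through with a first automated pass. The following Python script is an added example for this thread, not HijackThis or FindnFix code: it parses a handful of lines copied from the log above and flags the three things a helper looks at first, IE search settings pointing at a local `file://` page, registered components whose file is gone (`(no file)`), and Run entries launching from user-writable folders such as Temp or Application Data. Which folders count as user-writable is this example's own assumption.

```python
"""First-pass triage of HijackThis log lines.

Added example for this thread; not part of HijackThis or FindnFix. The sample
lines are copied from the log posted above. Which folders count as
"user-writable" is this example's own assumption, not a HijackThis rule."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: eight lines copied from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {8764CA45-2269-4396-A4CC-F150F6956858} - C:\WINDOWS\System32\iechpga.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe
O4 - HKCU\..\Run: [usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe
"""

# R0-R3: Internet Explorer start/search settings, "<key> = <value>".
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
# O4: autostart entries, "O4 - HKLM\..\Run: [name] <command line>".
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# HijackThis prints this when a registered component's file is gone.
NO_FILE = "(no file)"
# Folders a non-admin user can write to. Legitimate software rarely
# autostarts from them; the two malicious Run entries in the log above do.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "R1" or "O4"
    reason: str
    line: str


def first_path(command: str) -> str:
    """Return the program path from an O4 command line.

    A quoted path ("C:\\Program Files\\x.exe" -flag) is returned without the
    quotes; an unquoted one is cut at the first " /" or " -" switch."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" /", 1)[0].split(" -", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means nothing stood out."""
    line = line.rstrip()
    section = line.split(" ", 1)[0]
    if line.endswith(NO_FILE):
        return Finding(section, "entry points at a file that no longer exists", line)
    m = R_LINE.match(line)
    if m:
        if m.group("value").lower().startswith("file://"):
            return Finding(section, "IE search setting redirected to a local file", line)
        return None
    m = O4_LINE.match(line)
    if m:
        path = first_path(m.group("command")).lower()
        for fragment in USER_WRITABLE:
            if fragment in path:
                label = fragment.strip("\\")
                return Finding(section, f"autostart runs from user-writable folder: {label}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line, preserving log order."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            f = triage_line(raw)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports the `sp.html` search hijack, the orphaned PopUpCop toolbar and the two Run entries in Temp and Application Data, and stays silent on the Symantec and Microsoft entries.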

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

 

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

 

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found; click "Next". The bad files will be listed; right-click the pane and click "Select all objects" - this will put a check mark in the box at the side. Click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done.

 

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.


Daemon,

I tried FindnFix as you suggested, but it says it cannot find Notepad.exe and requests an executable file to use instead. Help!


Sorry about that - I've split his posts out of your thread. Click here to download xphidden.zip (so you can see hidden files and folders). Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

 

Then using Explorer, navigate to C:\Windows\System32\dllcache

 

You should see a version of notepad.exe in there, 65KB in size. Copy it to both these places:

 

C:\Windows\

C:\Windows\System32\

 

Then try again.


Hey Daemon, it worked, thanks!

Here's the log.

 

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

Tue 20 Jul 04 09:37:18

9:37am up 0 days, 18:34

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

*For *Helpers/Mods and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/20)»»»»»»»»»»»»»»»»

 

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\HLP.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

HLP.DLL Can't Open!

HLPLNJ.DLL Can't Open!

IMAGEHLP.DLL Can't Open!

IPNATHLP.DLL Can't Open!

RASADHLP.DLL Can't Open!

WDMNDLL.DLL Can't Open!

XOLEHLP.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

hlp.dll Thu Jul 1 2004 11:46:56a A...R 57,344 56.00 K

hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K

wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

 

11 items found: 11 files (8 H/S), 0 directories.

Total of file sizes: 2,706,240 bytes 2.58 M

 

unknown/hidden files...

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

 

8 items found: 8 files, 0 directories.

Total of file sizes: 2,534,208 bytes 2.41 M

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\6DO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6JO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6VO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6XO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ABAAMON.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ALLEDIT.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\AQSC32.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ARCTRES.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... HLP.DLL .....57344 01.07.2004

¯ Access denied ® ..................... HLPLNJ.DLL .....57344 28.06.2004

¯ Access denied ® ..................... IMAGEHLP.DLL ....126976 29.08.2002

¯ Access denied ® ..................... IPNATHLP.DLL ....439808 29.03.2004

¯ Access denied ® ..................... RASADHLP.DLL ......6144 18.08.2001

¯ Access denied ® ..................... WDMNDLL.DLL .....57344 25.06.2004

¯ Access denied ® ..................... XOLEHLP.DLL ......9728 18.08.2001

 

»»»»»(*6*)»»»»»

fgrep: can't open input C:\WINDOWS\SYSTEM32\HLP.DLL

fgrep: can't open input C:\WINDOWS\SYSTEM32\HLPLNJ.DLL

fgrep: can't open input C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL

fgrep: can't open input C:\WINDOWS\SYSTEM32\IPNATHLP.DLL

fgrep: can't open input C:\WINDOWS\SYSTEM32\RASADHLP.DLL

fgrep: can't open input C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

fgrep: can't open input C:\WINDOWS\SYSTEM32\XOLEHLP.DLL

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

hlp.dll Thu Jul 1 2004 11:46:56a A...R 57,344 56.00 K

hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K

wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

 

3 items found: 3 files, 0 directories.

Total of file sizes: 172,032 bytes 168.00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group YOUR-6KR4ZXLD90\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

9:39am up 0 days, 18:36

Tue 20 Jul 04 09:39:26

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-18-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-18-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Sun Jul 18 2004 4:27:40p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: vk 8 f AppInit_DLLs G

00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ h l p . d l l 5 7

000011D0:6 u . d l l l m p h vk UDeviceNo

00001210:tSelectedTimeout 1 5 P 9 0 vk '

00001250: zGDIProcessHandleQuota" vk Spooler2

00001290: y e s _ h @ p vk 5

000012D0:swapdisk vk 0 . TransmissionRetryTimeout h

00001310: @ p ( vk ' , USERProcessHandl

00001350:eQuota,

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG¨ÿÿÿC

--------------

--------------

$01180: AppInit_DLLs

$01207: UDeviceNotSelectedTimeout

$01257: zGDIProcessHandleQuota

$012F0: TransmissionRetryTimeout

$01340: USERProcessHandleQuota

--------------

--------------

C:\WINDOWS\System32\hlp.dll

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : "C:\WINDOWS\System32\hlp.dll"

0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.

0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.

0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...

0030 64 00 6c 00 6c 00 00 00 | d.l.l...

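The end of the log above is the interesting part: the REGEDIT4 export reads `"AppInit_DLLs"=""`, while the raw value dump is 56 bytes of UTF-16LE spelling out `C:\WINDOWS\System32\hlp.dll`. The following Python script is an added example for this thread, not FindnFix code: it rebuilds the value from the hex dump copied from the log, decodes it as REG_SZ, checks the two-byte terminator, and reports whether the exported value matches what is really stored.

```python
"""Decode a raw AppInit_DLLs dump and compare it with the REGEDIT4 export.

Added example for this thread; not FindnFix code. The hex dump and the .reg
line are copied from the FindnFix log posted above; the parsing is this
example's own."""
import re
from typing import List, Tuple

# Constructed from the log above: "<offset> <hex bytes> | <ascii>" per line.
RAW_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
"""
# What the REGEDIT4 export in the same log claims the value is.
REG_EXPORT_LINE = '"AppInit_DLLs"=""'


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the value's bytes from the hex column of each dump line."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_part = line.split("|", 1)[0]   # drop the ASCII gutter
        tokens = hex_part.split()[1:]      # drop the offset column
        out.extend(int(tok, 16) for tok in tokens)
    return bytes(out)


def decode_reg_sz(raw: bytes) -> Tuple[str, bool]:
    """Decode a REG_SZ payload (UTF-16LE).

    Returns the text up to the first NUL and whether the payload ends in a
    proper two-byte terminator, the property one of the dump tools in the
    log above reports on as a trailing NUL check."""
    terminated = len(raw) >= 2 and len(raw) % 2 == 0 and raw[-2:] == b"\x00\x00"
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0], terminated


def exported_value(reg_line: str) -> str:
    """Extract the value from a REGEDIT4 string line: "Name"="value"."""
    m = re.match(r'^"[^"]+"="(.*)"$', reg_line)
    if not m:
        raise ValueError("not a REGEDIT4 string value line")
    return m.group(1).replace("\\\\", "\\")  # .reg files double backslashes


def split_appinit(text: str) -> List[str]:
    """AppInit_DLLs is a space- or comma-separated list of DLL paths."""
    return [p for p in re.split(r"[ ,]+", text) if p]


def audit_appinit(dump: str, reg_line: str) -> dict:
    """Compare the raw value with the exported one and summarise."""
    raw = dump_to_bytes(dump)
    text, terminated = decode_reg_sz(raw)
    exported = exported_value(reg_line)
    return {
        "raw_length": len(raw),          # 56 here: 27 UTF-16 chars + terminator
        "decoded": text,
        "terminated": terminated,
        "export_matches_raw": exported == text,
        "dlls": split_appinit(text),
    }


if __name__ == "__main__":
    for key, val in audit_appinit(RAW_DUMP, REG_EXPORT_LINE).items():
        print(f"{key}: {val}")
```

An export that disagrees with the raw bytes is the signal here: a .reg file or a GUI view of the key is not sufficient evidence that AppInit_DLLs is empty.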

Hmmm... there's quite a bit going on here.

 

In the keys1 folder, double-click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to the C:\Windows\System32 folder, find the HLP.DLL file (it should be visible now). Highlight the file and, using the top menu, click Edit>Move to folder...

 

Select C:\Findnfix\junkxxx as destination. Move the file.

 

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, there will be a file called Log2.txt in the FINDnFIX folder - post its contents in your next reply.

 

Also, click here to download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.


Daemon, here is the log2.txt log

 

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

 

Tue 20 Jul 04 16:53:13

4:53pm up 0 days, 0:20

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or the right file was selected.

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

\\?\C:\WINDOWS\System32\HLPLNJ.DLL +++ File read error

C:\WINDOWS\System32\HLPLNJ.DLL +++ File read error

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

HLPLNJ.DLL Can't Open!

WDMNDLL.DLL Can't Open!

 

»»»»»»» (3) »»»»»»»

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K

wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

 

10 items found: 10 files (8 H/S), 0 directories.

Total of file sizes: 2,648,896 bytes 2.52 M

Unknown/hidden files...

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

 

8 items found: 8 files, 0 directories.

Total of file sizes: 2,534,208 bytes 2.41 M

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\6DO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6JO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6VO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6XO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ABAAMON.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ALLEDIT.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\AQSC32.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ARCTRES.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... HLPLNJ.DLL .....57344 28.06.2004

¯ Access denied ® ..................... WDMNDLL.DLL .....57344 25.06.2004

 

»»»»»(*6*)»»»»»

fgrep: can't open input C:\WINDOWS\SYSTEM32\HLPLNJ.DLL

fgrep: can't open input C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

 

»»»»»»» Search by size...

 

 

C:\WINDOWS\SYSTEM32\

hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K

wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

 

2 items found: 2 files, 0 directories.

Total of file sizes: 114,688 bytes 112.00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

* result\\?\C:\FINDnFIX\junkxxx\HLP.222

 

 

C:\FINDNFIX\JUNKXXX\

hlp.222 Thu Jul 1 2004 11:46:56a A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\HLP.222

 

**File C:\FINDNFIX\JUNKXXX\HLP.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- HLP .222 0000E000 11:46.56 01/07/2004

 

--a-- W32i - - - - 57,344 07-01-2004 hlp.222

A C:\FINDnFIX\junkxxx\hlp.222

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

HLP.222 57344 07-01-104 11:46 c185b36f9969d3a6d2122ba7cbc02249

File: <C:\FINDnFIX\junkxxx\hlp.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\hlp.222 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

YOUR-6KR4ZXLD90\User:F

BUILTIN\Users:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

File "C:\FINDnFIX\junkxxx\hlp.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

C:\FINDnFIX\junkxxx\hlp.222;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlp.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlp.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Users:RrRaRepX

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

00001150: r o vk UDeviceNotSelecte

00001190:dTimeout 1 5 P h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' , USERProcessHandleQuota, h X

000012D0: vk f AppInit_DLLs G )2q2v2|2 2 2

 

---------- NEWWIN.TXT

fùAppInit_DLLsÖ?æG

--------------

--------------

$0117F: UDeviceNotSelectedTimeout

$011C7: zGDIProcessHandleQuota

$01270: TransmissionRetryTimeout

$012A0: USERProcessHandleQuota

$012F0: AppInit_DLLs

$0169A: d0h0l0p0t0x0

--------------

--------------

No strings found.

 

 

d.... 0 Jul 18 16:27 .

d.... 0 Jul 18 16:27 ..

....a 57344 Jul 1 11:46 hlp.222

 

3 files found occupying 55296 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

HLP.222 : crc16=3138 crc32=D5C9FB2E

 

-------- C:\FINDNFIX\JUNKXXX\HLP.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2

===============================================================================

57,344 bytes 477,867 cps

Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.12

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-18-:4 16:27|HLP 222 57344 A 07-01-:4 11:46

.. <dir> 07-18-:4 16:27|

---------------------------------------+---------------------------------------

3 files totaling 57344 bytes consuming 65024 bytes of disk space.

17299968 bytes available on Drive C: No volume label


Here is the betterinternet log.

Thank you!

Log for VX2.BetterInternet File Finder

 

Files Found---

C:\WINDOWS\System32\6do4svc.dll

C:\WINDOWS\System32\6jo4svc.dll

C:\WINDOWS\System32\6vo4svc.dll

C:\WINDOWS\System32\6xo4svc.dll

C:\WINDOWS\System32\abaamon.dll

C:\WINDOWS\System32\alledit.dll

C:\WINDOWS\System32\aqsc32.dll

C:\WINDOWS\System32\arctres.dll

 

 

Guardian Key--- is called:

 

User Agent String---

{E88A5234-D39E-49C6-AEAF-08E16C1A052D}


You have L2M, which we can deal with later. I just need to confer on the two other 57344-byte files. I'll get back to you.


As Daemon is not around yet, but alerted me here, please delete your current VX2finder.exe and re-download the latest version for your variants:

http://www.downloads.subratam.org/VX2Finder(126).exe

Scan, click on the save log, and save it somewhere.

Next, restart your computer in safe mode and try to locate the following files in C:\WINDOWS\SYSTEM32\:

HLPLNJ.DLL

WDMNDLL.DLL

And move both the same way into the C:\FINDnFIX\junkxxx subfolder!

(*Note: If you get an 'access denied' type prompt, right-click each file, one at a time, select Properties/Security and check the box to -> "allow inheritable permissions from parent...")

-When you have done that, restart back in normal mode, re-run the "RESTORE.bat" once again and post the log2.txt file, along with the new log saved by VX2finder.


Freeatlast,

Sorry I was out of town for a few days. Here are the new logs.

 

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

 

Sun 25 Jul 04 22:37:32

10:37pm up 0 days, 0:14

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or the right file was selected.

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

 

8 items found: 8 files (8 H/S), 0 directories.

Total of file sizes: 2,534,208 bytes 2.41 M

Unknown/hidden files...

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

 

8 items found: 8 files, 0 directories.

Total of file sizes: 2,534,208 bytes 2.41 M

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\6DO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6JO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6VO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6XO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ABAAMON.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ALLEDIT.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\AQSC32.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ARCTRES.DLL

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

* result\\?\C:\FINDnFIX\junkxxx\HLPLNJ.222

* result\\?\C:\FINDnFIX\junkxxx\WDMNDLL.222

 

 

C:\FINDNFIX\JUNKXXX\

hlplnj.222 Mon Jun 28 2004 12:07:38p A.... 57,344 56.00 K

wdmndll.222 Fri Jun 25 2004 2:28:04p A.... 57,344 56.00 K

 

2 items found: 2 files, 0 directories.

Total of file sizes: 114,688 bytes 112.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\HLPLNJ.222

Sniffed -> C:\FINDNFIX\JUNKXXX\WDMNDLL.222

 

**File C:\FINDNFIX\JUNKXXX\HLPLNJ.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

**File C:\FINDNFIX\JUNKXXX\WDMNDLL.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- HLPLNJ .222 0000E000 12:07.38 28/06/2004

A----- WDMNDLL .222 0000E000 14:28.04 25/06/2004

 

c:\findnfix\junkxxx\hlplnj.222

--a-- W32i - - - - 57,344 06-28-2004 hlplnj.222

c:\findnfix\junkxxx\wdmndll.222

--a-- W32i - - - - 57,344 06-25-2004 wdmndll.222

A C:\FINDnFIX\junkxxx\hlplnj.222

A C:\FINDnFIX\junkxxx\wdmndll.222

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

HLPLNJ.222 57344 06-28-104 12:07 c185b36f9969d3a6d2122ba7cbc02249

WDMNDLL.222 57344 06-25-104 14:28 c185b36f9969d3a6d2122ba7cbc02249

File: <C:\FINDnFIX\junkxxx\hlplnj.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

File: <C:\FINDnFIX\junkxxx\wdmndll.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\hlplnj.222 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

YOUR-6KR4ZXLD90\User:F

BUILTIN\Users:R

 

C:\FINDnFIX\junkxxx\wdmndll.222 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

YOUR-6KR4ZXLD90\User:F

BUILTIN\Users:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

File "C:\FINDnFIX\junkxxx\hlplnj.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

File "C:\FINDnFIX\junkxxx\wdmndll.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

C:\FINDnFIX\junkxxx\hlplnj.222;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Users:RrRaRepX

C:\FINDnFIX\junkxxx\wdmndll.222;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Users:RrRaRepX

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 P h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' , USERProcessHandleQuota, h X

000012D0: vk f AppInit_DLLs G

 

---------- NEWWIN.TXT

fùAppInit_DLLsÖ?æG

--------------

--------------

$0117F: UDeviceNotSelectedTimeout

$011C7: zGDIProcessHandleQuota

$01270: TransmissionRetryTimeout

$012A0: USERProcessHandleQuota

$012F0: AppInit_DLLs

--------------

--------------

No strings found.

 

 

d.... 0 Jul 18 16:27 .

d.... 0 Jul 18 16:27 ..

....a 57344 Jun 28 12:07 hlplnj.222

....a 57344 Jun 25 14:28 wdmndll.222

 

4 files found occupying 111616 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

HLPLNJ.222 : crc16=3138 crc32=D5C9FB2E

WDMNDLL.222 : crc16=3138 crc32=D5C9FB2E

 

-------- C:\FINDNFIX\JUNKXXX\HLPLNJ.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2-------- C:\FINDNFIX\JUNKXXX\WDMNDLL.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2

===============================================================================

114,688 bytes 955,733 cps

Files: 2 Records: 26,278 Matches: 6 Elapsed Time: 00:00:00.12

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-18-:4 16:27|HLPLNJ 222 57344 A 06-28-:4 12:07

.. <dir> 07-18-:4 16:27|WDMNDLL 222 57344 A 06-25-:4 14:28

---------------------------------------+---------------------------------------

4 files totaling 114688 bytes consuming 130048 bytes of disk space.

17299968 bytes available on Drive C: No volume label

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

 

Sun 25 Jul 04 22:37:32

10:37pm up 0 days, 0:14

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or the right file was selected.

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

 

8 items found: 8 files (8 H/S), 0 directories.

Total of file sizes: 2,534,208 bytes 2.41 M

Unknown/hidden files...

 

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

 

8 items found: 8 files, 0 directories.

Total of file sizes: 2,534,208 bytes 2.41 M

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\6DO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6JO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6VO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\6XO4SVC.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ABAAMON.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ALLEDIT.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\AQSC32.DLL

Sniffed -> C:\WINDOWS\SYSTEM32\ARCTRES.DLL

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

* result\\?\C:\FINDnFIX\junkxxx\HLPLNJ.222

* result\\?\C:\FINDnFIX\junkxxx\WDMNDLL.222

 

 

C:\FINDNFIX\JUNKXXX\

hlplnj.222 Mon Jun 28 2004 12:07:38p A.... 57,344 56.00 K

wdmndll.222 Fri Jun 25 2004 2:28:04p A.... 57,344 56.00 K

 

2 items found: 2 files, 0 directories.

Total of file sizes: 114,688 bytes 112.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\HLPLNJ.222

Sniffed -> C:\FINDNFIX\JUNKXXX\WDMNDLL.222

 

**File C:\FINDNFIX\JUNKXXX\HLPLNJ.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

**File C:\FINDNFIX\JUNKXXX\WDMNDLL.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- HLPLNJ .222 0000E000 12:07.38 28/06/2004

A----- WDMNDLL .222 0000E000 14:28.04 25/06/2004

 

c:\findnfix\junkxxx\hlplnj.222

--a-- W32i - - - - 57,344 06-28-2004 hlplnj.222

c:\findnfix\junkxxx\wdmndll.222

--a-- W32i - - - - 57,344 06-25-2004 wdmndll.222

A C:\FINDnFIX\junkxxx\hlplnj.222

A C:\FINDnFIX\junkxxx\wdmndll.222

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

HLPLNJ.222 57344 06-28-104 12:07 c185b36f9969d3a6d2122ba7cbc02249

WDMNDLL.222 57344 06-25-104 14:28 c185b36f9969d3a6d2122ba7cbc02249

File: <C:\FINDnFIX\junkxxx\hlplnj.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

File: <C:\FINDnFIX\junkxxx\wdmndll.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\hlplnj.222 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

YOUR-6KR4ZXLD90\User:F

BUILTIN\Users:R

 

C:\FINDnFIX\junkxxx\wdmndll.222 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

YOUR-6KR4ZXLD90\User:F

BUILTIN\Users:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

File "C:\FINDnFIX\junkxxx\hlplnj.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

File "C:\FINDnFIX\junkxxx\wdmndll.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: YOUR-6KR4ZXLD90\User

 

Primary Group: YOUR-6KR4ZXLD90\None

 

C:\FINDnFIX\junkxxx\hlplnj.222;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Users:RrRaRepX

C:\FINDnFIX\junkxxx\wdmndll.222;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Users:RrRaRepX

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 P h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' , USERProcessHandleQuota, h X

000012D0: vk f AppInit_DLLs G

00001310: $ p

00001350: 0 |

00001390: T

000013D0: ` 8 l

00001410: `

00001450: 8 l

00001490: D d

000014D0: P p

00001510: ( H

00001550:4

 

---------- NEWWIN.TXT

fùAppInit_DLLsÖ?æG

--------------

--------------

$0117F: UDeviceNotSelectedTimeout

$011C7: zGDIProcessHandleQuota

$01270: TransmissionRetryTimeout

$012A0: USERProcessHandleQuota

$012F0: AppInit_DLLs

--------------

--------------

No strings found.

 

 

d.... 0 Jul 18 16:27 .

d.... 0 Jul 18 16:27 ..

....a 57344 Jun 28 12:07 hlplnj.222

....a 57344 Jun 25 14:28 wdmndll.222

 

4 files found occupying 111616 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

HLPLNJ.222 : crc16=3138 crc32=D5C9FB2E

WDMNDLL.222 : crc16=3138 crc32=D5C9FB2E

 

-------- C:\FINDNFIX\JUNKXXX\HLPLNJ.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2-------- C:\FINDNFIX\JUNKXXX\WDMNDLL.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2

===============================================================================

114,688 bytes 955,733 cps

Files: 2 Records: 26,278 Matches: 6 Elapsed Time: 00:00:00.12

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-18-:4 16:27|HLPLNJ 222 57344 A 06-28-:4 12:07

.. <dir> 07-18-:4 16:27|WDMNDLL 222 57344 A 06-25-:4 14:28

---------------------------------------+---------------------------------------

4 files totaling 114688 bytes consuming 130048 bytes of disk space.

17299968 bytes available on Drive C: No volume label


Log for VX2.BetterInternet File Finder (msg126)

 

Files Found---

 

Additional Files---

 

Keys Under Notify---

crypt32chain

cryptnet

cscdll

ScCertProp

Schedule

sclgntfy

SensLogn

termsrv

wlballoon

 

 

Guardian Key--- is called:

 

User Agent String---

{E88A5234-D39E-49C6-AEAF-08E16C1A052D}



Hey... :scratchhead:

No need to bump!

 

I was checking on your topic and there was no reply , so far.

 

Well done!

All your files have been identified!

I'm a bit confused about what happened to the first file you removed with Daemon (hlp.dll),

as it's no longer included!

 

Anyway, to wrap up the CWS episode, follow these steps:

 

Last step(s):

 

-Open the FINDnFIX\Files2 subfolder:

Run the -> "ZIPZAP.bat" file.

It will take just a second, quickly clean the rest and

will create a zipped copy of the bad file(s) in the same

folder (named as-- junkxxx.zip) and open your email

client with instructions:

Simply drag and drop the 'junkxxx.zip' file from

the folder into the mail message and submit

to the specified addresses! Thanks!

 

-When done, restart your computer and

delete the entire 'FINDnFIX' folder(s)

from C:\

 

*Next, delete ALL your previous VX2finder(s).exe

It was updated again.

Download this version from here:

http://downloads.subratam.org/VX2Finder(126).exe

 

Scan, post the results along with new hijackthis log!


Freeatlast,

sorry for the bump, I didn't mean to be rude.

I ran ZIPZAP.bat and dragged the junkxxx.zip into the email. It is requesting a link to this forum be included in the email. Can you tell me how to do this?

Thanks for your help.


Don't worry about the link. Just submit it;

I'll know where it came from ;)

 

When done, proceed with the rest of the steps...


Freeatlast,

vx2.log

Log for VX2.BetterInternet File Finder (msg126)

 

Files Found---

 

Additional Files---

 

Keys Under Notify---

crypt32chain

cryptnet

cscdll

ScCertProp

Schedule

sclgntfy

SensLogn

termsrv

wlballoon

 

 

Guardian Key--- is called:

 

User Agent String---

{E88A5234-D39E-49C6-AEAF-08E16C1A052D}



HijackThis log

 

Logfile of HijackThis v1.97.7

Scan saved at 2:41:52 PM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\WIN2000\guru.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Evidence Eliminator\ee.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINDOWS\System32\hpoipm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\SD2ZWTQ7\VX2Finder(126)[1].exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\unzipped\hijackthis1977[1]\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.r5.attbi.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe

O4 - HKLM\..\Run: [spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe

O4 - HKCU\..\Run: [usrr] C:\Documents and Settings\User\Application Data\rncr.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe

O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/142dcd43068581a07205/netzip/RdxIE2.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7584.8022916667

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

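An added example (not code from the thread or from HijackThis): a small triage of the O4 autostart lines in the log above, which flags a Run entry when its target lives in a folder any logged-on user can write to (the per-user temp and Application Data folders used by the loaders in this thread) or is a bare filename resolved via the PATH search order. The heuristic is location-based only; an entry in System32 under an unfamiliar name still needs a lookup by name, and the sample line set and reason strings are constructed here.

```python
"""Added example: location-based triage of HijackThis 1.97.7 "O4" lines."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4 lines from the log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKCU\..\Run: [usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
"""

# "O4 - HKLM\..\Run: [name] command" and "O4 - [Global ]Startup: name = command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
EXT_RE = re.compile(r"\.(?:exe|dll|scr|com|bat|cmd)\b", re.IGNORECASE)

# Folders any logged-on user can write to; installed software rarely autostarts from there.
USER_WRITABLE = ("\\temp\\", "\\application data\\")


@dataclass
class Entry:
    hive: str
    name: str
    cmd: str
    path: str
    reasons: list = field(default_factory=list)


def target_path(cmd):
    """Extract the executable from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path ends at the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted "C:\Program Files\..." paths contain spaces, so cut after the
    # first executable extension instead of at the first space.
    m = EXT_RE.search(cmd)
    return cmd[:m.end()] if m else cmd


def assess(path):
    """Reasons (possibly none) why this target deserves a closer look."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("target under a user-writable folder")
    if "\\" not in path:
        reasons.append("bare filename resolved via the PATH search order")
    return reasons


def triage(log_text):
    """Parse every O4 line into an Entry with its reasons; other lines are skipped."""
    entries = []
    for line in log_text.strip().splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        path = target_path(m.group("cmd"))
        entries.append(Entry(m.group("hive"), m.group("name"), m.group("cmd"), path, assess(path)))
    return entries


def flagged(entries):
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_O4)):
        print(f"{e.hive:14} [{e.name}] {e.path}\n    -> {'; '.join(e.reasons)}")
```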

I'm not sure about the reason, but VX2finder doesn't seem

to work properly. :scratchhead:

I do know some of the files are different...

 

Here is the list:

C:\WINDOWS\SYSTEM32\

 

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K

aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

All these files have hidden and system attributes.

You have to make sure all hidden/protected files are visible.

Find these according to the specs (exact file name/size: 316,776 bytes)

in system32, and try to delete them one at a time.

*Be sure to identify the right files!

 

*If any can't be deleted, post back the exact file name!

Run VX2finder and click the "userAgent" and 'Restore policy' tabs.

It will ask you to restart.

 

You still have malware left on your hijackthis log!

Start by fixing these:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKCU\..\Run: [usrr] C:\Documents and Settings\User\Application Data\rncr.exe

O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe

O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m**< optional but cr@py reputation!

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

Reboot and post fresh hijackthis log and new VX2finder scan results.

Click only once, as it looks like you clicked several times!

 

***Edit:

Daemon gave you earlier directions to Ad-Aware.

After performing the steps above, install Ad-Aware VX2plugin from here:

http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml

Run full system scan and allow it to fix all it finds.

Edited by freeatlast

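An added example (not code from the thread or from any of the tools named in it): the variant described above dropped one DLL into System32 under several random names, all 316,776 bytes with the same timestamp and hidden+system attributes, and the FINDnFIX output earlier shows two such files with an identical CRC32. Grouping a directory's files by size and SHA-256 surfaces that kind of cluster without relying on the names; the sample directory, its payload bytes and the name "unrelated.dll" are constructed, and the attribute check only reports anything on Windows.

```python
"""Added example: find clusters of byte-identical files, as left by the VX2 variant above."""
import hashlib
import os
import pathlib
import stat
import tempfile
from collections import defaultdict, namedtuple

Cluster = namedtuple("Cluster", "size sha256 names hidden")

# stat.FILE_ATTRIBUTE_* exist only on Windows; the numeric values are the documented ones.
HIDDEN_SYSTEM = (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
                 | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4))


def sha256_of(path, chunk=1 << 16):
    """Stream the file so a real System32 scan never loads a whole DLL into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_hidden_system(st):
    """True when both HIDDEN and SYSTEM are set; st_file_attributes is absent off Windows, so False there."""
    return (getattr(st, "st_file_attributes", 0) & HIDDEN_SYSTEM) == HIDDEN_SYSTEM


def find_clones(directory, min_copies=2, only_size=None):
    """Group regular files by (size, sha256) and return the groups with at least
    min_copies members. only_size restricts the scan to one exact byte size
    (316,776 in the thread) so a big directory is hashed selectively."""
    groups = defaultdict(list)
    hidden = set()
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        if only_size is not None and st.st_size != only_size:
            continue
        groups[(st.st_size, sha256_of(entry.path))].append(entry.name)
        if is_hidden_system(st):
            hidden.add(entry.name)
    return [Cluster(size, digest, sorted(names), sorted(n for n in names if n in hidden))
            for (size, digest), names in sorted(groups.items())
            if len(names) >= min_copies]


def demo(only_size=None):
    """Constructed sample directory: four identical payloads under random names
    taken from the listing above, plus one unrelated file of the same size."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = b"MZ" + b"\x90" * 254          # constructed stand-in for the dropped DLL
        for name in ("6do4svc.dll", "6jo4svc.dll", "abaamon.dll", "arctres.dll"):
            pathlib.Path(tmp, name).write_bytes(payload)
        pathlib.Path(tmp, "unrelated.dll").write_bytes(b"MZ" + b"\x00" * 254)
        return find_clones(tmp, only_size=only_size)


if __name__ == "__main__":
    for c in demo():
        print(f"{len(c.names)} copies, {c.size} bytes, sha256={c.sha256[:16]}...: "
              f"{', '.join(c.names)} (hidden+system: {c.hidden or 'none'})")
```

Run against a real System32 with `find_clones(r"C:\Windows\System32", only_size=316776)`; a cluster of same-size, same-hash files under unrelated names is the signal the thread relied on, independent of which names the dropper chose.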

Freeatlast,

New Logs

 

Logfile of HijackThis v1.97.7

Scan saved at 4:39:34 PM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

C:\WIN2000\guru.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINDOWS\System32\hpoipm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\unzipped\hijackthis1977[1]\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.r5.attbi.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe

O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/142dcd43068581a07205/netzip/RdxIE2.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7584.8022916667

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

 

Log for VX2.BetterInternet File Finder (msg126)

 

Files Found---

 

Additional Files---

 

Keys Under Notify---

crypt32chain

cryptnet

cscdll

ScCertProp

Schedule

sclgntfy

SensLogn

termsrv

wlballoon

 

 

Guardian Key--- is called:

 

User Agent String---

{E88A5234-D39E-49C6-AEAF-08E16C1A052D}


Much better! :D

After consulting with my good bud O^E, it turns

out that the VX2 files are probably left over from an older version!

 

Were you able to find and delete all?

 

Fix checked in hijackthis:

 

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

 

Run VX2finder, select the "UserAgent$" tab and have it

remove the string!

Be sure this line doesn't show up again!

 

User Agent String---

{E88A5234-D39E-49C6-AEAF-08E16C1A052D}

 

 

From your previously fixed log, find and delete:

C:\Documents and Settings\User\Application Data\rncr.exe< file

 

WINDOWS\System32\msdbrptr949i.exe< file.

 

Empty your temp folder from start/run/type:

%temp%

Clear entire contents of temp folder

 

Run all the recommended tools advised by Daemon again,

and you should be

all set! :D


Freeatlast,

I think I was able to remove all of the VX2 files, but I could not remove all of the files in the temp folder.


Freeatlast,

I also have 2 things in my list of programs that I can't remove.

Zerospyware lite and Kazaa media desktop. Can you tell me how to remove these?


The items in 'temp' that resist removal can be safely ignored, as they are used by Windows.

 

As for the other programs, check the corresponding entries in Windows control panel/Add/remove programs and try to uninstall them. :scratchhead:


Thanks, I have tried both many times and it will not allow me to remove them. Kazaa says error loading C:\windows\system32\cd-clint.dll and Zerospyware lite says an error (5004:0x80029c4a) has occurred while running setup, but I'm trying to delete, not install.

Thanks, I have tried both many times and it will not allow me to remove. Kazaa says error loading C:\windows\system32\cd-clint.dll and Zerospyware lite says an error (5004:0x80029c4a) has occurred while running setup but I'm trying to delete not install.

Use this utility:

http://freehost14.websamba.com/nirsoft/utils/myuninst.html

Run, find both programs and look at their properties.

Location, uninstall command etc.

You can try to uninstall directly from there, but it will most likely fail.

If so, use the tool to remove the items from the list after you

have located their install location, if it exists

(e.g. C:\Program Files\Zerospyware lite).

When done, find and manually delete the remains (in Program Files).


Hey Freeatlast, Thank you so much for your help. I really appreciate it. This is the first time in months I have been able to use my computer without problems. Thanks again


Thanks FAL - quality work as always :cool:

 

 

 

To help keep you clean, follow the recommendations in Tony's article here:

 

So how did I get infected in the first place?

 

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
