Jump to content


Photo

HiJack This Log files


  • Please log in to reply
5 replies to this topic

#1 rowedf

rowedf

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 20 July 2004 - 08:03 PM

Here are two HiJack this files...the first ran in safe mode, the second in regular mode. Ive run Adaware, Spybot, and CWShredder.

Logfile of HijackThis v1.97.7
Scan saved at 7:40:39 PM, on 7/20/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
D:\Documents and Settings\uharggx\Desktop\hijack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3A7CC57C-54F7-44A3-9F88-E16D538674DE} - C:\WINNT\system32\ebbcca.dll
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: assistance.lnk = C:\c600splash.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetNT\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetNT\JETSTAT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {586C75A9-BBDD-11D4-A4F0-00C04F800B37} (IDPrintPage.Print) - https://ncam.lexis-n...idprintpage.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {BDD1F04B-858B-11D1-B16A-00C0F0283628} (Microsoft ListView Control, version 6.0) - http://esar2/home/mscomctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lexis-nexis.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lexis-nexis.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lexis-nexis.com


Now, regular mode:

Logfile of HijackThis v1.97.7
Scan saved at 7:50:55 PM, on 7/20/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
c:\jetNT\jsdaemon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\c600splash.exe
C:\jetNT\DLLCMD32.EXE
C:\jetNT\JETSTAT.EXE
c:\jetNT\JSFMAN.EXE
C:\WINNT\System32\MDM.EXE
D:\Documents and Settings\uharggx\Desktop\hijack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3A7CC57C-54F7-44A3-9F88-E16D538674DE} - C:\WINNT\system32\ebbcca.dll
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: assistance.lnk = C:\c600splash.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetNT\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetNT\JETSTAT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {586C75A9-BBDD-11D4-A4F0-00C04F800B37} (IDPrintPage.Print) - https://ncam.lexis-n...idprintpage.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {BDD1F04B-858B-11D1-B16A-00C0F0283628} (Microsoft ListView Control, version 6.0) - http://esar2/home/mscomctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lexis-nexis.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lexis-nexis.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lexis-nexis.com

Thanks for any help.

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 21 July 2004 - 04:13 PM

To anyone other than the originator of this topic: do not use this thread to try to fix your system or anyone elses by copying it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
Posted Image

#3 rowedf

rowedf

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 21 July 2004 - 09:09 PM

Ok, here are the results.


╗╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗╗╗
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows 2000 [Version 5.00.2195]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1
The type of the file system is NTFS.
C: is not dirty.

Wed 21 Jul 04 22:00:42
10:00pm up 0 days, 0:10

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The list will produce a small database of files that will match certain
criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Unless the file match the entire criteria, it should not be pointed to
remove
without attempting to confirm it's nature!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
At times there could be several (legit) files flagged, and/or duplicate
culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*updated 7/21)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗╗*╗╗╗*Use at your own risk!╗╗╗*╗╗╗*

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINNT\System32\SQLFPE.DLL +++ File read error
\\?\C:\WINNT\System32\SQLFPE.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
SQLFPE.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINNT\SYSTEM32\
sqlfpe.dll Fri Jul 16 2004 6:54:58p A...R 57,344 56.00
K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\SQLFPE.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
**File C:\WINNT\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... SQLFPE.DLL .....57344
16.07.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINNT\SYSTEM32\SQLFPE.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINNT\SYSTEM32\
sqlfpe.dll Fri Jul 16 2004 6:54:58p A...R 57,344 56.00
K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\SQLFPE.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows
NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and
above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 58 bytes, including the 2 for
string termination.

[AppInitDLLs]
Ansi string : "C:\WINNT\system32\sqlfpe.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 |
C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 |
\.s.y.s.t.e.m.3.
0020 32 00 5c 00 73 00 71 00 6c 00 66 00 70 00 65 00 |
2.\.s.q.l.f.p.e.
0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...


#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 22 July 2004 - 01:48 AM

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the SQLFPE.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log2.txt - post it's contents in your next reply.
Posted Image

#5 rowedf

rowedf

    Member

  • Full Member
  • Pip
  • 48 posts

Posted 23 July 2004 - 10:21 AM

Here are the results:

╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗

Fri 23 Jul 04 11:11:02
11:11am up 0 days, 0:12

Microsoft Windows 2000 [Version 5.00.2195]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG2!(*updated 7/21)***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.
Unknown/hidden files...

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.


╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINNT\SYSTEM32\DLLXXX.TXT

╗╗╗╗╗(*6*)╗╗╗╗╗

╗╗╗╗╗╗╗ Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

(***Note: If the file is listed as +++ read error it's security restrictions
couldn't be stripped!
RightClick on the file/properties/security
and check the "Allow Inheritable permissions from parent..." box.
Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

* result\\?\C:\FINDnFIX\junkxxx\SQLFPE.222


C:\FINDNFIX\JUNKXXX\
sqlfpe.222 Fri Jul 16 2004 6:54:58p A.... 57,344 56.00
K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992,
21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\SQLFPE.222

**File C:\FINDNFIX\JUNKXXX\SQLFPE.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice.
.Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup.
2.....Ó.

A----- SQLFPE .222 0000E000 18:54.58 16/07/2004

--a-- W32i - - - - 57,344 07-16-2004 sqlfpe.222
A C:\FINDnFIX\junkxxx\sqlfpe.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
SQLFPE.222 57344 07-16-104 18:54 c185b36f9969d3a6d2122ba7cbc02249
File: <C:\FINDnFIX\junkxxx\sqlfpe.222>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249


╗╗Permissions:
C:\FINDnFIX\junkxxx\sqlfpe.222 Everyone:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
Everyone:F

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group:

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group:

File "C:\FINDnFIX\junkxxx\sqlfpe.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group:

C:\FINDnFIX\junkxxx\sqlfpe.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\sqlfpe.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\sqlfpe.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\sqlfpe.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\sqlfpe.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\sqlfpe.222;Everyone:RrRaRepWwAWaWePXDDcO[I]



╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows
NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and
above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access -------- C:\FINDNFIX\JUNKXXX\SQLFPE.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 819,200 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.07

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> A 07-23-:4 11:10|SQLFPE 222 57344 A 07-16-:4
18:54
.. <dir> A 07-23-:4 11:10|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: Volume label: L2K_C_DRIVE

...File dump...

DecAddr +4 +8 +12 © |ASCII Equiv or .| HexAddr
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...

C:\FINDnFIX\junkxxx
sqlfpe.222 ACL has 6 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = /Everyone S-1-1-0
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
ACL done...


Finished Detecting...


#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 23 July 2004 - 11:01 AM

Nearly there, open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1 Reboot when done. Rescan with HJT and post a new log in your next reply.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button