Home Search, Only the Best, and Search Extender


92 replies to this topic

#51 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 12:59 PM

OK - here is a new HijackThis log... As far as I know, there is nothing in ignore... I didn't click anything - just ran the scan...

Logfile of HijackThis v1.98.0
Scan saved at 1:59:06 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ieon32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xptrh.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [msse.exe] C:\WINDOWS\msse.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

#52 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 01:10 PM

Hi,

I downloaded the FINDnFIX program to my computer, but when opened there is only a folder called !LOG! -- I don't see one called !LOG!.bat.... :hmmm:

#53 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 23 July 2004 - 01:31 PM

It's one and the same - double click it.

#54 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 01:44 PM

Sorry about that -- I am not at all familiar with these things.... Here is the log:


╗╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗╗╗
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994
The type of the file system is NTFS.
C: is not dirty.

Fri 23 Jul 04 14:39:17
2:39pm up 0 days, 14:24

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*updated 7/21)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗╗*╗╗╗*Use at your own risk!╗╗╗*╗╗╗*

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\WIN.DLL +++ File read error
\\?\C:\WINDOWS\System32\WIN.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
WIN.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
javayg.dll Tue Jun 29 2004 10:29:56p A.SH. 91,475 89.33 K

1 item found: 1 file, 0 directories.
Total of file sizes: 91,475 bytes 89.33 K

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JAVAYG.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... WIN.DLL .....57344 21.04.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\WIN.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group SHAUNSPC\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
2:42pm up 0 days, 14:28
Fri 23 Jul 04 14:42:33

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-23-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-23-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Fri Jul 23 2004 2:07:10p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk 8 S AppInit_DLLs C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ w i n . d l l 2382
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
AppInit_DLLsÇĚ
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota3
$012F0: AppInit_DLLs
--------------
--------------
C:\WINDOWS\System32\win.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\win.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 2e 00 | m.3.2.\.w.i.n...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...

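The [AppInitDLLs] dump at the end of that log is what makes the diagnosis: the raw value names a DLL, while the REGEDIT4 export just above it shows AppInit_DLLs as empty. The script below is an added example (not FINDnFIX code or anything posted in this thread) that does that comparison mechanically: it rebuilds the value from the dump lines copied from the log, checks the UTF-16 terminator, and reports every discrepancy; the unterminated second sample is constructed.

```python
"""Check an AppInit_DLLs REG_SZ value the way the log above does by hand:
decode the raw UTF-16LE bytes, confirm the trailing NUL terminator, and
compare what the loader will read with what a .reg export displayed.

Added example for this thread; not code from FINDnFIX or the forum.
"""
from typing import NamedTuple

# Hex dump copied from the FINDnFIX log above ([AppInitDLLs] section).
LOG_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 2e 00 | m.3.2.\.w.i.n...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
"""

# Constructed sample: the same path stored without its terminating NUL,
# the "MISSING TRAILING NULL CHARACTER" condition the first log flagged.
UNTERMINATED_SAMPLE = "C:\\WINDOWS\\System32\\win.dll".encode("utf-16-le")


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw value from 'offset xx xx ... | ascii' dump lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split("|", 1)[0].split()      # drop the ASCII column
        out.extend(int(h, 16) for h in fields[1:])  # fields[0] is the offset
    return bytes(out)


class AppInitCheck(NamedTuple):
    path: str           # what a C-string consumer (the loader) reads
    raw_size: int
    terminated: bool    # raw bytes end in the UTF-16 NUL pair
    embedded_nul: bool  # a NUL pair before the end: display stops early
    reasons: tuple      # human-readable findings
    suspicious: bool


def decode_reg_sz(raw: bytes):
    """Decode REG_SZ bytes; return (text_without_terminator, terminated, embedded_nul)."""
    if len(raw) % 2:            # REG_SZ must be whole UTF-16 code units
        raw = raw[:-1]
    terminated = len(raw) >= 2 and raw[-2:] == b"\x00\x00"
    body = raw[:-2] if terminated else raw
    text = body.decode("utf-16-le", errors="replace")
    return text, terminated, "\x00" in text


def check_appinit(raw: bytes, reported_size: int, exported_value: str) -> AppInitCheck:
    """Compare the raw value against the size the API reported and the string a
    registry export displayed; collect every discrepancy as a finding."""
    text, terminated, embedded = decode_reg_sz(raw)
    visible = text.split("\x00", 1)[0]   # what NUL-terminated string APIs return
    reasons = []
    if not terminated:
        reasons.append("raw value lacks the trailing UTF-16 NUL; exports may show it as empty")
    if embedded:
        reasons.append("embedded NUL: display stops at %r but the data continues" % visible)
    if len(raw) != reported_size:
        reasons.append("size mismatch: raw %d bytes, API reported %d" % (len(raw), reported_size))
    if visible != exported_value:
        reasons.append("export shows %r but the loader would read %r" % (exported_value, visible))
    if visible.strip():
        reasons.append("AppInit_DLLs is non-empty: %r is loaded into every process that maps user32.dll" % visible)
    return AppInitCheck(visible, len(raw), terminated, embedded, tuple(reasons), bool(reasons))


if __name__ == "__main__":
    # Values taken from the log: 56 bytes reported, REGEDIT4 export showed "".
    for result in (check_appinit(parse_hex_dump(LOG_DUMP), 56, ""),
                   check_appinit(UNTERMINATED_SAMPLE, 54, "")):
        print(result.path, "terminated=%s" % result.terminated)
        for reason in result.reasons:
            print("  -", reason)
```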

#55 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 23 July 2004 - 01:58 PM

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to the C:\Windows\System32 folder, find the WIN.DLL file (it should be visible now). Highlight the file and using the top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log2.txt - post its contents in your next reply.

#56 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 02:47 PM

I'm very sorry, but after the reboot when I went into the System32 folder, there was no such file as WIN.DLL... :wtf:

#57 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 23 July 2004 - 03:03 PM

Don't be sorry - your AV may well have nailed it. Do the Restore part and post the Log2.

#58 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 03:23 PM

Sorry again, but I am unable to produce a log; every time Notepad puts it up, a Spybot warning pops up and it disappears from the screen... There are 3 Notepad documents in FINDnFIX, but I don't think it is the RESTORE log......

#59 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 03:26 PM

OK here is the only log2 in FINDnFIX:


╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗

Fri 23 Jul 04 16:17:57
4:17pm up 0 days, 0:36

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG2!(*updated 7/21)***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗
\\?\C:\WINDOWS\System32\WIN.DLL +++ File read error
C:\WINDOWS\System32\WIN.DLL +++ File read error

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT
WIN.DLL Can't Open!

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Unknown/hidden files...

C:\WINDOWS\SYSTEM32\
javayg.dll Tue Jun 29 2004 10:29:56p A.SH. 91,475 89.33 K

1 item found: 1 file, 0 directories.
Total of file sizes: 91,475 bytes 89.33 K

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JAVAYG.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL

╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... WIN.DLL .....57344 21.04.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\WIN.DLL

╗╗╗╗╗╗╗ Search by size...


C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!
RightClick on the file/properties/security
and check the "Allow Inheritable permissions from parent..." box.
Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)



No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


File not found - C:\FINDnFIX\junkxxx\*.*

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________

╗╗Permissions:
ERROR: There are no more files.

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None




╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\win.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINDOWS\System32\win.dll

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk 8 - AppInit_DLLs1 C C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ w i n . d l l C
00001350: xC XC `J B
00001390: C T
000013D0:
00001410: \ W I N D O W S \ s y s t e m 3 2 ; C : \ W
00001450:I N D O W S ; C : \ W I N D O W S \ S y s t e m 3 2 \ W b e m
00001490:! \ W I N D O W S \ s y s t e m 3 2 ; C : \ W I N D O
000014D0:W S \ S y s t e m 3 2 ; C : \ W I N D O W S \ s y s t e m ; C :
00001510:\ W I N D O W S ; . ; C : \ W I N D O W S \ s y s t e m 3 2 ; C
00001550::

---------- NEWWIN.TXT
AppInit_DLLs1
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota3
$012F0: AppInit_DLLs1
--------------
--------------
C:\WINDOWS\System32\win.dll
\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
\WINDOWS\system32;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
acn_np:[\\PIPE\\lsarpc]
rpcrt4.dll

d.... 0 Jul 23 14:07 .
d.... 0 Jul 23 14:07 ..

2 files found occupying -1024 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
No files found


===============================================================================
0 bytes 0 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.07

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-23-:4 14:07|.. <dir> 07-23-:4 14:07
---------------------------------------+---------------------------------------
2 files totaling 0 bytes consuming 0 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...


Detecting...

C:\FINDnFIX\junkxxx
Finished Detecting... 

#60 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 03:36 PM

Home Search returned to my computer a little while ago... I don't think I've ever been this annoyed by anything online ever before.... :techsupport:

#61 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 23 July 2004 - 04:51 PM

It's still there. Repeat this.

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to the C:\Windows\System32 folder, find the WIN.DLL file (it should be visible now). Highlight the file and using the top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log2.txt - post its contents in your next reply.

#62 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 23 July 2004 - 05:21 PM

Still no WIN.DLL file present in System32; here is a new log from the last scan, if interested:


╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗

Fri 23 Jul 04 18:18:53
6:18pm up 0 days, 0:08

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG2!(*updated 7/21)***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗
\\?\C:\WINDOWS\System32\WIN.DLL +++ File read error
C:\WINDOWS\System32\WIN.DLL +++ File read error

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT
WIN.DLL Can't Open!

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Unknown/hidden files...

C:\WINDOWS\SYSTEM32\
javayg.dll Tue Jun 29 2004 10:29:56p A.SH. 91,475 89.33 K

1 item found: 1 file, 0 directories.
Total of file sizes: 91,475 bytes 89.33 K

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JAVAYG.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL

╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... WIN.DLL .....57344 21.04.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\WIN.DLL

╗╗╗╗╗╗╗ Search by size...


C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!
RightClick on the file/properties/security
and check the "Allow Inheritable permissions from parent..." box.
Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)



No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


File not found - C:\FINDnFIX\junkxxx\*.*

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________

╗╗Permissions:
ERROR: There are no more files.

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None




╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\win.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINDOWS\System32\win.dll

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: H vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk 8 0 AppInit_DLLsoute C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ w i n . d l l t + t
00001350: N U ^ V t$ t$ 3 F F F( F$ ^ D$ u a
00001390: A A A A$ A A D$ A D$ A$ A 3 T$ u+ t
000013D0: t I( I( A(t A( t I( D$ V ;F ~ P % Y F
00001410:t F F F ^ ` U SVW } 3 9V u
00001450: U v N X B X ;V r 3 9U U 9V ^ C r
00001490: e P u e E f x < E P F P u
000014D0: } t :A$u 3 F P :H$u E 3 9M tV F
00001510: tO tK E u F Q q R Q R G f e< F
00001550:

---------- NEWWIN.TXT
AppInit_DLLsoute└   C
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota3
$012F0: AppInit_DLLsoute
--------------
--------------
C:\WINDOWS\System32\win.dll

d.... 0 Jul 23 14:07 .
d.... 0 Jul 23 14:07 ..

2 files found occupying -1024 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
No files found


===============================================================================
0 bytes 0 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.07

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-23-:4 14:07|.. <dir> 07-23-:4 14:07
---------------------------------------+---------------------------------------
2 files totaling 0 bytes consuming 0 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...


Detecting...

C:\FINDnFIX\junkxxx
Finished Detecting... 

#63 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 24 July 2004 - 12:29 AM

I still haven't gotten rid of these spyware programs... If anyone can shed some light, PLEASE don't hesitate to post it in a reply... Lord deliver us from this scourge... Whoever came up with this should be horse whipped... :ph34r:

#64 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 24 July 2004 - 01:37 PM

Well, I am back for another day to battle this.... Anyone available???

#65 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 24 July 2004 - 06:46 PM

I've been trying to figure out some of the remedies posted to other logs, but I was told not to follow advice given to others... I am just unable to figure this out... Anyone?

#66 ChrisB

    Member

  • Full Member
  • 72 posts

Posted 25 July 2004 - 01:47 AM

Anyone?? I'm begging.... :weep:

#67 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 25 July 2004 - 07:04 AM

Sorry - I missed your replies - let me confer as to why you are having difficulties revealing that file.

#68 ChrisB (Full Member, 72 posts)

Posted 28 July 2004 - 04:16 PM

Well, I still have the hijacker programs on my computer... I am now seeking help at another help board, where I am being told to use About:Buster and HijackThis in safe mode. This process does not work, or it hasn't worked for me... I hope others have better luck than me.

#69 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 28 July 2004 - 04:24 PM

That won't work - hang fire - I'm going to get a second opinion.

#70 ChrisB (Full Member, 72 posts)

Posted 28 July 2004 - 08:34 PM

If there is anyone at all who knows how to solve the about: blank hijack and only the best popups, please post....

#71 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 28 July 2004 - 10:18 PM

Since you're having trouble and I was alerted to
check, I made alternate files
to fix your specific issue.

You must follow these steps exactly as described!
----------------------------------------------------------------------
Download and *UNZIP QuickFix from here:
http://www10.brinkst...er/Temp/fix.htm

Get ready to restart:
1.)
-*DoubleClick on this file: "Winrem.reg", Answer
'yes' to the prompt!

2.)
-*Restart your computer!

3.)
On Restart, Go back to 'QuickFix' folder, and
-*DoubleClick on the "MoveIt.bat" file.
(It will just run and quit instantly)

4.)
When done, Go back to:
C:\FINDnFIX\Keys1< Subfolder, And DoubleClick on
the following 2 files (only)
In this order, hitting 'yes' on the prompt:

A.) Winkey.reg
B.) Winclean.reg

5.)
Lastly, go back to main FindNFix folder and
run the "Restore.bat" file, and post the log!

#72 ChrisB (Full Member, 72 posts)

Posted 29 July 2004 - 03:51 AM

I'm dreadfully sorry, but I simply do not know what it means to "unzip" a file...
All I am able to do is click on download and save it somewhere... You are unfortunately dealing with a non computer expert here... I am not at all familiar with a lot of computer related things...

#73 ChrisB (Full Member, 72 posts)

Posted 29 July 2004 - 03:55 AM

I moved it to a newly created folder that I named QuickFix, will that constitute unzipping it??

#74 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 29 July 2004 - 09:18 AM

I'm dreadfully sorry, but I simply do not know what it
means to "unzip" a file...
All I am able to do is click on download and save it
somewhere... You are unfortunately dealing with a non
computer expert here... I am not at all familiar with a lot of computer related things...

I moved it to a newly created folder that I named QuickFix, will that constitute unzipping it??

Delete the file you downloaded and the folder you made...
Download it again from Here.
DoubleClick, and it will self extract to your drive in:
C:\QuickFix\.
Get ready to restart and follow up on the steps--starting with 1. outlined in my previous post.

#75 ChrisB (Full Member, 72 posts)

Posted 29 July 2004 - 05:43 PM

Here is the FINDnFIX log asked for:


»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Thu 29 Jul 04 18:22:00
6:22pm up 0 days, 0:13

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/21)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»
\\?\C:\WINDOWS\System32\WIN.DLL +++ File read error
C:\WINDOWS\System32\WIN.DLL +++ File read error

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT
WIN.DLL Can't Open!

»»»»»»» (3) »»»»»»»

C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Unknown/hidden files...

C:\WINDOWS\SYSTEM32\
javayg.dll Tue Jun 29 2004 10:29:56p A.SH. 91,475 89.33 K

1 item found: 1 file, 0 directories.
Total of file sizes: 91,475 bytes 89.33 K

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JAVAYG.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL

»»»»»(5)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... WIN.DLL .....57344 21.04.2004

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\WIN.DLL

»»»»»»» Search by size...


C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»

(***Note: If the file is listed as +++ read error, its security restrictions couldn't be stripped!
RightClick on the file/properties/security
and check the "Allow Inheritable permissions from parent..." box.
Do the same for the folder (junkxxx) it's in, otherwise ignore and proceed)



No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*


File not found - C:\FINDnFIX\junkxxx\*.*

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________

»»Permissions:
ERROR: There are no more files.

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None




»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\win.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINDOWS\System32\win.dll

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk 8 UAppInit_DLLsecte C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ w i n . d l l disk
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
└UAppInit_DLLsecte└   C
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota3
$012EF: UAppInit_DLLsecte
--------------
--------------
C:\WINDOWS\System32\win.dll

d.... 0 Jul 23 14:07 .
d.... 0 Jul 23 14:07 ..

2 files found occupying -1024 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
No files found


===============================================================================
0 bytes 0 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-23-:4 14:07|.. <dir> 07-23-:4 14:07
---------------------------------------+---------------------------------------
2 files totaling 0 bytes consuming 0 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...


Detecting...

C:\FINDnFIX\junkxxx
Finished Detecting... 

#76 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 29 July 2004 - 08:59 PM

It didn't quite work...

The package was updated since and
your backups are useless by now, anyway.
Delete the 'QuickFix' folders and the FINDnFIX folders.

Download FINDnFIX again from the links
in my signature, run and post the log. (Run the LOG.bat)

#77 ChrisB (Full Member, 72 posts)

Posted 29 July 2004 - 09:34 PM

I am sorry, that last log posted was from my file that I created... I will redo and post back hopefully soon...

#78 ChrisB (Full Member, 72 posts)

Posted 30 July 2004 - 04:44 PM

Hi, here is the log:



»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994
The type of the file system is NTFS.
C: is not dirty.

Fri 30 Jul 04 17:41:10
5:41pm up 0 days, 23:33

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date, size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that, the registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file matches the entire criteria, it should not be pointed to remove
without attempting to confirm its nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/29)»»»»»»»»»»»»»»»»

»»»*»»»*Use at your own risk!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\WIN.DLL +++ File read error
\\?\C:\WINDOWS\System32\WIN.DLL +++ File read error

»»»»» (*2*) »»»»»........
WIN.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
javayg.dll Tue Jun 29 2004 10:29:56p A.SH. 91,475 89.33 K

1 item found: 1 file, 0 directories.
Total of file sizes: 91,475 bytes 89.33 K

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JAVAYG.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL
SNiF 1.34 statistics

Matching files : 2 Amount in bytes : 148819
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»
» Access denied « ..................... WIN.DLL .....57344 21.04.2004

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\WIN.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINDOWS\SYSTEM32\
win.dll Wed Apr 21 2004 11:14:24p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WIN.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group SHAUNSPC\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
5:43pm up 0 days, 23:35
Fri 30 Jul 04 17:43:18

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-30-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-30-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Fri Jul 30 2004 5:41:06p .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: = " vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: I N ( A N C E P A T H > < N A M E S P A C E P A T H > < H
00001310:O S T > S H A U N S P C < / H O S T > < L O C A L N A M E S P A
00001350:C E P A T H > < N A M E S P A C E N A M E = " r o o t " / > <
00001390:N A M E S P A C E N A M E = " c i m v 2 " / > < / L O C A L N
000013D0:A M E S P A C E P A T H > < / N A M E S P A C E P A T H > < I N
00001410:S T A N C E N A M E C L A S S N A M E = " W i n 3 2 _ S t a r
00001450:t u p C o m m a n d " > < K E Y B I N D I N G N A M E = " C o
00001490:m m a n d " > < K E Y V A L U E V A L U E T Y P E = " s t r i
000014D0:n g " > D E S K T O P . I N I < / K E Y V A L U E > < / K E Y B
00001510:I N D I N G > < K E Y B I N D I N G N A M E = " L o c a t i o
00001550:n " > < K E Y V A L U E V A L U E T Y P E = " s t r i n g " >
00001590:S t a r t u p < / K E Y V A L U E > < / K E Y B I N D I N G > <
000015D0:K E Y B I N D I N G N A M E = " N a m e " > < K

---------- WIN.TXT
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota3
--------------
--------------
ON="2.0" DTDVERSION="2.0"><DECLARATION><DECLGROUP.WITHPATH><VALUE.OBJECTWITHPATH><INSTANCEPATH><NAMESPACEPATH><HOST>SHAUNSPC</HOST><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"
PROPERTY><
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!


#79 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 30 July 2004 - 08:04 PM

Here is what you should do:

1.) If you are running any active
Anti virus protection, disable it completely!
Unless you do so, it'll interfere!

2.) Open the FINDnFIX\Keys1< Subfolder!
Get ready to restart your computer:
DoubleClick on this file: (only) -> "windr1.reg"
Answer 'yes' on the merge prompt!

3.) Restart your computer!

On restart:
Search for this file "win.dll" in System32.
*If found:
Move it into the:
C:\FINDnFIX\junkxxx< Subfolder as originally advised!
DoubleCheck that it is indeed in the junkxxx Subfolder
And no longer in the System32 folder!
If so,
Go to main FINDnFIX Folder, Run the -> "Restore.bat"
And post the log!

**If NOT found:
Just run the same "LOG.bat" again and post the log!
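The procedure freeatlast lays out above (merge a .reg that resets the key and the file's permissions, reboot, move win.dll out of System32 into junkxxx, then restore the Windows key) is what an administrator would do by hand on a current Windows machine. What follows is an added example written for this page; it is not code from the thread or from FINDnFIX. It assumes an elevated PowerShell session, and its function names, backup folder, quarantine folder and the .333 extension are this example's own choices (the extension copies the one the logs show). It checks the load point (AppInit_DLLs under the Windows NT key, plus the WOW6432Node copy and the LoadAppInit_DLLs gate that newer Windows versions add), lists System32 DLLs that show the attribute and ACL symptoms in the logs (read-only, hidden+system, a Deny ACE, or a file that cannot be opened), and then does backup, clear, reboot, quarantine in the same order as the thread's fix.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from this thread or from FINDnFIX. Run in an elevated
# PowerShell session. The function names, the quarantine folder and the backup
# folder are this example's own choices; the symptoms it looks for are the ones
# in the logs above: AppInit_DLLs pointing at a System32 DLL that is read-only
# and carries a read-denying ACL, next to a hidden+system DLL (javayg.dll).

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 64-bit Windows only
)

# 1. Is anything registered as an AppInit DLL? On XP the value alone loads the
#    DLL into every process that maps user32.dll. Vista and later also require
#    LoadAppInit_DLLs = 1, and Windows 8+ ignores the value when Secure Boot is on.
function Get-AppInitStatus {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Key              = $key
            AppInit_DLLs     = $p.AppInit_DLLs
            LoadAppInit_DLLs = $p.LoadAppInit_DLLs
            Suspicious       = -not [string]::IsNullOrWhiteSpace($p.AppInit_DLLs)
        }
    }
}

# 2. DLLs in System32 that look the way win.dll and javayg.dll did in the logs:
#    hidden/system/read-only attributes, a Deny ACE, or not openable at all.
function Find-SuspectSystem32Dll {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($f in Get-ChildItem -LiteralPath $sys32 -Filter '*.dll' -File -Force) {
        $reasons = @()
        foreach ($attr in 'Hidden', 'System', 'ReadOnly') {
            if ($f.Attributes.HasFlag([IO.FileAttributes]$attr)) { $reasons += $attr.ToLower() }
        }
        try {
            $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction Stop
            if ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) { $reasons += 'deny ACE' }
        } catch { $reasons += 'ACL unreadable' }
        try { $s = [IO.File]::OpenRead($f.FullName); $s.Dispose() }
        catch { $reasons += 'open denied' }
        if ($reasons) {
            [pscustomobject]@{
                Path     = $f.FullName
                Size     = $f.Length
                Modified = $f.LastWriteTime
                Reasons  = $reasons -join ', '
            }
        }
    }
}

# 3. Same order of operations as freeatlast's .reg/.bat files: back the key up,
#    empty the value, reboot. Until the reboot the DLL is still mapped into every
#    running GUI process, which is why the file itself is handled only afterwards.
function Clear-AppInitDlls {
    param([string]$BackupDir = (Join-Path $env:ProgramData 'appinit-backup'))
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $backup  = Join-Path $BackupDir ('windows-key-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        & reg.exe export $regPath $backup /y | Out-Null
        Set-ItemProperty -LiteralPath $key -Name 'AppInit_DLLs' -Value '' -Type String
    }
}

# 4. After the reboot: take ownership, re-enable inherited permissions (the
#    "Allow inheritable permissions from parent" step in the FINDnFIX note),
#    clear the attributes, move the file under a non-executable extension, and
#    hash it so it can be compared with the MD5s in the log.
function Move-LockedDll {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Quarantine = 'C:\Quarantine'
    )
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    & takeown.exe /F $Path | Out-Null
    & icacls.exe $Path /inheritance:e /grant 'Administrators:F' | Out-Null
    & attrib.exe -R -S -H $Path
    $dest = Join-Path $Quarantine ((Split-Path -Leaf $Path) + '.333')   # the extension FINDnFIX used
    Move-Item -LiteralPath $Path -Destination $dest -Force
    Get-FileHash -LiteralPath $dest -Algorithm MD5
}

# Usage, in this order:
#   Get-AppInitStatus | Format-List
#   Find-SuspectSystem32Dll | Format-Table -AutoSize
#   Clear-AppInitDlls; Restart-Computer
#   Move-LockedDll -Path "$env:SystemRoot\System32\win.dll"   # file name taken from the log
```

Read the output of the two Get/Find functions before clearing anything: Find-SuspectSystem32Dll will also list legitimate read-only or hidden files, so, as the FINDnFIX note says, a file is only a candidate when it matches the whole picture (named in AppInit_DLLs, recently modified, unreadable, unknown hash). The value is cleared and the machine rebooted before the file is moved because a DLL listed in AppInit_DLLs is mapped into every running process that loaded user32.dll, and the move itself is done within the same volume so it works as a rename.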

#80 ChrisB (Full Member, 72 posts)

Posted 30 July 2004 - 10:49 PM

Here is the latest log from FINDnFIX:



»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Fri 30 Jul 04 23:32:54
11:32pm up 0 days, 0:08

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q832894-Q330994
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/29)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

C:\WINDOWS\SYSTEM32\
javayg.dll Tue Jun 29 2004 10:29:56p A.SH. 91,475 89.33 K

1 item found: 1 file, 0 directories.
Total of file sizes: 91,475 bytes 89.33 K

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JAVAYG.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 91475
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\WIN.333


C:\FINDNFIX\JUNKXXX\
dwwin.333 Mon Aug 11 2003 7:02:36p A.... 1,216,512 1.16 M
win.333 Wed Apr 21 2004 11:14:24p A.... 57,344 56.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 1,273,856 bytes 1.21 M

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\DWWIN.333
Sniffed -> C:\FINDNFIX\JUNKXXX\WIN.333
SNiF 1.34 statistics

Matching files : 2 Amount in bytes : 1273856
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.*

**File C:\FINDNFIX\JUNKXXX\DWWIN.333
**File C:\FINDNFIX\JUNKXXX\WIN.333
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- DWWIN .333 00129000 19:02.36 11/08/2003
A----- WIN .333 0000E000 23:14.24 21/04/2004

c:\findnfix\junkxxx\dwwin.333
--a-- W32i APP ENU 2.0.0.113 shp 1,216,512 08-11-2003 dwwin.333
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName MicroVision Development, Inc.
FileDescription MicroVision DWWIN Library
InternalName dwwin
OriginalFilenam dwwin.dll
ProductName MicroVision DWWIN Library
ProductVersion 2.0.0.113
FileVersion 2, 0, 0, 113
LegalCopyright Copyright © 1999-2003 MicroVision Development, Inc. All rights reserved.
LegalTrademarks
PrivateBuild
SpecialBuild
Comments

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00020000:00000071 (2.0:0.113)
ProdVer: 00020000:00000071 (2.0:0.113)
FlagMask: 0000003f
Flags: 00000000
OS: 00000004 Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000
c:\findnfix\junkxxx\win.333
--a-- W32i - - - - 57,344 04-21-2004 win.333
A C:\FINDnFIX\junkxxx\dwwin.333
A C:\FINDnFIX\junkxxx\win.333

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
DWWIN.333 1216512 08-11-103 19:02 265423b5e124fc6ce33be2dcdaf1ff84
WIN.333 57344 04-21-104 23:14 c185b36f9969d3a6d2122ba7cbc02249

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
DWWIN.333 : crc16=72B3 crc32=E68CFC5F
WIN.333 : crc16=3138 crc32=D5C9FB2E


File: <C:\FINDnFIX\junkxxx\dwwin.333>

CRC-32 : E68CFC5F

MD5 : 265423B5 E124FC6C E33BE2DC DAF1FF84



File: <C:\FINDnFIX\junkxxx\win.333>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
(CRC16 : 3138)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
(CRC16 : EEB1)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
(CRC16 : 90A5)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\dwwin.333 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R

C:\FINDnFIX\junkxxx\win.333 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
SHAUNSPC\Shaun Blankenship:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None

File "C:\FINDnFIX\junkxxx\dwwin.333"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\FINDnFIX\junkxxx\win.333"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x SHAUNSPC\Shaun Blankenship
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: SHAUNSPC\Shaun Blankenship

Primary Group: SHAUNSPC\None

C:\FINDnFIX\junkxxx\dwwin.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\dwwin.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\dwwin.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\dwwin.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\dwwin.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\dwwin.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\dwwin.333;BUILTIN\Users:RrRaRepX[I]
C:\FINDnFIX\junkxxx\win.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\win.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\win.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\win.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\win.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\win.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\win.333;SHAUNSPC\Shaun Blankenship:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\win.333;BUILTIN\Users:RrRaRepX[I]



»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: yyyy vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk b AppInit_DLLsecte yyyyyyyyyyyy
00001310:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
00001350:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
00001390:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
000013D0:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
00001410:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
00001450:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
00001490:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
000014D0:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
00001510:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
00001550:y

---------- NEWWIN.TXT
AppInit_DLLsecte
--------------
--------------
$001B5: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
$0100C: yyyyyyyyyyyyyyyyyyyy
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota3
$012F0: AppInit_DLLsecte
--------------
--------------
No strings found.


d.... 0 Jul 30 17:41 .
d.... 0 Jul 30 17:41 ..
....a 1216512 Aug 11 2003 dwwin.333
....a 57344 Apr 21 23:14 win.333

4 files found occupying 1270784 bytes

-------- C:\FINDNFIX\JUNKXXX\WIN.333
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
1,273,856 bytes 21,230,933 cps
Files: 2 Records: 246,403 Matches: 3 Elapsed Time: 00:00:00.06

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-30-:4 17:41|DWWIN 3331216512 A 08-11-:3 19:02
.. <dir> 07-30-:4 17:41|WIN 333 57344 A 04-21-:4 23:14
---------------------------------------+---------------------------------------
4 files totaling 1273856 bytes consuming 1300480 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...

junkxxx\dwwin.333
junkxxx\win.333
1 file(s) copied.
56880 45f883c0 018945f8 837df803 7d278b4d |E.....E..}..}'.M| 0de30
56896 0c0fbe11 8b45f88b 4d080fb7 04412bc2 |.....E..M....A+.| 0de40
56912 8b4df88b 55086689 044a8b45 0c83c001 |.M..U.f..J.E....| 0de50
56928 89450ceb cac745f8 00000000 eb098b4d |.E....E........M| 0de60
56944 f883c101 894df883 7df8037d 7166c745 |.....M..}..}qf.E| 0de70
56960 f00000c7 45f40000 0000eb09 8b55f483 |....E........U..| 0de80
56976 c2018955 f4837df4 037d428b 450c660f |...U..}..}B.E.f.| 0de90
56992 be086689 4dfc8b55 0c83c201 89550c8b |..f.M..U.....U..| 0dea0
57008 45f48b4d 080fb714 4181e2ff 0000000f |E..M....A.......| 0deb0
57024 bec20fbf 4dfc0faf c866894d fc0fbf55 |....M....f.M...U| 0dec0
57040 fc0fbf45 f003c266 8945f0eb af8b4df8 |...E...f.E....M.| 0ded0
57056 8b550866 8b45f066 |.U.f.E.f | 0dee0

Detecting...

C:\FINDnFIX\junkxxx
dwwin.333 ACL has 7 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001200a9 -R -X
ACL done...


win.333 ACL has 8 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = SHAUNSPC/Shaun Blankenship S-1-5-21-1647726428--1639091633-826386075-1007
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001200a9 -R -X
ACL done...


Finished Detecting... 
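
The access masks in the "Detecting..." section above (0x001f01ff, 0x001200a9) are plain bit fields; the following decoder, added here as an example and not part of FINDnFIX or of this thread, maps them back to the right names the dump prints and lists the ACEs that give the Everyone group write-class rights. The bit values are the winnt.h constants; the sample dump lines are constructed from the output above and the SID regular expression is an assumption about that format.

```python
"""Decode file access masks from an ACL dump in the format shown above.

Added example (not part of the FINDnFIX tool or the thread): turns the raw
mask values back into the right labels the dump prints (-R -W -X -D ...)
and flags ACEs that hand write-class rights to Everyone (S-1-1-0).
"""
import re

# Bits of a file access mask (winnt.h values).
FILE_READ_DATA    = 0x00000001
FILE_WRITE_DATA   = 0x00000002
FILE_EXECUTE      = 0x00000020
FILE_DELETE_CHILD = 0x00000040
DELETE            = 0x00010000
WRITE_DAC         = 0x00040000   # change permissions
WRITE_OWNER       = 0x00080000   # take ownership

# Labels in the order the dump prints them.
RIGHT_LABELS = [
    ("R", FILE_READ_DATA),
    ("W", FILE_WRITE_DATA),
    ("X", FILE_EXECUTE),
    ("D", DELETE),
    ("DEL_CHILD", FILE_DELETE_CHILD),
    ("CHANGE_PERMS", WRITE_DAC),
    ("TAKE_OWN", WRITE_OWNER),
]

# Any of these lets the trustee modify, remove or re-permission the file.
WRITE_BITS = FILE_WRITE_DATA | DELETE | FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER

# Constructed sample: two ACEs in the dump's format (assumed line layout).
SAMPLE_DUMP = """\
win.333 ACL has 8 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001200a9 -R -X
ACL done...
"""

SID_RE = re.compile(r"^SID = (\S.*?) (S-1-[\d-]+)$")
MASK_RE = re.compile(r"^ACE (\d+) mask = 0x([0-9a-fA-F]{8})")


def decode_mask(mask):
    """Return the list of right labels whose bit is set in an access mask."""
    return [label for label, bit in RIGHT_LABELS if mask & bit]


def parse_aces(text):
    """Yield (trustee, sid, ace_index, mask) for each ACE in a dump."""
    trustee = sid = None
    for line in text.splitlines():
        line = line.strip()
        m = SID_RE.match(line)
        if m:
            trustee, sid = m.group(1), m.group(2)
            continue
        m = MASK_RE.match(line)
        if m and trustee is not None:
            yield trustee, sid, int(m.group(1)), int(m.group(2), 16)


def world_writable_aces(text):
    """ACE indices that grant Everyone (S-1-1-0) any write-class right."""
    return [idx for trustee, sid, idx, mask in parse_aces(text)
            if sid == "S-1-1-0" and mask & WRITE_BITS]


if __name__ == "__main__":
    for trustee, sid, idx, mask in parse_aces(SAMPLE_DUMP):
        print(f"ACE {idx} {trustee:<24} {mask:#010x} {' '.join(decode_mask(mask))}")
    print("world-writable ACEs:", world_writable_aces(SAMPLE_DUMP))
```

Both files in the dump carry an Everyone full-control ACE, which is why `world_writable_aces` reports ACE 0; that is a weakness of the file permissions, not by itself a sign of which file is malicious.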

#81 freeatlast
    E x p l o r e r
  • Retired Staff
  • 833 posts

Posted 30 July 2004 - 11:13 PM

;) Well done!
You found it!!!
BUT---
You made a mistake...

»»»*»»» Scanning for moved file... »»»*»»»

.......................................................

C:\FINDNFIX\JUNKXXX\
dwwin.333 Mon Aug 11 2003 7:02:36p A.... 1,216,512 1.16 M
win.333 Wed Apr 21 2004 11:14:24p A.... 57,344 56.00 K

--------------------------------------------------------------------
:\findnfix\junkxxx\dwwin.333
--a-- W32i APP ENU 2.0.0.113 shp
1,216,512 08-11-2003 dwwin.333
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName MicroVision Development, Inc.
FileDescription MicroVision DWWIN Library
InternalName dwwin
OriginalFilenam dwwin.dll
ProductName MicroVision DWWIN Library
ProductVersion 2.0.0.113
FileVersion 2, 0, 0, 113
LegalCopyright Copyright © 1999-2003 MicroVision Development, Inc. All rights reserved.

Why on earth did you move BOTH files?
dwwin.dll is NOT win.dll!
(only win.dll renamed to win.333 was the bad guy!)

http://www.mvd.com/

Find the dwwin file in the junkxxx folder, And rename it FROM:
dwwin.333 TO: dwwin.dll
And put it back in its original location!
Whether it was System32 folder, or... :scratchhead:

When done, just delete the entire FINDnFIX folder(s)
From C:\ and post fresh hijackthis log.

We'll clean the remnants, if left -then!

P.S.
You really need to spend some time reading
and become more familiar with basic windows functions,
and/or understand how to follow given steps properly!
Identifying single file doesn't require special
computer engineering skills! :mellow:

For your own good, and no offence intended! ;)
Otherwise you are likely to face worse problems than last...

#82 ChrisB
    Member
  • Full Member
  • 72 posts

Posted 30 July 2004 - 11:35 PM

I thought it was part of the problem also, because it was very similar... I moved it back to System32...

New HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 12:34:33 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ieon32.exe
C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\addyp32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ubmbg.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ubmbg.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ubmbg.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ubmbg.dll/sp.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ubmbg.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ubmbg.dll/index.html#26512
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [addyp32.exe] C:\WINDOWS\system32\addyp32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
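
A triage pass over the HijackThis log above, added here as an example (it is not part of HijackThis or of this thread): it reports the markers a helper reads off such a log, namely R0/R1 start or search pages that point at a res:// resource inside a local DLL, the missing default URLSearchHook (R3), the BHO listed with no name (O2), and O4 Run entries whose command lives under C:\WINDOWS but is not on a small allow-list. The allow-list `KNOWN_WINDOWS_AUTOSTARTS` and the line regular expressions are assumptions; the sample lines are copied from the posted log.

```python
"""Triage a HijackThis log for the hijack markers visible in the log above.

Added example; not part of HijackThis or of this thread. Reports:
  res-hijack                R0/R1 page pointing at res://<dll>/...
  urlsearchhook-missing     R3 default URLSearchHook is missing
  nameless-bho              O2 BHO with "(no name)"
  unknown-windows-autostart O4 Run entry under C:\\WINDOWS not on the allow-list
"""
import re

# Constructed sample: lines copied from the posted HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ubmbg.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ubmbg.dll/index.html#26512
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [addyp32.exe] C:\WINDOWS\system32\addyp32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
""".strip()

RES_RE = re.compile(r"^(R[01]) - (.+?) = (res://.+)$")
BHO_RE = re.compile(r"^O2 - BHO: \(no name\) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
RES_DLL_RE = re.compile(r"res://(?:[^/]*\\)?([^/\\]+\.dll)/", re.IGNORECASE)

# Assumed allow-list: Windows autostarts that legitimately run from C:\WINDOWS.
KNOWN_WINDOWS_AUTOSTARTS = {"ctfmon.exe"}


def triage(log_text):
    """Return a list of (finding_code, detail) tuples for a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RES_RE.match(line)
        if m:
            findings.append(("res-hijack", f"{m.group(2)} -> {m.group(3)}"))
            continue
        if line.startswith("R3 - ") and "missing" in line:
            findings.append(("urlsearchhook-missing", line[5:]))
            continue
        m = BHO_RE.match(line)
        if m:
            findings.append(("nameless-bho", f"{m.group(1)} {m.group(2)}"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            # Basename of the executable, ignoring quotes and arguments.
            exe = cmd.strip('"').split("\\")[-1].split(" ")[0].lower()
            if cmd.lower().startswith("c:\\windows\\") and exe not in KNOWN_WINDOWS_AUTOSTARTS:
                findings.append(("unknown-windows-autostart", f"{hive} [{name}] {cmd}"))
    return findings


def hijack_dlls(log_text):
    """Distinct DLL file names referenced by res:// start/search pages."""
    names = []
    for code, detail in triage(log_text):
        if code == "res-hijack":
            m = RES_DLL_RE.search(detail)
            if m and m.group(1).lower() not in names:
                names.append(m.group(1).lower())
    return names


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:<26} {detail}")
    print("DLLs to look for:", hijack_dlls(SAMPLE_LOG))
```

`hijack_dlls` is the part a helper reads first: it names the DLL the res:// pages are served from (ubmbg.dll here), which is the file that has to be found on disk before the R0/R1 lines can stay fixed.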

#83 freeatlast
    E x p l o r e r
  • Retired Staff
  • 833 posts

Posted 31 July 2004 - 12:04 AM

You have another cws variant that requires very special steps!

I thought it was part of the problem also,
because it was very *similar...

FIRST, you must be more attentive to steps and not
do what you think
is part of the problem, but follow exactly!
This variant is much more difficult and requires
basic skills, as restarting in Safe mode, disabling Service etc.

Here is an example:
http://forums.spywar...topic=18571&hl=

Though your steps would be different.
If you feel these steps/or similar are beyond what
you're capable of, I'll have someone
else handle it, as I'm a bit busy.

Start with these steps:
Download and install:
http://p-nand-q.com/...l/pserv-2.3.exe

Don't use it yet. Just install.

Next, Download:
http://www.sysintern.../autoruns.shtml

Run, In the "view" menu, uncheck all entries.
Then, select (check) the "Show Services" and
the "Only show non Microsoft entries".

Be sure both are checked, Go
to "Entry" menu, 'Copy to clipboard' and paste it here, along with
new hijackthis log!

#84 ChrisB
    Member
  • Full Member
  • 72 posts

Posted 31 July 2004 - 12:51 AM

Hi, I hope this is what you need; I checked those two things, and unchecked all entries in View.

HKLM\System\CurrentControlSet\Services
+ AOL ACS AOL Connectivity Service America Online, Inc. C:\Program Files\Common Files\AOL\ACS\acsd.exe
+ MCVSRte McAfee VirusScan Online Realtime Engine Networks Associates Technology, Inc c:\Program Files\McAfee.com\VSO\mcvsrte.exe
+ WANMiniportService Wan Miniport (ATW) Service America Online, Inc. C:\WINDOWS\wanmpsvc.exe
+ ŻO.#×éä?§ě┬┤ Ô C:\WINDOWS\SYSTEM32\ieon32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ addyp32.exe C:\WINDOWS\SYSTEM32\addyp32.exe
+ mswspl
+ mswspl C:\WINDOWS\SYSTEM32\addyp32.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ Sonic RecordNow!
+ Sonic RecordNow!
+ SpybotSD TeaTimer C:\Documents and Settings\Shaun Blankenship\Spybot.exe
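
A review pass over the Autoruns listing above, added here as an example (it is not part of Sysinternals Autoruns or of this thread). It assumes the clipboard text is tab-separated into name, description, company and image path, which is what the posted listing is taken to have looked like before the forum collapsed the whitespace, and it reports the three things visible in it: an entry whose name is not printable ASCII, entries whose image carries no description or company, and a Run value with no image path at all. The sample listing is constructed from the post, with the garbled service name copied as-is.

```python
"""Review an Autoruns 'Copy to clipboard' listing for entries worth a look.

Added example, not from Sysinternals Autoruns or this thread. Assumes the
listing is tab-separated: name, description, company, image path.
"""
import string

# Printable ASCII minus control whitespace; anything else in a name is "garbled".
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Constructed sample mirroring the posted listing (service name copied as-is).
SAMPLE_LISTING = (
    "HKLM\\System\\CurrentControlSet\\Services\n"
    "+ AOL ACS\tAOL Connectivity Service\tAmerica Online, Inc.\t"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe\n"
    "+ ŻO.#×éä?§ě┬┤ Ô\t\t\tC:\\WINDOWS\\SYSTEM32\\ieon32.exe\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "+ addyp32.exe\t\t\tC:\\WINDOWS\\SYSTEM32\\addyp32.exe\n"
    "+ mswspl\t\t\t\n"
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "+ SpybotSD TeaTimer\t\t\tC:\\Documents and Settings\\Shaun Blankenship\\Spybot.exe\n"
)


def parse_listing(text):
    """Yield (section, name, description, company, path) for each '+ ' entry."""
    section = None
    for raw in text.splitlines():
        if raw.startswith("+ "):
            fields = raw[2:].split("\t")
            fields += [""] * (4 - len(fields))          # pad short rows
            name, desc, company, path = (f.strip() for f in fields[:4])
            yield section, name, desc, company, path
        elif raw.strip():
            section = raw.strip()                       # registry key header


def review(text):
    """Return (reason, section, name, path) findings, one per flagged entry."""
    findings = []
    for section, name, desc, company, path in parse_listing(text):
        if any(ch not in PRINTABLE for ch in name):
            findings.append(("garbled-name", section, name, path))
        elif not path:
            findings.append(("no-image-path", section, name, path))
        elif not desc and not company:
            findings.append(("no-vendor-info", section, name, path))
    return findings


if __name__ == "__main__":
    for reason, section, name, path in review(SAMPLE_LISTING):
        print(f"{reason:<15} {section}\n    {name!r} -> {path or '(none)'}")
```

The `no-vendor-info` class is a prompt to look, not a verdict: the TeaTimer entry is flagged as well because the posted listing shows no description or company for it, while the garbled-name service is the one the next reply singles out.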

#85 freeatlast
    E x p l o r e r
  • Retired Staff
  • 833 posts

Posted 31 July 2004 - 01:33 AM

Yes!

This is the service you need to disable:

+ ŻO.#ž‚„?§ě┬┤ Ô C:\WINDOWS\SYSTEM32\ieon32.exe

Go to folder options/view:
And set both hidden/protected files as visible!

Restart your computer in safe mode:
Run the other tool you previously downloaded from:
Start> Programs> pserv.cpl >Services and Devices

When the list of services appear, locate the entry:

ŻO.#ž‚„?§ě┬┤ Ô C:\WINDOWS\SYSTEM32\ieon32.exe

RightClick and select -> 'Disable'!

Click 'ok' and close.

Try to locate the following files and delete:

WINDOWS\SYSTEM32\ieon32.exe, addyp32.exe
WINDOWS\javapn.dll,msse.exe, ubmbg.dll
Search for: xptrh.dll< And delete as well.

Some of these files may no longer be there, as
I 'collected' them from your previous posts.
"ieon32.exe" must be found and deleted, first!
*Be sure to identify the right files only, as any mistakes can
get you in worse trouble!

Still in safe mode, run hijackthis and fix checked:
*R1 -, *R0 - Lines - ALL!
*O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll (*might say file missing/no file, etc)
*O4 - HKLM\..\Run: [addyp32.exe] C:\WINDOWS\system32\addyp32.exe


When done, restart in regular mode and
post:
1.) fresh hijackthis log
2.) New scan results from 'AutoRuns' (with same settings)
3.) Details
about the files that were (not)/found/deleted, etc from the list above!

#86 ChrisB
    Member
  • Full Member
  • 72 posts

Posted 31 July 2004 - 01:54 AM

I apologize, I forgot to add the HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 2:53:50 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ieon32.exe
C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\addyp32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\autoruns\autoruns.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ubmbg.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ubmbg.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ubmbg.dll/index.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ubmbg.dll/sp.html#26512
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ubmbg.dll/sp.html#26512
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ubmbg.dll/index.html#26512
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [addyp32.exe] C:\WINDOWS\system32\addyp32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

#87 freeatlast
    E x p l o r e r
  • Retired Staff
  • 833 posts

Posted 31 July 2004 - 01:59 AM

When done WITH THE STEPS ABOVE, restart in regular mode and
post:
1.) fresh hijackthis log
2.) New scan results from 'AutoRuns' (with same settings)
3.) Details about the files that were (not)/found/deleted, etc from the list above!



#88 ChrisB
    Member
  • Full Member
  • 72 posts

Posted 31 July 2004 - 02:08 AM

One final note:

I may need to wait until tomorrow to perform this, as I need to print out the instructions and I have no printer here that is operational... Also, how do I locate those files to delete? Do I right click Start and use the search feature?

#89 ChrisB
    Member
  • Full Member
  • 72 posts

Posted 31 July 2004 - 02:11 AM

Um, the last HijackThis log was the one asked for previously....

#90 freeatlast
    E x p l o r e r
  • Retired Staff
  • 833 posts

Posted 31 July 2004 - 02:21 AM

Also, how do I locate those files to delete? Do I right click Start and use the search feature?


How to Find a File on your Computer or Hard Drive :scratchhead:

#91 ChrisB
    Member
  • Full Member
  • 72 posts

Posted 31 July 2004 - 09:49 AM

Sorry freeatlast, I have a major problem now... I followed your directions, but when I went into Safe Mode, my computer asks me to click on my username to begin... As I have always been asked that question in Safe Mode I clicked my name... It won't start up, it just keeps saying "logging off" and returning me to that same page. When I restarted to try to begin again normally, it started up on that page instead of my desktop... I can't get my normal operating desktop back... I don't know what has happened to my computer, but it is no longer operational... No matter how many times I restart or tell it to start windows normally in safe mode, it still does this... I guess there is some major glitch somewhere...

#92 freeatlast
    E x p l o r e r
  • Retired Staff
  • 833 posts

Posted 31 July 2004 - 05:31 PM

If you have disabled the wrong service
and/or deleted the wrong file (as you previously did),
that can account for it.

But--

Yes!

This is the service you need to disable:

+ ŻO.#ž‚„?§ě┬┤ Ô C:\WINDOWS\SYSTEM32\ieon32.exe

Go to folder options/view:
And set both hidden/protected files as visible!

Restart your computer in safe mode:

Which steps did you follow exactly? :scratchhead:

Your best bet is to try:
How to start your computer by using the Last Known Good Configuration feature in Windows XP
And if successful, don't follow any other steps until you are more familiar with Windows features, as the sequence of events in this entire thread unfortunately proves otherwise...

Edited by freeatlast, 31 July 2004 - 05:44 PM.


#93 ChrisB
    Member
  • Full Member
  • 72 posts

Posted 03 August 2004 - 09:33 AM

As my computer was in a totally useless state, I had to get help from someone in person to help... I had to erase my hard drive and begin anew. I also have bought Norton Internet Security software... Is this a good program for protection? Do you have any recommendations? Thanks for all the help, I think I was close to ridding myself of the hijacker..



