• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Psyke

CWS.Searchx

5 posts in this topic

Hijack Log

 

Logfile of HijackThis v1.97.7

Scan saved at 10:01:51 AM, on 7/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\sstray.exe

C:\WINDOWS\System32\TCAUDIAG.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\system32\deinst_qfe002.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Avant Browser\iexplore.exe

C:\Stuff\Downloads\Spyware tools\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\system32\winproc32.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\deinst_qfe002.exe

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

 

 

FindnFix log

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

Sat 24 Jul 04 09:48:32

9:48am up 0 days, 0:18

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove

without attempting to confirm it's nature!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!

If in doubt, always search the file(s) and properties according to criteria!

 

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/21)»»»»»»»»»»»»»»»»

 

»»»*»»»*Use at your own risk!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\RESAG.DLL +++ File read error

\\?\C:\WINDOWS\System32\RESAG.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

RESAG.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

resag.dll Mon Jul 12 2004 3:22:18p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\RESAG.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

¯ Access denied ® ..................... RESAG.DLL .....57344 12.07.2004

 

»»»»»(*6*)»»»»»

fgrep: can't open input C:\WINDOWS\SYSTEM32\RESAG.DLL

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

resag.dll Mon Jul 12 2004 3:22:18p A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

C:\WINDOWS\SYSTEM32\

openal32.dll Wed Mar 3 2004 1:02:00p A.... 21,504 21.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 21,504 bytes 21.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\RESAG.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\OPENAL32.DLL

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access HOMEPC\Stan

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access HOMEPC\Stan

 

 

»»Member of...: (Admin logon required!)

User is a member of group HOMEPC\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

9:51am up 0 days, 0:21

Sat 24 Jul 04 09:51:07

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-24-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-24-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Sat Jul 24 2004 9:48:30a .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150:#_ck \X7 #_ck

00001190: \X7 #_ck vk | DeviceNotSelecte

000011D0:dTimeout 1 5 ( vk ' t GDIProce

00001210:ssHandleQuota z 9 0 | H | vk P Spooler

00001250: y e s vk 5swapdisk 0

00001290:` vk . TransmissionRetryTimeout vk

000012D0: ' S USERProcessHandleQuotae 0 `

00001310: vk S AppInit_DLLsm 3

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

AppInit_DLLsm

--------------

--------------

$011C0: DeviceNotSelectedTimeout

$01208: GDIProcessHandleQuota

$012B0: TransmissionRetryTimeout

$012E0: USERProcessHandleQuotae

$01330: AppInit_DLLsm

--------------

--------------

No strings found.

 

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : ""

0000 00 00 | ..

Share this post


Link to post
Share on other sites

First, if you are running any active Anti Virus

protection, disable it completely!

 

In hijackthis fix and delete the items I

mentined in your other post, and restart your computer!

 

This will take couple or more steps to fix.(Although won't be all done yet)

Be sure to Follow the next set of steps carefully, in

the exact order specified:

 

1.)

- Open the FINDnFIX\Keys1\ Subfolder And

DoubleClick on the "FIX.bat" file.

-You will get a prompt preparing for auto-restart in 10 seconds.

-Let it restart!

----------------------------------------------------------------------------

2.)

On restart, Go to Start/Search, and find:

"RESAG.DLL" (in System32 folder; as it should be visible)

-When found, RightClick on the "RESAG.DLL" file

And select -> Cut...

Immediately Open this Subfolder:

C:\FINDnFIX\junkxxx <-

RightClick inside it and select -> Paste

hit 'ok' when/if asked on 'read only' file move prompt.

*Be sure the file is now here: \junkxxx\RESAG.DLL

------------------------------------------------------------------------------

3.)

When done, Go back up one level to the main C:\FINDnFIX folder and

Run the -> "RESTORE.bat" file ,

It will run and generate new log (log2.txt)

Post it here.

===================================================

*Note:

Do not change/move around or

tamper with any of the file(s) folder(s) and path

included in the 'FINDnFIX' folder.

Share this post


Link to post
Share on other sites

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

 

Sat 24 Jul 04 10:37:27

10:37am up 0 days, 0:02

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q837009-Q832894-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/21)***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or

the right file was selected...

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

Unknown/hidden files...

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

C:\WINDOWS\SYSTEM32\

openal32.dll Wed Mar 3 2004 1:02:00p A.... 21,504 21.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 21,504 bytes 21.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\OPENAL32.DLL

 

»»»*»»» Scanning for moved file... »»»*»»»

 

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!

RightClick on the file/properties/security

and check the "Allow Inheritable permissions from parent..." box.

Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

 

* result\\?\C:\FINDnFIX\junkxxx\RESAG.222

 

 

C:\FINDNFIX\JUNKXXX\

resag.222 Mon Jul 12 2004 3:22:18p A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\RESAG.222

 

**File C:\FINDNFIX\JUNKXXX\RESAG.222

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- RESAG .222 0000E000 15:22.18 12/07/2004

 

--a-- W32i - - - - 57,344 07-12-2004 resag.222

A C:\FINDnFIX\junkxxx\resag.222

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

RESAG.222 57344 07-12-104 15:22 c185b36f9969d3a6d2122ba7cbc02249

File: <C:\FINDnFIX\junkxxx\resag.222>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\resag.222 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

HOMEPC\Stan:F

BUILTIN\Users:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x HOMEPC\Stan

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: HOMEPC\Stan

 

Primary Group: HOMEPC\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x HOMEPC\Stan

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: HOMEPC\Stan

 

Primary Group: HOMEPC\None

 

File "C:\FINDnFIX\junkxxx\resag.222"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x HOMEPC\Stan

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: HOMEPC\Stan

 

Primary Group: HOMEPC\None

 

C:\FINDnFIX\junkxxx\resag.222;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\resag.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\resag.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\resag.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\resag.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\resag.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\resag.222;HOMEPC\Stan:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\resag.222;BUILTIN\Users:RrRaRepX

 

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access HOMEPC\Stan

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access HOMEPC\Stan

 

 

 

00001150:#_ck \X7 #_ck

00001190: \X7 #_ck $ vk | DeviceNotSelecte

000011D0:dTimeout 1 5 ( vk ' t GDIProce

00001210:ssHandleQuota z 9 0 | H | vk P Spooler

00001250: y e s vk 5swapdisk 0

00001290:` vk . TransmissionRetryTimeout vk

000012D0: ' S USERProcessHandleQuotae 0 `

00001310: vk S AppInit_DLLsecte n i n s t a

00001350:l l K B 8 4 0 3 7 4 $ 8 * $ N t U n i n s t a l l K B

00001390:8 4 1 8 7 3 $ 8 * $ N t U n i n s t a l l K B 8 4 2 7

000013D0:7 3 $ 8 ( $ N t U n i n s t a l l Q 3 2 9 0 4 8 $

00001410:8 ( $ N t U n i n s t a l l Q 3 2 9 1 1 5 $ 8

00001450:( $ N t U n i n s t a l l Q 3 2 9 1 7 0 $ 8 ( $ N

00001490:t U n i n s t a l l Q 3 2 9 3 9 0 $ 8 ( $ N t U n i

000014D0:n s t a l l Q 3 2 9 4 4 1 $ 8 ( $ N t U n i n s t a

00001510:l l Q 3 2 9 8 3 4 $ 8 ( $ N t U n i n s t a l l Q 8

00001550:1

 

---------- NEWWIN.TXT

AppInit_DLLsecteÀ

--------------

--------------

$011C0: DeviceNotSelectedTimeout

$01208: GDIProcessHandleQuota

$012B0: TransmissionRetryTimeout

$012E0: USERProcessHandleQuotae

$01330: AppInit_DLLsecte

--------------

--------------

ninstallKB840374$

$NtUninstallKB841873$

$NtUninstallKB842773$

$NtUninstallQ329048$

$NtUninstallQ329115$

$NtUninstallQ329170$

$NtUninstallQ329390$

$NtUninstallQ329441$

$NtUninstallQ329834$

$NtUninstallQ810565$

$NtUninstallQ810833$

$NtUninstallQ811493$

$NtUninstallQ814033$

$NtUninstallQ815021$

$NtUninstallQ817287$

$NtUninstallQ817606$

$NtUninstallQ819696$

$NtUninstallQ828026$

50comupd.exe

Ascd_tmp.ini

aucfg.ini

Blue Lace 16.bmp

bootstat.dat

clock.avi

Coffee Bean.bmp

comsetup.log

Connection Wizard

control.ini

dahotfix.log

desktop.ini

Downloaded Installations

Downloaded Program Files

Driver Cache

DtcInstall.log(

explorer.exe

explorer.scf

FaxSetup.log

FeatherTexture.bmp

Gone Fishing.bmp

Greenstone.bmp

ieuninst.exe

imsins.BAK

imsins.log

Installer

jautoexp.dat

KB821557.log

KB823182.log

KB823559.log

KB824105.log

KB824141.log

KB825119.log

KB826939.log

KB828035.log

KB828741.log

KB835732.log

KB837001.log

KB839643.log

KB839645.log

KB840315.log

KB840374.log

KB841873.log

KB842773.log

LastGood.Tmp

loadhttp.dll

 

d.... 0 Jul 24 9:48 .

d.... 0 Jul 24 9:48 ..

....a 57344 Jul 12 15:22 resag.222

 

3 files found occupying 55296 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

RESAG.222 : crc16=3138 crc32=D5C9FB2E

 

-------- C:\FINDNFIX\JUNKXXX\RESAG.222

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2

===============================================================================

57,344 bytes 5,734,400 cps

Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-24-:4 09:48|RESAG 222 57344 A 07-12-:4 15:22

.. <dir> 07-24-:4 09:48|

---------------------------------------+---------------------------------------

3 files totaling 57344 bytes consuming 65024 bytes of disk space.

17299968 bytes available on Drive C: No volume label

 

...File dump...

 

DecAddr +4 +8 +12 © |ASCII Equiv or .| HexAddr

56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30

56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40

56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50

56928 00000000 00000000 00000000 a6f00100 |................| 0de60

56944 01000000 03000000 03000000 88f00100 |................| 0de70

56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80

56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90

56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0

57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0

57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0

57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0

57056 63655365 74757032 |ceSetup2 | 0dee0

 

Detecting...

 

C:\FINDnFIX\junkxxx

resag.222 ACL has 8 ACE(s)

SID = /Everyone S-1-1-0

ACE 0 is an ACCESS_ALLOWED_ACE_TYPE

ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 1 is an ACCESS_ALLOWED_ACE_TYPE

ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 2 is an ACCESS_ALLOWED_ACE_TYPE

ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 3 is an ACCESS_ALLOWED_ACE_TYPE

ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 4 is an ACCESS_ALLOWED_ACE_TYPE

ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = NT AUTHORITY/SYSTEM S-1-5-18

ACE 5 is an ACCESS_ALLOWED_ACE_TYPE

ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = HOMEPC/Stan S-1-5-21-1482476501-261478967-1801674531-1004

ACE 6 is an ACCESS_ALLOWED_ACE_TYPE

ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Users S-1-5-32-545

ACE 7 is an ACCESS_ALLOWED_ACE_TYPE

ACE 7 mask = 0x001200a9 -R -X

ACL done...

 

 

Finished Detecting...

Share this post


Link to post
Share on other sites

Nearly done!

Last step(s):

 

 

-Open the FINDnFIX\Files2< Subfolder:

Run the -> "ZIPZAP.bat" file.

It will quickly clean the rest and

will create a zipped copy of the bad file(s) in the same

folder (named as-- junkxxx.zip) and open your email

client with instructions:

Simply drag and drop the 'junkxxx.zip' file from

the folder into the mail message and submit

to the specified addresses! Thanks!

 

(*Please include the link in your mail to the board

that assisted you, so any errors in the process could be traced back!)

 

When done, restart your computer and

Delete and entire 'FINDnFIX' file+Subfolder(s)

From C:\

 

 

For the remaining problems (if any), run any and all

removal tools once again as they should work properly now!

In particular,

Latest CWShredder.exe and fully updated Ad-Aware!

 

Feel free to post follow up hijackthis log when done! ;)

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0