Jump to content


Photo

about:blank hijack


  • Please log in to reply
16 replies to this topic

#1 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 24 July 2004 - 08:10 PM

I've downloaded ad-aware, spybot, tracks eraser, and hijack this. Everything is also updated. I tried to delete the about:blank lines in hijack this, but the program won't allow me to fix. Can you please help?

Logfile of HijackThis v1.98.0
Scan saved at 8:04:00 PM, on 7/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\storage.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {126A639E-5B13-47F3-99A6-B2C8A8FEE5EA} - C:\WINDOWS\System32\hkpac.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spystuff\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [storage] C:\WINDOWS\System32\storage.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Spystuff\Tracks Eraser Pro\te.exe min
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresear...ia/OTXMedia.dll
O18 - Filter: text/html - {1BA2C9A2-7DCF-48E6-8A1B-A06D65462952} - C:\WINDOWS\System32\hkpac.dll
O18 - Filter: text/plain - {1BA2C9A2-7DCF-48E6-8A1B-A06D65462952} - C:\WINDOWS\System32\hkpac.dll

#2 Marianna

Marianna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 752 posts

Posted 24 July 2004 - 09:48 PM

Hi LJM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {126A639E-5B13-47F3-99A6-B2C8A8FEE5EA} - C:\WINDOWS\System32\hkpac.dll

Download and install APM from:
http://www.diamondcs...ex.php?page=apm

Close all windows except HijackThis and fix the lines above.

In the upper window of APM select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log(C:\WINDOWS\System32\hkpac.dll) Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware to remove the txt and html protocol association.

Run HIjackThis again and pls. post a FRESH log.
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010

#3 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 July 2004 - 10:19 AM

Thanks for your help. My homepage is still loading with about:blank. Here is the new log:

Logfile of HijackThis v1.98.0
Scan saved at 10:18:12 AM, on 7/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\HijackThis.exe
C:\WINDOWS\System32\storage.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spystuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E2F408FA-944F-40FB-9AE0-CE0F80AB577D} - C:\WINDOWS\System32\gpjooca.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [storage] C:\WINDOWS\System32\storage.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Spystuff\Tracks Eraser Pro\te.exe min
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresear...ia/OTXMedia.dll
O18 - Filter: text/html - {C4E792C2-9EC2-4B63-A763-D7D8D88296E1} - C:\WINDOWS\System32\gpjooca.dll
O18 - Filter: text/plain - {C4E792C2-9EC2-4B63-A763-D7D8D88296E1} - C:\WINDOWS\System32\gpjooca.dll

#4 Marianna

Marianna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 752 posts

Posted 25 July 2004 - 12:00 PM

Hi LJM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
Make sure all browser and all Windows Explorer windows are closed before fixing

O2 - BHO: (no name) - {E2F408FA-944F-40FB-9AE0-CE0F80AB577D} - C:\WINDOWS\System32\gpjooca.dll

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresear...ia/OTXMedia.dll


O18 - Filter: text/html - {C4E792C2-9EC2-4B63-A763-D7D8D88296E1} - C:\WINDOWS\System32\gpjooca.dll
O18 - Filter: text/plain - {C4E792C2-9EC2-4B63-A763-D7D8D88296E1} - C:\WINDOWS\System32\gpjooca.dll

Then reboot and use AdAware as described :
HERE

Spybot S&D
The download for Spybot S&D is available here: http://www.computerc...s-file-108.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems".

Close Spybot S&D, reboot your system .

Then use the Disk Cleanup Utility to empty all your Temp folders.

Then Disable system restore: Instructions here
Reboot

Enable System Restore.

Problems gone?

BTW - go to Windows Update and get ALL critical updates !
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010

#5 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 July 2004 - 06:57 PM

Thank you Marianna. So far, so good. I have rebooted my pc twice and everything is working fine. I really appreciate your help!!! :D

LJM

#6 Marianna

Marianna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 752 posts

Posted 25 July 2004 - 07:14 PM

Hi LJM

Thanks for your feedback ! Glad we could help !

Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.

Happy Safe Computing !
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010

#7 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 July 2004 - 09:35 PM

Mariana,

Sorry to say it has re-appeared. Should I just delete the same processes? Here is the log:

Logfile of HijackThis v1.98.0
Scan saved at 9:33:39 PM, on 7/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
C:\WINDOWS\System32\storage.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spystuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {81637E8D-0E0A-4083-AD29-D5021DC53A94} - C:\WINDOWS\System32\ijomaha.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [storage] C:\WINDOWS\System32\storage.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Spystuff\Tracks Eraser Pro\te.exe min
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {CBEE224B-E1EE-42AB-982B-B6A025F374D0} - C:\WINDOWS\System32\ijomaha.dll
O18 - Filter: text/plain - {CBEE224B-E1EE-42AB-982B-B6A025F374D0} - C:\WINDOWS\System32\ijomaha.dll

#8 Marianna

Marianna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 752 posts

Posted 25 July 2004 - 09:42 PM

LJM

Let's try this:

Download and install APM from: http://www.diamondcs...ex.php?page=apm


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {81637E8D-0E0A-4083-AD29-D5021DC53A94} - C:\WINDOWS\System32\ijomaha.dll




Close all windows except HijackThis and fix the lines above.

In the upper window select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log(C:\WINDOWS\System32\ijomaha.dll)

Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware to remove the txt and html protocol association.

Is it now gone??
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010

#9 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 July 2004 - 07:51 PM

Here is a new log. The fix works for a few hours then the homepage gets jacked again.

Logfile of HijackThis v1.98.0
Scan saved at 7:49:23 PM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\storage.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\user\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {027C16C0-3D76-494E-B309-861F98B295E1} - C:\WINDOWS\System32\bcfa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spystuff\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [storage] C:\WINDOWS\System32\storage.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Spystuff\Tracks Eraser Pro\te.exe min
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {06B944F5-9F5B-460E-B8A8-5EC95DA31298} - C:\WINDOWS\System32\bcfa.dll
O18 - Filter: text/plain - {06B944F5-9F5B-460E-B8A8-5EC95DA31298} - C:\WINDOWS\System32\bcfa.dll

#10 Marianna

Marianna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 752 posts

Posted 29 July 2004 - 08:15 PM

Hang in there - will get an Expert
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010

#11 grinler

grinler

    Bleeper

  • Expert
  • PipPipPipPipPip
  • 530 posts

Posted 29 July 2004 - 10:28 PM

Hi all :) Marianna asked me to come over and give a hand.

Please do the following:

Download the program FindNFix from the following location:

http://www10.brinkst...freeatlast/FNF/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.
<b>Lawrence</b>

#12 Marianna

Marianna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 752 posts

Posted 29 July 2004 - 10:41 PM

THANKS Grinler !


I really appreciate !
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010

#13 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 August 2004 - 03:44 PM

╗╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗╗╗
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2600.0000 Q832894-Q330994-Q823353
The type of the file system is NTFS.
C: is not dirty.

Sun 01 Aug 04 15:38:16
3:38pm up 0 days, 0:27

╗╗╗╗╗╗'Dos devices'...
Location Type Name/Units Attributes
======================================================
XXXX:XXXX CHAR NUL 1000000000000100
02DB:0000 CHAR XMSXXXX0 1010000000000000
0070:0024 CHAR CON 1000000000010011
0070:0036 CHAR AUX 1000000000000000
0070:0048 CHAR PRN 1010100011000000
0070:005A CHAR CLOCK$ 1000000000001000
0070:006C CHAR COM1 1000000000000000
0070:007E CHAR LPT1 1010100011000000
0070:0090 CHAR LPT2 1010100011000000
0070:00A2 CHAR LPT3 1010100011000000
0070:00B4 CHAR COM2 1000000000000000
0070:00C6 CHAR COM3 1000000000000000
0070:00D8 CHAR COM4 1000000000000000
======================================================

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*updated 7/30)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗╗*╗╗╗*Use at your own risk!╗╗╗*╗╗╗*

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\COMDC.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMDC.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
COMDC.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
comdc.dll Wed Jul 14 2004 8:00:10a A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\COMDC.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
» Access denied « ..................... COMDC.DLL .....57344 14.07.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\COMDC.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINDOWS\SYSTEM32\
comdc.dll Wed Jul 14 2004 8:00:10a A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\COMDC.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group USER-SEAR8Q14WY\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
3:40pm up 0 days, 0:29
Sun 01 Aug 04 15:40:08

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 08-01-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 08-01-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Sun Aug 1 2004 3:31:40p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: ?
00001190: vk < f AppInit_
000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ c o m d c .
00001210:d l l vk P UDeviceNotSelectedTimeout
00001250: 1 5 ( W 9 0 ! vk ' zGDIProce
00001290:ssHandleQuota" vk Spooler2 y e s
000012D0: p vk =pswapdisk vk
00001310: ` R TransmissionRetryTimeout p
00001350: X vk ' 6 USERProcessHandleQuota6 x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠG└   C
--------------
--------------
$011C8: AppInit_DLLs
$01237: UDeviceNotSelectedTimeout
$01287: zGDIProcessHandleQuota
$01320: TransmissionRetryTimeout
$01370: USERProcessHandleQuota6
--------------
--------------
C:\WINDOWS\System32\comdc.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\comdc.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 63 00 6f 00 6d 00 64 00 | m.3.2.\.c.o.m.d.
0030 63 00 2e 00 64 00 6c 00 6c 00 00 00 | c...d.l.l...

------------
Dos mem debug...
Segment Size Owner Type Vectors
=======================================================
020B 02030 IO SYSTEM DATA
040F 00A20 COMMAND PROGRAM 22 23 24 2E
04B2 00070 MSDOS FREE
04BA 003F0 COMMAND ENVIRONMENT
04FA 00320 MSDOS FREE
052D 00840 LMEM PROGRAM
05B2 9A4D0 MSDOS FREE
=======================================================

#14 grinler

grinler

    Bleeper

  • Expert
  • PipPipPipPipPip
  • 530 posts

Posted 01 August 2004 - 05:12 PM

Now that we know what the offending file is, we can move to the next step.

Please open the FindNFix folder which can be found at c:\findnfix.

Inside that folder will be another folder called keys1. Please double-click on that folder.

When that folder opens you will see a file called Fix.bat. Double-click on that file to start it.

You will get an alert that your computer will reboot in about 15 seconds. Allow the computer to reboot.

When the computer has rebooted and you are at the desktop. Click on the Start menu and select Search. You want to find the file C:\WINDOWS\System32\comdc.dll.

When the file is found, select the C:\WINDOWS\System32\comdc.dll file by clicking on it once so it becomes highlighted. Then click on the Edit menu and select the "Move to Folder" option. Scroll down until you see the C: drive and expand, by clicking on the plus sign, that directory, and then expand the FindNFix directory. You should then see under the C:\FindNFix directory a directory called junkxxx. Select that as the final destination and click on the Move button. If you get a warning about the file being read-only, allow it to be moved anyway.

When that is completed, open up the c:\findnfix folder again and double-click on the RESTORE.bat file.

When it is finished, open the c:\findnfix folder again and double click on the Log1.txt file found there. This will open up notepad. Please post all of the contents of the notepad that opens in a reply to this topic.
<b>Lawrence</b>

#15 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 August 2004 - 05:36 PM

╗╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗╗╗
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2600.0000 Q832894-Q330994-Q823353
The type of the file system is NTFS.
C: is not dirty.

Sun 01 Aug 04 15:38:16
3:38pm up 0 days, 0:27

╗╗╗╗╗╗'Dos devices'...
Location Type Name/Units Attributes
======================================================
XXXX:XXXX CHAR NUL 1000000000000100
02DB:0000 CHAR XMSXXXX0 1010000000000000
0070:0024 CHAR CON 1000000000010011
0070:0036 CHAR AUX 1000000000000000
0070:0048 CHAR PRN 1010100011000000
0070:005A CHAR CLOCK$ 1000000000001000
0070:006C CHAR COM1 1000000000000000
0070:007E CHAR LPT1 1010100011000000
0070:0090 CHAR LPT2 1010100011000000
0070:00A2 CHAR LPT3 1010100011000000
0070:00B4 CHAR COM2 1000000000000000
0070:00C6 CHAR COM3 1000000000000000
0070:00D8 CHAR COM4 1000000000000000
======================================================

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*updated 7/30)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗╗*╗╗╗*Use at your own risk!╗╗╗*╗╗╗*

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\COMDC.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMDC.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
COMDC.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
comdc.dll Wed Jul 14 2004 8:00:10a A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\COMDC.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
» Access denied « ..................... COMDC.DLL .....57344 14.07.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\COMDC.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINDOWS\SYSTEM32\
comdc.dll Wed Jul 14 2004 8:00:10a A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\COMDC.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group USER-SEAR8Q14WY\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
3:40pm up 0 days, 0:29
Sun 01 Aug 04 15:40:08

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 08-01-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 08-01-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Sun Aug 1 2004 3:31:40p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: ?
00001190: vk < f AppInit_
000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ c o m d c .
00001210:d l l vk P UDeviceNotSelectedTimeout
00001250: 1 5 ( W 9 0 ! vk ' zGDIProce
00001290:ssHandleQuota" vk Spooler2 y e s
000012D0: p vk =pswapdisk vk
00001310: ` R TransmissionRetryTimeout p
00001350: X vk ' 6 USERProcessHandleQuota6 x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠG└   C
--------------
--------------
$011C8: AppInit_DLLs
$01237: UDeviceNotSelectedTimeout
$01287: zGDIProcessHandleQuota
$01320: TransmissionRetryTimeout
$01370: USERProcessHandleQuota6
--------------
--------------
C:\WINDOWS\System32\comdc.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\comdc.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 63 00 6f 00 6d 00 64 00 | m.3.2.\.c.o.m.d.
0030 63 00 2e 00 64 00 6c 00 6c 00 00 00 | c...d.l.l...

------------
Dos mem debug...
Segment Size Owner Type Vectors
=======================================================
020B 02030 IO SYSTEM DATA
040F 00A20 COMMAND PROGRAM 22 23 24 2E
04B2 00070 MSDOS FREE
04BA 003F0 COMMAND ENVIRONMENT
04FA 00320 MSDOS FREE
052D 00840 LMEM PROGRAM
05B2 9A4D0 MSDOS FREE
=======================================================

#16 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 01 August 2004 - 05:51 PM

Hi there!

Can you open the FINDnFIX folder, locate a file named:
log2.txt
And post it?

Both of your posted logs have same creation time (15:38:16)
which makes me suspect you indeed copied the wrong log... :scratchhead:
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#17 LJM

LJM

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 August 2004 - 06:02 PM

╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗


Sun 01 Aug 04 17:53:16
5:53pm up 0 days, 0:26

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2600.0000 Q832894-Q330994-Q823353
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG2!(*updated 7/30)***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.
Unknown/hidden files...

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗╗╗(5)╗╗╗╗╗

╗╗╗╗╗(6)╗╗╗╗╗

╗╗╗╗╗╗╗ Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

* result\\?\C:\FINDnFIX\junkxxx\COMDC.333


C:\FINDNFIX\JUNKXXX\
comdc.333 Wed Jul 14 2004 8:00:10a A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\COMDC.333
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.*

**File C:\FINDNFIX\JUNKXXX\COMDC.333
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- COMDC .333 0000E000 08:00.10 14/07/2004

--a-- W32i - - - - 57,344 07-14-2004 comdc.333
A C:\FINDnFIX\junkxxx\comdc.333

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
COMDC.333 57344 07-14-104 08:00 c185b36f9969d3a6d2122ba7cbc02249

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
COMDC.333 : crc16=3138 crc32=D5C9FB2E


File: <C:\FINDnFIX\junkxxx\comdc.333>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249


#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
(CRC16 : 3138)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
(CRC16 : EEB1)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
(CRC16 : 90A5)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
╗╗Permissions:
C:\FINDnFIX\junkxxx\comdc.333 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
USER-SEAR8Q14WY\user:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x USER-SEAR8Q14WY\user
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: USER-SEAR8Q14WY\user

Primary Group: USER-SEAR8Q14WY\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x USER-SEAR8Q14WY\user
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: USER-SEAR8Q14WY\user

Primary Group: USER-SEAR8Q14WY\None

File "C:\FINDnFIX\junkxxx\comdc.333"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x USER-SEAR8Q14WY\user
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: USER-SEAR8Q14WY\user

Primary Group: USER-SEAR8Q14WY\None

C:\FINDnFIX\junkxxx\comdc.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\comdc.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\comdc.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\comdc.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\comdc.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\comdc.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\comdc.333;USER-SEAR8Q14WY\user:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\comdc.333;BUILTIN\Users:RrRaRepX[I]



╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' 6 USERProcessHandleQuota6 8
00001310:h vk y AppInit_DLLsecte
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLsecteŞ

--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuota6
$01338: AppInit_DLLsecte
--------------
--------------
No strings found.


d.... 0 Aug 1 15:31 .
d.... 0 Aug 1 15:31 ..
....a 57344 Jul 14 8:00 comdc.333

3 files found occupying 55296 bytes

-------- C:\FINDNFIX\JUNKXXX\COMDC.333
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 819,200 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.07

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 08-01-:4 15:31|COMDC 333 57344 A 07-14-:4 08:00
.. <dir> 08-01-:4 15:31|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...

junkxxx\comdc.333
1 file(s) copied.
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...
C:\FINDnFIX\junkxxx
comdc.333 ACL has 8 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = USER-SEAR8Q14WY/user S-1-5-21-527237240-789336058-1708537768-1003
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001200a9 -R -X
ACL done...

Finished Detecting...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button