Jump to content


Photo

Windows XP Home, Ad Serve, Allaboutsearching


  • Please log in to reply
10 replies to this topic

#1 rockstar

rockstar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 July 2004 - 09:08 PM

I have Windows XP Home version and downloaded "something" that has just taken over! My hard drive runs continuously and I noticed that I have a lot of .exe that are suspect: rundll32.exe, javayg32.exe, WToolsA.exe, dmloader204d.exe, MProcessor.exe. I can never shutdown the javayg32 and WToolsA processes in Task Manager. I ran a virus scan with Norton and it found over 118 programs and dll's that were suspect and described them as ad ware. It did find Trojan.ByteVerify. Ran CWShredder and it fixed an IE registry key. Also ran HijackThis (see results below). Also ran Spybot (with updates) and it found a couple of things that I "fixed." Even after all of this, I opened IE and it brought up AllaboutSearching and Ad Serve.

Please help... my PC is unusable!

Logfile of HijackThis v1.97.7
Scan saved at 9:30:40 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\javayg32.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\documents and settings\owner\local settings\temp\Ep.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\documents and settings\owner\local settings\temp\EmKI99.exe
C:\WINDOWS\syssa32.exe
C:\WINDOWS\System32\hpr4svc.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...p://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ircvuozt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ircvuozt.slt\prefs.js)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {F3B83A92-A1D1-BD6C-69DB-EAEF4B4D27B8} - C:\WINDOWS\syshi32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [apiaf.exe] C:\WINDOWS\system32\apiaf.exe
O4 - HKLM\..\Run: [Ep] C:\documents and settings\owner\local settings\temp\Ep.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Mszsh0g.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ROAMHOPE] C:\PROGRA~1\ERRORB~1\RECTSLOW.exe
O4 - HKLM\..\Run: [EmKI99] C:\documents and settings\owner\local settings\temp\EmKI99.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [syssa32.exe] C:\WINDOWS\syssa32.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [Jws9RRZpe] hpr4svc.exe
O4 - HKCU\..\Run: [dmloader204d.exe] "C:\WINDOWS\System32\dmloader204d.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: Image Transfer.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Office Startup.lnk.disabled
O4 - Global Startup: officejet 6100.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 July 2004 - 10:53 PM

  • To Remove your peper infection please follow the listed procedure:
  • Please follow the instructions below to remove TargetSoft.inetadpt manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If TargetSoft.inetadpt remains on your system after stepping through the removal instructions, please double-check by stepping through them again. Please notice that inetadpt.dll is a layered socket provider that can break your internet connection if it is removed incorrectly.
    • Download and run LSPFix.
    • Check 'I know what I'm doing'.
    • Select 'inetadpt.dll'.
    • Click the right-pointing arrow.
    • Click 'Finished'.
    • Restart your computer.
    • Delete the following file: %SystemDir%\inetadpt.dll - Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • Due to the number of infections that you have, can you please run through the following procedures and after you have completed them, reboot and post another HijackThis log into this message for further review:
    • Run either of these free online virus scans.
    • Run Ad-Aware with the latest update.
      • Download the latest version of Ad-Aware from here.
      • After installing Ad-aware, and before running the program, Please be sure to update the reference file as per these instructions.
      • Reconfigure Ad-Aware for Full Scan as per the following instructions:
        • Launch the program, and click on the Gear at the top of the start screen.
        • Click the "Scanning" button (On the left side).
        • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
        • Click "Click here to select Drives + folders" and select your installed hard drives.
        • Under Memory & Registry, select all options.
        • Click the "Advanced" button (On the left hand side).
        • Under "Log-file detail", select all options.
        • Click the "Tweak" button (Again, on the left hand side).
        • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:
        • "Include additional Ad-aware settings in logfile"
        • "Unload recognized processes during scanning."
      • Under "Cleaning Engine", select the following:
        • "Automatically try to unregister objects prior to deletion."
        • "Let Windows remove files in use after reboot."
      • Click on "Proceed" to save these Preferences.
      • Click on the "Scan Now" button on the left.
      • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
      • Select "Activate in-Depth scan".
    • Close all programs except ad-aware.
    • Click on "Next" in the bottom right corner to start the scan.
    • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
    • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.
  • Download the latest version of Spybot from either:
    • Install spybot and by default is should install into C:\Program Files\Spybot - Search & Destroy.
    • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
    • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
    • Click on "Search for Updates".
    • If any updates are found, place a check mark next to each and click on "Download Updates".
    • Click on "Immunize" and once it detect what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
    • Click on "Search & Destroy" => "Check for Problems".
    • If any problems are found, be sure to click on "Fix Selected Problems".
  • Download, install and run Tojan Hunter (Trial)


#3 rockstar

rockstar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 03 August 2004 - 06:47 PM

Ok, followed the instructions to the letter. Didn't find and Peper files. Ran LSPFix but it didn't list the inetadpt.dll file and I couldn't find the file when I searched the proper directory. I ran the latest McAfee AV scan and deleted any files that it found. Ran Awaware and Spybot full scan per instructions. Whatever it found, I deleted/fixed it. Also ran Trojan Hunter and included the results below. Please note: when I boot up, I noticed the following processes: Mprocessor.exe, EmKI99.exe, RECTSlow.exe, Ep.exe, and javayg32.exe. Mprocessor chews up a lot of cycles but I can shut it down. I can also shut down Ep, EmKI99, and RECTSlow. However, I can't shut down the javayg32.exe.

Trojan Hunter results:
Found possible trojan file: C:\WINDOWS\system32\dmloader204.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\WINDOWS\system32\fInst.exe (Suspicious: UPX-packed file in Windows System folder) Warning: Unable to unpack UPX-packed file C:\WINDOWS\system32\javayg32.exe
Found possible trojan file: C:\WINDOWS\system32\javayg32.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\WINDOWS\system32\linkinfo373a.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\WINDOWS\system32\odfox32666b.exe (Suspicious: UPX-packed file in Windows System folder)

Then, did a final HijackThis scan and am attaching the log file:
Logfile of HijackThis v1.97.7
Scan saved at 7:16:50 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\javayg32.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\TrojanHunter 3.9\THGuard.exe
C:\WINDOWS\System32\taskmgr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ircvuozt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ircvuozt.slt\prefs.js)
O2 - BHO: (no name) - {856DD269-3836-4D2B-98B7-0669B786E833} - C:\WINDOWS\System32\mibec.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Ep] C:\documents and settings\owner\local settings\temp\Ep.exe
O4 - HKLM\..\Run: [ROAMHOPE] C:\PROGRA~1\ERRORB~1\RECTSLOW.exe
O4 - HKLM\..\Run: [EmKI99] C:\documents and settings\owner\local settings\temp\EmKI99.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [dmloader204d.exe] "C:\WINDOWS\System32\dmloader204d.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: Image Transfer.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Office Startup.lnk.disabled
O4 - Global Startup: officejet 6100.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I think we are close to getting this cleaned up. Your help and patience is much appreciated.

#4 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 03 August 2004 - 08:57 PM

To anyone other than the originator of this topic: do not use this thread to try to fix your system or anyone elses by copying it - this is not an automatic fix and requires the logs to be properly interpreted.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

#5 rockstar

rockstar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 04 August 2004 - 12:30 PM

I can't get the FindnFix file to self extract to my C drive. I've asked the freeatlast site for help.

Any hints"

Thanks,

#6 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 04 August 2004 - 01:29 PM

I have run into the same problem - I am waiting for a response from FreeatLast.

#7 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 04 August 2004 - 02:57 PM

It has been fixed - Please download again.

#8 rockstar

rockstar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 04 August 2004 - 07:26 PM

Awesome....

Here's the log file:
Wed 04 Aug 04 20:19:10

╗╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗╗╗
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600)


Microsoft Windows XP [Version 5.1.2600]
IE version:
6.0.2800.1106 SP1-Q810847-Q818529-Q813951-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353-Q867801

The type of the file system is NTFS.

Wednesday, August 04, 2004 (8/4/2004)
8:19 PM, Eastern Standard Time
8:19pm up 0 days, 10:09


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*updated 8/05)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗╗*╗╗╗*Use at your own risk!╗╗╗*╗╗╗*

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...

C:\WINDOWS\SYSTEM32\LOGMD.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGMD.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
LOGMD.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
logmd.dll Tue Jun 29 2004 7:38:12p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\LOGMD.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
» Access denied « ..................... LOGMD.DLL .....57344 29.06.2004

╗╗╗╗╗(*6*)╗╗╗╗╗
fgrep: can't open input C:\WINDOWS\SYSTEM32\LOGMD.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


C:\WINDOWS\SYSTEM32\
logmd.dll Tue Jun 29 2004 7:38:12p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\LOGMD.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗


BHO search...

fgrep: can't open input C:\WINDOWS\SYSTEM32\LOGMD.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL


╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\logmd.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINDOWS\System32\logmd.dll

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group YOUR-KYBTG65GXE\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
8:20pm up 0 days, 10:11
Wed 04 Aug 04 20:20:59

A C:\FindnFix\keyback.hiv
--a-- - - - - - 8,192 08-04-2004 keyback.hiv
A C:\FindnFix\keys1\winkey.reg
--a-- - - - - - 319 08-04-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Wed Aug 4 2004 8:19:10p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' n USERProcessHandleQuotan h X
000012D0: vk < oxAppInit_DLLsUDP5 C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ l o g m d . d l l
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
oxAppInit_DLLsUDP5└   C
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuotan
$012EE: oxAppInit_DLLsUDP5
--------------
--------------
C:\WINDOWS\System32\logmd.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="C:\\WINDOWS\\System32\\logmd.dll"

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\logmd.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 6c 00 6f 00 67 00 6d 00 | m.3.2.\.l.o.g.m.
0030 64 00 2e 00 64 00 6c 00 6c 00 00 00 | d...d.l.l...

-----END------
Wed 04 Aug 04 20:21:00


#9 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 05 August 2004 - 09:15 AM

This will take couple or more steps to fix. Be sure to Follow the next set of steps carefully, in the exact order specified:
  • Get ready to restart your computer.
  • Open the "FINDnFIX\Keys1" Subfolder!
  • Double Click on the "FIX.bat" file and you will get a prompt preparing for auto-restart in 10 seconds.
  • Allow your computer to restart.
  • After the reboot, go to "Start" => "Search" and find "LOGMD.DLL" (This should be a visible file in the %WINDIR%\system32 folder).
  • Right click on the file and select "Cut".
  • Immediately open C:\FINDnFIX\junkxxx.
  • Right click in this folder and select "Paste" from the menu.
  • If prompted about moving a read only file, just press "OK".
  • Verify that the offending .dll file is now in this directory. e.g. C:\FINDnFIX\junkxxx\LOGMD.DLL.
  • Go back one level to C:\FINDnFIX and double click on the "RESTORE.bat" file to run it.
  • A new log will be generated (log2.txt) - Please post it here.
  • Note:
  • Do not change/move around or tamper with any of the file(s) folder(s) and path included in the 'FINDnFIX' folder.


#10 rockstar

rockstar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 August 2004 - 07:06 PM

Finally got it to work. Had to shutdown all the McAfee programs because I think they were preventing me from pasting the file. McAfee kept telling me the logmd.dll file was a virus.

Anyways, here's the log2.txt file you requested. Thanks for the help... we're almost there.

Sat 07 Aug 04 19:38:47
╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗

Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600)


Microsoft Windows XP [Version 5.1.2600]
IE version:
6.0.2800.1106 SP1-Q810847-Q818529-Q813951-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353-Q867801

The type of the file system is NTFS.

Saturday, August 07, 2004 (8/7/2004)
7:38 PM, Eastern Standard Time
7:38pm up 0 days, 0:09

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG2!(*updated 8/05)***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.
Unknown/hidden files...

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗╗╗(5)╗╗╗╗╗

╗╗╗╗╗(6)╗╗╗╗╗

╗╗╗╗╗╗╗ Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗


BHO search...


Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL


╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

* result\\?\C:\FINDnFIX\junkxxx\LOGMD.333


C:\FINDNFIX\JUNKXXX\
logmd.333 Tue Jun 29 2004 7:38:12p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\LOGMD.333
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.*

**File C:\FINDNFIX\JUNKXXX\LOGMD.333
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- LOGMD .333 0000E000 19:38.12 29/06/2004

--a-- W32i - - - - 57,344 06-29-2004 logmd.333
A C:\FINDnFIX\junkxxx\logmd.333

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
LOGMD.333 57344 06-29-104 19:38 c185b36f9969d3a6d2122ba7cbc02249

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
LOGMD.333 : crc16=3138 crc32=D5C9FB2E


File: <C:\FINDnFIX\junkxxx\logmd.333>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
(CRC16 : 3138)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
(CRC16 : EEB1)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
(CRC16 : 90A5)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
╗╗Permissions:
C:\FINDnFIX\junkxxx\logmd.333 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
YOUR-KYBTG65GXE\Owner:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-KYBTG65GXE\Owner
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: YOUR-KYBTG65GXE\Owner

Primary Group: YOUR-KYBTG65GXE\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-KYBTG65GXE\Owner
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: YOUR-KYBTG65GXE\Owner

Primary Group: YOUR-KYBTG65GXE\None

File "C:\FINDnFIX\junkxxx\logmd.333"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-KYBTG65GXE\Owner
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: YOUR-KYBTG65GXE\Owner

Primary Group: YOUR-KYBTG65GXE\None

C:\FINDnFIX\junkxxx\logmd.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\logmd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\logmd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\logmd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\logmd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\logmd.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\logmd.333;YOUR-KYBTG65GXE\Owner:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\logmd.333;BUILTIN\Users:RrRaRepX[I]



╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: > vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' n USERProcessHandleQuotan h X
000012D0: vk S AppInit_DLLsecte p://installd
00001310:ollars.com/scripts/adware.php?os=%s&mac=%s 6 ' userid=A
00001350:768450784D6480A8316ED486F3B5E1D " [initializations]
00001390:N > main=http://installdollars.com/scripts/adware.php?os
000013D0:=%s&mac=%s " [initializations] N > main=htt
00001410:p://installdollars.com/scripts/adware.php?os=%s&mac=%s 6
00001450:' userid=A768450784D6480A8316ED486F3B5E1D register
00001490:ed=true " [initializations] N > main=http://
000014D0:installdollars.com/scripts/adware.php?os=%s&mac=%s "
00001510:[initializations] N > main=http://installdollars.com/s
00001550:c

---------- NEWWIN.TXT
AppInit_DLLsecte
--------------
--------------
$000BC: initializations
$00124: installdollars
$0018F: A768450784D6480A8316ED486F3B5E1D
$001BC: initializations
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuotan
$012F0: AppInit_DLLsecte
$01308: installdollars
$0134F: A768450784D6480A8316ED486F3B5E1D
$0137D: initializations
$013A8: installdollars
$013E9: initializations
$01414: installdollars
$0145B: A768450784D6480A8316ED486F3B5E1D
$014A5: initializations
$014D0: installdollars
$01511: initializations
$0153C: installdollars
$01583: A768450784D6480A8316ED486F3B5E1D
$015B1: initializations
$015DC: installdollars
$0161D: initializations
$01648: installdollars
$0168F: A768450784D6480A8316ED486F3B5E1D
$016D9: initializations
$01704: installdollars
$01745: initializations
$01770: installdollars
$017B7: A768450784D6480A8316ED486F3B5E1D
$017E5: initializations
$01810: installdollars
$01851: initializations
$0187C: installdollars
$018C3: A768450784D6480A8316ED486F3B5E1D
$0190D: initializations
$01938: installdollars
$01979: initializations
$019A4: installdollars
$019EB: A768450784D6480A8316ED486F3B5E1D
$01A19: initializations
$01A44: installdollars
$01A85: initializations
$01AB0: installdollars
$01AF7: A768450784D6480A8316ED486F3B5E1D
$01B41: initializations
$01B6C: installdollars
$01BAD: initializations
$01BD8: installdollars
$01C1F: A768450784D6480A8316ED486F3B5E1D
$01C4D: initializations
$01C78: installdollars
$01CB9: initializations
$01CE4: installdollars
$01D2B: A768450784D6480A8316ED486F3B5E1D
$01D75: initializations
$01DA0: installdollars
$01DE1: initializations
$01E0C: installdollars
$01E53: A768450784D6480A8316ED486F3B5E1D
$01E81: initializations
$01EAC: installdollars
$01EED: initializations
$01F18: installdollars
$01F5F: A768450784D6480A8316ED486F3B5E1D
$01FA9: initializations
$01FD4: installdollars
--------------
--------------
No strings found.


d.... 0 Aug 4 20:19 .
d.... 0 Aug 4 20:19 ..
....a 57344 Jun 29 19:38 logmd.333

3 files found occupying 55296 bytes

-------- C:\FINDNFIX\JUNKXXX\LOGMD.333
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 477,867 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.12

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 08-04-:4 20:19|LOGMD 333 57344 A 06-29-:4 19:38
.. <dir> 08-04-:4 20:19|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: Volume label: PRESARIO

...File dump...

junkxxx\logmd.333
1 file(s) copied.
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...

C:\FINDnFIX\junkxxx
logmd.333 ACL has 8 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = YOUR-KYBTG65GXE/Owner S-1-5-21--1746115962--675965124-507864588-1003
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001200a9 -R -X
ACL done...


Finished Detecting...
Sat 07 Aug 04 19:52:10
-----END-----


#11 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 08 August 2004 - 12:32 AM

Please reboot into safe mode - How do I boot into "Safe" mode?

Run HijackThis and delete:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {856DD269-3836-4D2B-98B7-0669B786E833} - C:\WINDOWS\System32\mibec.dll (file missing)
O4 - HKLM\..\Run: [Ep] C:\documents and settings\owner\local settings\temp\Ep.exe
O4 - HKLM\..\Run: [EmKI99] C:\documents and settings\owner\local settings\temp\EmKI99.exe
O4 - HKCU\..\Run: [dmloader204d.exe] "C:\WINDOWS\System32\dmloader204d.exe"
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: Image Transfer.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O4 - Global Startup: Office Startup.lnk.disabled
O4 - Global Startup: officejet 6100.lnk.disabled
O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...a...ash/swflash

Then delete the file:
C:\WINDOWS\System32\dmloader204d.exe

Empty the directories (i.e. Delete all contents but not the directory itself):
C:\WINDOWS\TEMP\
C:\documents and settings\owner\local settings\temp\

Still in safe mode ...
Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware from here.
  • After installing Ad-aware, and before running the program, Please be sure to update the reference file as per these instructions.
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Log-file detail", select all options.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:
      • "Include additional Ad-aware settings in logfile"
      • "Unload recognized processes during scanning."
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "Let Windows remove files in use after reboot."
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
    • Select "Activate in-Depth scan".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.
REboot, sign in normally and post a fresh HijackThis log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button