ferkules

I need my log file cleaned up... Please Help

6 posts in this topic

I'm getting my homepage hijacked and I can't get into Hotmail without the about:about web page taking over.

 

Here is my log file:

 

Logfile of HijackThis v1.98.0

Scan saved at 8:04:31 PM, on 7/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Mixer.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Common Files\FotoNation\EvLstnr.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {D9CFC3DD-F211-4EE0-87A1-E52A8A80B53F} - C:\WINDOWS\System32\hipgnle.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [EVENTLISTENER] C:\Program Files\Common Files\FotoNation\EvLstnr.exe

O4 - HKCU\..\Run: [5-2-125-1] c:\windows\5-2-125-1.exe -m

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Startup: .DS_Store

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Reboot.exe

O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.refurbdepot.com/CFIDE/classes/CFJava.cab

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/...trolLite_KR.cab

O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwi...zard3.0.4.3.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/...eAutoLaunch.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O18 - Filter: text/html - {1C3112A9-31FA-4D99-B2FB-4D727D218FC7} - C:\WINDOWS\System32\hipgnle.dll

O18 - Filter: text/plain - {1C3112A9-31FA-4D99-B2FB-4D727D218FC7} - C:\WINDOWS\System32\hipgnle.dll


Please do the following:

 

Download the program FindNFix from the following location:

 

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

 

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

 

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

 

Copy the contents of that file into a reply to this post.


Here's the log....

 

 

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q328970-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

Wed 28 Jul 04 21:16:21

9:16pm up 0 days, 0:08

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove

without attempting to confirm it's nature!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!

If in doubt, always search the file(s) and properties according to criteria!

 

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/29)»»»»»»»»»»»»»»»»

 

»»»*»»»*Use at your own risk!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

C:\WINDOWS\System32\MSFD.DLL +++ File read error

\\?\C:\WINDOWS\System32\MSFD.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

MSFD.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINDOWS\SYSTEM32\

msfd.dll Sun Jun 20 2004 1:09:28a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\MSFD.DLL

SNiF 1.34 statistics

 

Matching files : 1 Amount in bytes : 57344

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

 

»»»»»(*5*)»»»»»

¯ Access denied ® ..................... MSFD.DLL .....57344 20.06.2004

 

»»»»»(*6*)»»»»»

fgrep: can't open input C:\WINDOWS\SYSTEM32\MSFD.DLL

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

C:\WINDOWS\SYSTEM32\

msfd.dll Sun Jun 20 2004 1:09:28a A...R 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\MSFD.DLL

SNiF 1.34 statistics

 

Matching files : 1 Amount in bytes : 57344

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group USER-B8P8HF7208\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

9:18pm up 0 days, 0:11

Wed 28 Jul 04 21:18:55

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-28-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-28-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Wed Jul 28 2004 9:16:20p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: vk : f AppInit_DLLs G

00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ m s f d . d l l m

000011D0: h vk UDeviceNotSelectedTimeout 1 5

00001210: P 9 0 vk ' zGDIProcessHandle

00001250:Quota" vk x Spooler2 y e s _ h

00001290: ( X vk 5swapdisk vk

000012D0: . TransmissionRetryTimeout h ( X

00001310: vk ' R USERProcessHandleQuota\

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æGÀÿÿÿC

--------------

--------------

$01180: AppInit_DLLs

$011EF: UDeviceNotSelectedTimeout

$0123F: zGDIProcessHandleQuota

$012D8: TransmissionRetryTimeout

$01328: USERProcessHandleQuota

--------------

--------------

svchost.exe

C:\WINDOWS\System32\msfd.dll

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : "C:\WINDOWS\System32\msfd.dll"

0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.

0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.

0020 6d 00 33 00 32 00 5c 00 6d 00 73 00 66 00 64 00 | m.3.2.\.m.s.f.d.

0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...


Now that we know what the offending file is, we can move to the next step.

 

Please open the FindNFix folder which can be found at c:\findnfix.

 

Inside that folder will be another folder called keys1. Please double-click on that folder.

 

When that folder opens you will see a file called Fix.bat. Double-click on that file to start it.

 

You will get an alert that your computer will reboot in about 15 seconds. Allow the computer to reboot.

 

When the computer has rebooted and you are at the desktop, click on the Start menu and select Search. You want to find the file C:\WINDOWS\System32\msfd.dll.

 

When the file is found, select the C:\WINDOWS\System32\msfd.dll file by clicking on it once so it becomes highlighted. Then click on the Edit menu and select the "Move to Folder" option. Scroll down until you see the C: drive and expand, by clicking on the plus sign, that directory, and then expand the FindNFix directory. You should then see under the C:\FindNFix directory a directory called junkxxx. Select that as the final destination and click on the Move button. If you get a warning about the file being read-only, allow it to be moved anyway.

 

When that is completed, open up the c:\findnfix folder again and double-click on the RESTORE.bat file.

 

When it is finished, open the c:\findnfix folder again and double click on the Log1.txt file found there. This will open up notepad. Please post all of the contents of the notepad that opens in a reply to this topic.

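How the first FindNFix log singles out msfd.dll, as an added example that is not part of the original thread or of FindNFix itself: this Python sketch compares the regedit-style export of AppInit_DLLs with the raw value bytes from the hex dump and checks the key size against the legend the tool prints. The log text is excerpted from the two logs posted in this thread; the function and constant names are hypothetical.

```python
import re

# Excerpts copied from the two FindNFix logs posted in this thread.
INFECTED_LOG = r'''
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
"AppInit_DLLs"=""
The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 6d 00 73 00 66 00 64 00 | m.3.2.\.m.s.f.d.
0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
'''
CLEAN_LOG = r'''
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
AppInit_DLLs =
'''

# Sizes the tool's own legend lists as "fake(infected)"; the legend is open-ended.
SUSPECT_KEY_SIZES = {448, 504, 512}

# One hex-dump row: 4-digit offset, space-separated bytes, then the ASCII column.
HEX_ROW = re.compile(r'^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s+)+)\|')


def decode_hexdump(log):
    """Rebuild the raw value bytes from the dump rows, checking offsets are contiguous."""
    data = bytearray()
    for line in log.splitlines():
        m = HEX_ROW.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("hex dump rows missing or out of order at " + m.group(1))
        data += bytes.fromhex(m.group(2))
    return bytes(data)


def analyze(log):
    """Compare what the export shows for AppInit_DLLs with what is stored."""
    size_m = re.search(r'^Size of HKEY_LOCAL_MACHINE\\.+?: (\d+)\s*$', log, re.M)
    export_m = re.search(r'^"AppInit_DLLs"="(.*)"\s*$', log, re.M)
    declared_m = re.search(r'reports as (\d+) bytes', log)

    raw = decode_hexdump(log)
    # REG_SZ data is UTF-16LE with a trailing NUL.
    raw_value = raw.decode('utf-16-le', errors='replace').rstrip('\x00') if raw else None
    key_size = int(size_m.group(1)) if size_m else None
    exported = export_m.group(1) if export_m else None

    findings = []
    if key_size in SUSPECT_KEY_SIZES:
        findings.append("key size %d is on the tool's 'fake(infected)' list" % key_size)
    if raw_value and exported == "":
        findings.append("export shows an empty AppInit_DLLs but the raw data names "
                        + raw_value)
    if declared_m and int(declared_m.group(1)) != len(raw):
        findings.append("declared length %s does not match %d dumped bytes"
                        % (declared_m.group(1), len(raw)))
    return {"key_size": key_size, "exported": exported, "raw_value": raw_value,
            "raw_len": len(raw), "findings": findings}


if __name__ == "__main__":
    for name, log in (("first log", INFECTED_LOG), ("log after Fix.bat", CLEAN_LOG)):
        result = analyze(log)
        print(name, "->", result["raw_value"], result["findings"] or "no findings")
```
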

Here it is...

 

 

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

 

Wed 28 Jul 04 21:38:31

9:38pm up 0 days, 0:08

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q328970-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/29)***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or

the right file was selected...

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

 

»»»»»»» (3) »»»»»»»

 

No matches found.

Unknown/hidden files...

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

 

»»»»»(5)»»»»»

 

»»»»»(6)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

 

»»»*»»» Scanning for moved file... »»»*»»»

 

* result\\?\C:\FINDnFIX\junkxxx\MSFD.333

 

 

C:\FINDNFIX\JUNKXXX\

msfd.333 Sun Jun 20 2004 1:09:28a A.... 57,344 56.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57,344 bytes 56.00 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\MSFD.333

SNiF 1.34 statistics

 

Matching files : 1 Amount in bytes : 57344

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.*

 

**File C:\FINDNFIX\JUNKXXX\MSFD.333

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

A----- MSFD .333 0000E000 01:09.28 20/06/2004

 

--a-- W32i - - - - 57,344 06-20-2004 msfd.333

A C:\FINDnFIX\junkxxx\msfd.333

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

MSFD.333 57344 06-20-104 01:09 c185b36f9969d3a6d2122ba7cbc02249

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

MSFD.333 : crc16=3138 crc32=D5C9FB2E

 

 

File: <C:\FINDnFIX\junkxxx\msfd.333>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

#######################################################

*Known files are...

--------------------

File: ((56k; (57,344 bytes)

(CRC16 : 3138)

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

--------------------

File: ((35k; (35,840 bytes)

(CRC16 : EEB1)

CRC-32 : 33081C8B

MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE

--------------------

File: ((21k; (21,504 bytes)

(CRC16 : 90A5)

CRC-32 : 2258F59E

MD5 : EFEE2CB3 B342A351 51802356 9637F8E6

#######################################################

»»Permissions:

C:\FINDnFIX\junkxxx\msfd.333 Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

USER-B8P8HF7208\Owner:F

BUILTIN\Users:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x USER-B8P8HF7208\Owner

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: USER-B8P8HF7208\Owner

 

Primary Group: USER-B8P8HF7208\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x USER-B8P8HF7208\Owner

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: USER-B8P8HF7208\Owner

 

Primary Group: USER-B8P8HF7208\None

 

File "C:\FINDnFIX\junkxxx\msfd.333"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x USER-B8P8HF7208\Owner

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: USER-B8P8HF7208\Owner

 

Primary Group: USER-B8P8HF7208\None

 

C:\FINDnFIX\junkxxx\msfd.333;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\msfd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\msfd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\msfd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\msfd.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\msfd.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\msfd.333;USER-B8P8HF7208\Owner:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\msfd.333;BUILTIN\Users:RrRaRepX

 

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 P h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' R USERProcessHandleQuota\ h X

000012D0: vk v AppInit_DLLsecte

 

---------- NEWWIN.TXT

AppInit_DLLsecte

--------------

--------------

$0117F: UDeviceNotSelectedTimeout

$011C7: zGDIProcessHandleQuota

$01270: TransmissionRetryTimeout

$012A0: USERProcessHandleQuota

$012F0: AppInit_DLLsecte

--------------

--------------

No strings found.

 

 

d.... 0 Jul 28 21:16 .

d.... 0 Jul 28 21:16 ..

....a 57344 Jun 20 1:09 msfd.333

 

3 files found occupying 55296 bytes

 

-------- C:\FINDNFIX\JUNKXXX\MSFD.333

InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2

===============================================================================

57,344 bytes 955,733 cps

Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.06

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-28-:4 21:16|MSFD 333 57344 A 06-20-:4 01:09

.. <dir> 07-28-:4 21:16|

---------------------------------------+---------------------------------------

3 files totaling 57344 bytes consuming 65024 bytes of disk space.

30036992 bytes available on Drive C: Volume label: Ferkins Dri

 

...File dump...

 

junkxxx\msfd.333

1 file(s) copied.

 

Detecting...

C:\FINDnFIX\junkxxx

msfd.333 ACL has 8 ACE(s)

SID = /Everyone S-1-1-0

ACE 0 is an ACCESS_ALLOWED_ACE_TYPE

ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 1 is an ACCESS_ALLOWED_ACE_TYPE

ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 2 is an ACCESS_ALLOWED_ACE_TYPE

ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 3 is an ACCESS_ALLOWED_ACE_TYPE

ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 4 is an ACCESS_ALLOWED_ACE_TYPE

ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = NT AUTHORITY/SYSTEM S-1-5-18

ACE 5 is an ACCESS_ALLOWED_ACE_TYPE

ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = USER-B8P8HF7208/Owner S-1-5-21-861567501-1708537768-1957994488-1003

ACE 6 is an ACCESS_ALLOWED_ACE_TYPE

ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Users S-1-5-32-545

ACE 7 is an ACCESS_ALLOWED_ACE_TYPE

ACE 7 mask = 0x001200a9 -R -X

ACL done...

 

 

Finished Detecting...


Please now open the FindNFix folder again. Then double-click on the Files2 folder to open that. Double-click on the ZIPZAP.bat file.

 

It will clean the rest of the infection and make a copy of the bad file in the same folder and name it junkxxx.zip and open your email client with instructions as to what to do.

 

Simply drag the junkxxx.zip file into your email message so it becomes an attachment. Then copy and paste the link to this topic into the body of the message and send the email. This is done so that the program, FindNFix, will be updated with any new information that may be found in your file so that others can benefit from it. If there are problems with this step, please move on with the next steps.

 

When you are done, please delete the entire FindNFix folder.

 

Now download and run CWShredder. You can download the program from the following locations:

 

HijackThis Download Site #1

 

or

 

HijackThis Download Site #2

 

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double-click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double-click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

 

A tutorial that goes over this process step by step can be found here:

 

How to remove CoolWebSearch with CWShredder

 

When that is completed, please download the latest version of Ad-Aware from the following location:

 

Ad-aware

 

Make sure you update the program before you scan with it. A tutorial on using ad-aware can be found below:

 

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

 

When that is completed, post a new HijackThis log.
