Jump to content


Photo

Hijacked by SearchX


  • This topic is locked This topic is locked
12 replies to this topic

#1 SadisticWarrior

SadisticWarrior

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 26 May 2004 - 03:12 AM

I've got a homepage hijacker called "SearchX" that I cant seem to get rid of. I hope someone in here can help.
I'm running WinXP Pro (I'm the Admin.) so far I have tried "CWSredder", "HijackThis", "Uninstall", and searched this forum.
Below is my HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 3:03:00 AM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\PopUp Killer\PopUpKiller.exe
C:\Documents and Settings\Steve\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ndhgjpb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ndhgjpb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ndhgjpb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ndhgjpb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ndhgjpb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ndhgjpb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A2592113-9313-4004-9370-A7820F0A4953} - C:\WINDOWS\System32\ndhgjpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: URLBook (HKCU)
O9 - Extra 'Tools' menuitem: URL Address Book (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.co.../cx_tgctlcm.jsp
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.filep...DC_1_0_0_37.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.h...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


Thanks in Advance
SW

#2 SadisticWarrior

SadisticWarrior

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 26 May 2004 - 07:55 PM

Help

SW

#3 SadisticWarrior

SadisticWarrior

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 27 May 2004 - 08:22 PM

Does anyone have any idea how I can get rid of SearchX? It's driving me nuts. If I cant figure it out soon I'm going to re-format. I'm open to suggestions.

SW

#4 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • PipPipPipPipPip
  • 2,220 posts

Posted 29 May 2004 - 12:36 PM

Does anyone have any idea how I can get rid of SearchX? It's driving me nuts. If I cant figure it out soon I'm going to re-format. I'm open to suggestions.

                                    SW

Hi SadisticWarrior,

I'm sorry for the wait.

If you haven't re-format, I would like to help.

Please get SpybotS&D. You can get it here http://www.zerosrealm.com/scanning.php, and download Ad-Aware 6 from here http://www.lavasoft.de/ . Update them and run both, rebooting after running each one.

After rebooting, run HJT and post a new log.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!

IPB Image

#5 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 May 2004 - 01:06 PM

Download:
>>Find-All.exe<<

Run, follow steps by running the included 'Find-All.cmd' file.
Post the log when done.
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#6 SadisticWarrior

SadisticWarrior

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 30 May 2004 - 10:41 AM

I've been using spy-bot and ad-aware for years now. They havent found anything about SearchX. I'll dl "Find All" and see what it comes up with. Thanks for the response.

SW

#7 SadisticWarrior

SadisticWarrior

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 30 May 2004 - 10:52 AM

This is the output file I got after running "Find-All"

--==***@@@ 'FIND-ALL' VERSION 8.5 -5/29 @@@***==--


Sun May 30 10:44:31 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (18B1:6BC1) - FS:NTFS clusters:4k
Total: 34 628 395 008 [32G] - Free: 19 523 268 608 [18G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe


»»PC uptime:
10:44am up 0 days, 2:27

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WINNNA.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINNNA.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
576 smss.exe
640 csrss.exe Title:
664 winlogon.exe Title: NetDDE Agent
736 services.exe Svcs: Eventlog,PlugPlay
748 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
964 ati2evxx.exe Svcs: Ati HotKey Poller
1020 svchost.exe Svcs: RpcSs
1148 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Sched
le,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W3
Time,winmgmt
1244 svchost.exe Svcs: Dnscache
1264 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1588 ati2evxx.exe Title: ATI video bios poller client
1684 explorer.exe Title: Program Manager
1808 spoolsv.exe Svcs: Spooler
1912 CCEVTMGR.EXE Svcs: ccEvtMgr
200 ccApp.exe Title: Norton AntiVirus
236 RegTwk.exe Title: Registry Tweak
260 PopUpKiller.exe Title: PopUpKiller
344 GameUtil.exe Title: GameUtil
364 nost_LM.exe Title: Nostromo Loadout Manager - Untitled
692 EM_EXEC.EXE Title: Logitech GetMessage Hook
1384 NAVAPSVC.EXE Svcs: navapsvc
1552 NPROTECT.EXE Svcs: NProtectService
1836 NOPDB.EXE Svcs: Speed Disk service
1084 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
956 ntvdm.exe
2752 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{E40B5B32-CE13-4FAC-9F2D-83131D7776B1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{E40B5B32-CE13-4FAC-9F2D-83131D7776B1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Group/user settings:


User: [BOX1\Steve], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group BOX1\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BOX1\Steve:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Sun May 30 10:44:40 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Hope it helps
Thanks Again
SW


#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 30 May 2004 - 11:34 AM

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
hilited.
(*compare and be sure the path on the status
bar is same as indicated above!)

-RightClick on the Windows Subfolder,
And rename Windows as Windows1

-Locate "AppInit_DLLs" value on the right
pane, RightClick it and select 'delete'

-Select the Windows1 on the left pane
again and rename it back to it's
original name, Windows

-Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to System32 folder, Search
for System32\ WINNNA.DLL file, hilite
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder.
(It was created during first 'Find-All' run)
'ok' it.

Re-run 'Find-All.cmd' and post new log!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#9 SadisticWarrior

SadisticWarrior

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 30 May 2004 - 01:55 PM

Thanks for your help freeatlast. Below is my new log

--==***@@@ 'FIND-ALL' VERSION 8.5 -5/29 @@@***==--


Sun May 30 13:50:09 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (18B1:6BC1) - FS:NTFS clusters:4k
Total: 34 628 395 008 [32G] - Free: 19 520 983 040 [18G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe


»»PC uptime:
1:50pm up 0 days, 0:04

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junkxxx\WINNNA.DLL


»»Tasks (services):
0 System Process
4 System
420 smss.exe
636 csrss.exe Title:
660 winlogon.exe Title: NetDDE Agent
712 services.exe Svcs: Eventlog,PlugPlay
724 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
884 ati2evxx.exe Svcs: Ati HotKey Poller
908 svchost.exe Svcs: RpcSs
1012 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Sched
le,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W3
Time,winmgmt
1092 svchost.exe Svcs: Dnscache
1116 svchost.exe Svcs: Alerter,LmHosts,RemoteRegistry,SSDPSRV,WebClient
1428 ati2evxx.exe Title: ATI video bios poller client
1500 spoolsv.exe Svcs: Spooler
1528 CCEVTMGR.EXE Svcs: ccEvtMgr
1536 explorer.exe Title: Program Manager
1772 ccApp.exe Title: Norton AntiVirus
1800 RegTwk.exe Title: Registry Tweak
1816 PopUpKiller.exe Title: PopUpKiller
1836 GameUtil.exe Title: GameUtil
1980 nost_LM.exe Title: Nostromo Loadout Manager - Untitled
200 EM_EXEC.EXE Title: Logitech GetMessage Hook
452 NAVAPSVC.EXE Svcs: navapsvc
480 NPROTECT.EXE Svcs: NProtectService
784 NOPDB.EXE Svcs: Speed Disk service
2256 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2296 ntvdm.exe
2336 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{E40B5B32-CE13-4FAC-9F2D-83131D7776B1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{E40B5B32-CE13-4FAC-9F2D-83131D7776B1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BOX1\Steve
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access BOX1\Steve




Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Group/user settings:


User: [BOX1\Steve], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group BOX1\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
BOX1\Steve:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


C:\junkxxx\winnna.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BOX1\Steve:F
BUILTIN\Users:R


»»Contents of file(s) in 'junkxxx' folder:
winnna.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 winnna.dll

57344 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junkxxx\winnna.dll>

CRC-32 : D5C9FB2E

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

E89EDB26 3B623462

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

AAEF452A 3CD2FAB3

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

C8BECB6F 2DB242DA 5945C134 A7E3D9B9




Sun May 30 13:50:14 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



Thanks
SW

Edited by SadisticWarrior, 30 May 2004 - 01:56 PM.


#10 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 30 May 2004 - 02:59 PM

:D Perfect!
We can wrap up the hijacker following these steps:

Lastly,

Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key &Security
back to defaults
*Reset permissions on the junkxxx\*.dll moved file
*Create zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses, ! , thanks ;)

When done, Delete the "junkxxx.zip"
as well as the "junkxxx" folder in C:\ And the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker downloaded!
Run these tools, have them fix all problems:
*Ad-Aware6:
http://www.lavasoftu...ftware/adaware/

*Updates:
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181

*http://www.spywarein.../CWShredder.exe

Feel free to post follow up hijackthis log when done!
Good luck ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#11 SadisticWarrior

SadisticWarrior

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 30 May 2004 - 06:39 PM

That seems to have solved all the problems. Thanks for all your help.

SW

#12 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • PipPipPipPipPip
  • 2,220 posts

Posted 30 May 2004 - 07:44 PM

SadisticWarrior,

I'm glad freeatlast was there to help. I was afraid we were going to be too late to help you.

All the best!
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!

IPB Image

#13 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 01 June 2004 - 08:57 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button