HijackThis Log File


16 replies to this topic

#1 soultaker_x

Posted 12 June 2004 - 01:21 PM

I was browsing on the web when I was done I closed IE, but then when I opened it again, my homepage had changed to about:blank.

Then I ran Ad-aware and Spybot, but the problem persisted.

After that I downloaded HijackThis, but I didn't understand the log file.

I would really appreciate it if you can help me.

Here is my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 08:40:01 p.m., on 13/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Archivos de programa\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\ARCHIV~1\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\All Users\Escritorio\Metal Gear\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xrd.best.cd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - C:\WINDOWS\System32\dffbgb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7252.7185416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Edited by soultaker_x, 20 June 2004 - 12:10 PM.
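
As an added example (not code from this thread or from HijackThis), the script below applies the checks a log helper makes by eye on the R0/R1 and O2 lines of a log like the one above: start/search values redirected to a local file (here a page under the user's Temp folder), a start page pointing at an unexpected host, the non-standard HomeOldSP value, an unnamed BHO loading from System32, and an orphaned BHO registration. The sample lines are copied from the log above; the list of hosts a stock IE 6 install is expected to point at is an assumption and should be adjusted for your environment.

```python
"""Triage helper for a HijackThis 1.97-style log (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the R0/R1/O2/O4 lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xrd.best.cd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - C:\WINDOWS\System32\dffbgb.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"""


@dataclass
class Finding:
    rule: str   # short tag for the check that fired
    line: str   # the HijackThis line it fired on
    note: str   # why it matters and what to verify


R_LINE = re.compile(r"^R[01] - HK(?:CU|LM)\\[^,]+,([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")

# IE values that decide where the browser starts or searches.
START_SEARCH_VALUES = {"Start Page", "Search Bar", "Search Page", "SearchAssistant",
                       "Default_Page_URL", "Default_Search_URL", "SearchURL"}
# Hosts a stock IE 6 install points those values at (assumption; extend for your environment).
EXPECTED_HOSTS = ("microsoft.com", "msn.com")


def _host_is_expected(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def _check_r_line(line: str, value_name: str, target: str):
    value_name, target = value_name.strip(), target.strip()
    lower = target.lower()
    if lower.startswith("file://"):
        return Finding("file-url", line, "start/search setting points at a local file; "
                       "a page under the user's Temp folder is typical of a dropped hijacker page")
    if value_name == "HomeOldSP":
        return Finding("homeoldsp", line, "HomeOldSP is not a stock IE value; its presence is an indicator")
    if value_name in START_SEARCH_VALUES and lower.startswith(("http://", "https://")):
        host = urlsplit(target).hostname or ""
        if not _host_is_expected(host):
            return Finding("nondefault-url", line, f"start/search setting points at {host}; verify it is expected")
    return None


def _check_o2_line(line: str, name: str, path: str):
    name, path = name.strip(), path.strip()
    if path == "(no file)":
        return Finding("orphan-bho", line, "BHO registration whose DLL is gone; inert, but remove the stale CLSID")
    if name == "(no name)" and "\\system32\\" in path.lower():
        return Finding("unnamed-bho-system32", line,
                       "unnamed BHO loading from System32; check the file's version info and publisher")
    return None


def triage(log_text: str) -> list:
    """Return a Finding for every R0/R1/O2 line that trips a check, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            finding = _check_r_line(line, *m.groups())
        else:
            m = O2_LINE.match(line)
            finding = _check_o2_line(line, *m.groups()) if m else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}\n    {f.note}")
```

Run against the sample it reports five lines for review and stays silent on the Acrobat and Norton BHOs and the O4 entry; the O4/O16 sections need the same kind of allowlisting before they can be checked mechanically, which is why this example leaves them alone.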


#2 soultaker_x

Posted 13 June 2004 - 08:37 PM

Bump

#3 LoPhatPhuud

Posted 20 June 2004 - 03:34 PM

=== Download and Install Needed Programs ===
Download the following: (freeware)
'Find-All.zip' from:
http://www10.brinkst...last/pvtool.htm

Unzip 'Find-All.zip' to its own folder.


Open the Find-All folder and double click on Find-All.cmd
IMPORTANT!: Before you run this tool please close ALL running programs and ALL Windows except Find-All.

Answer the alerts then sit back and wait a few minutes while the program collects the necessary information.

*Note: If your Antivirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the Find-All folder.
1. Post the contents of Output.txt in this thread.
2. Attach file Windows.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the windows.txt file in this thread)
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear

#4 soultaker_x

Posted 20 June 2004 - 04:59 PM

Here is the Find All Log and I'm going to put the Windows.txt in another post because I wasn't able to attach it.


--==***@@@ 'FIND-ALL' ╗╗*Original*╗╗ VERSION *10.1 -6/10 @@@***==--

╗╗╗╗╗╗Find-All recent updates:╗╗╗╗╗╗
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view ╗╗Group/user section)


Sun Jun 20 16:45:48 2004 -- ++Results:
╗╗System Info:

Microsoft Windows XP [Versión 5.1.2600]
'Find-All' is running from Drive:
C: "" (311A:1D08) - FS:FAT clusters:32k
Total: 40 006 156 288 [37G] - Free: 9 586 147 328 [8.9G]


╗╗IE version and Service packs:
6.0.2600.0 C:\Archivos de programa\Internet Explorer\Iexplore.exe
--a-- W32i APP ESN 6.0.2600.0 shp 91,136 08-24-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q316059;q319182;Q321232;Q323759;Q328970;Q324929;Q810847;Q813489;Q818529;Q822925
;Q828750;Q824145;Q832894;

╗╗Google:
2.0.111.0 C:\Archivos de programa\google\googletoolbar1.dll
--a-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar1.dll

╗╗UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


╗╗Wmplayer version:
9.0.0.2980 C:\Archivos de programa\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1120 C:\Archivos de programa\Windows Media Player\mplayer2.exe
--a-- W32i APP ESN 6.4.9.1120 shp 4,639 08-24-2001 mplayer2.exe

╗╗M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

╗╗NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe

╗╗ Regedit* version(s):
5.1.2600.0 C:\WINDOWS\regedit.exe
--a-- W32i APP ESN 5.1.2600.0 shp 139,776 08-24-2001 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-24-2001 regedt32.exe


╗╗PC uptime:
4:45pm up 0 days, 0:28

╗╗Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WINLF.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINLF.DLL +++ File read error

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Tasks (services):
0 System Process
4 System
340 SMSS.EXE
416 CSRSS.EXE Title:
440 WINLOGON.EXE Title: NetDDE Agent
496 SERVICES.EXE Svcs: Eventlog,PlugPlay
508 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
692 SVCHOST.EXE Svcs: RpcSs
820 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time
980 SVCHOST.EXE Svcs: Dnscache
1008 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1184 EXPLORER.EXE Title: Program Manager
1264 SPOOLSV.EXE Svcs: Spooler
1392 CCEVTMGR.EXE Svcs: ccEvtMgr
1452 HPCDTray.exe Title: HPCDTray_Wnd
1460 Directcd.exe Title: DirectCD
1472 realsched.exe Title: Notification Wnd for RNAdmin
1484 P2P Networking.eP2P Networking UpdateTitle: P2P Networking Update
1492 ccApp.exe Title: Norton AntiVirus
1544 POINT32.EXE Title:
1552 QTTASK.EXE Title: QTPlayer Tray Icon
1560 MsgPlus.exe Title: MPWnd_Hooker
1568 MMTASK.EXE Title: OleMainThreadWndName
1584 CTFMON.EXE Title:
1608 TeaTimer.exe Title:
180 navapsvc.exe Svcs: navapsvc
196 msnmsgr.exe Title:
316 NPROTECT.EXE Svcs: NProtectService
2832 MOZILLA.EXE Title:
924 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3140 ntvdm.exe
3028 msmsgs.exe Title:
3188 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B5EA026-7B06-471A-BEB3-C5E2B893973B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"=""
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Usuarios
(IO) ALLOW Read BUILTIN\Usuarios
(NI) ALLOW Read BUILTIN\Usuarios avanzados
(IO) ALLOW Read BUILTIN\Usuarios avanzados
(NI) ALLOW Full access BUILTIN\Administradores
(IO) ALLOW Full access BUILTIN\Administradores
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administradores
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Usuarios
Read BUILTIN\Usuarios avanzados
Full access BUILTIN\Administradores
Full access NT AUTHORITY\SYSTEM




╗╗Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

╗╗Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

╗╗UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.0 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ESN 5.1.2600.0 shp 22,016 08-24-2001 userinit.exe

╗╗Group/user settings:


User: [EDUARDO\Rosillo], is a member of:

BUILTIN\Administradores
\Everyone

User is a member of group EDUARDO\Ninguno.
User is a member of group \Todos.
User is a member of group BUILTIN\Administradores.
User is a member of group BUILTIN\Usuarios.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Usuarios autentificados.

╗╗ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: No hay más archivos.


╗╗File(s) in 'junkxxx' folder:

╗╗Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

╗╗hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 975 07-14-2003 hosts
------
╗╗Rehash:

╗Strings found:

Sun Jun 20 16:47:45 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-20-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-20-2004 findallappinit.reg
A C:\Find-All\winBackup.hiv
A C:\Find-All\Fileslist\modules.txt
A C:\Find-All\Fileslist\services.txt
A C:\Find-All\Fileslist\drivers.txt
A C:\Find-All\Fileslist\windows.txt
A C:\Find-All\Fileslist\copyhosts.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
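
The decisive clue in this Find-All output is the mismatch between two of its own sections: the REGEDIT4 export of the Windows key shows "AppInit_DLLs"="", yet the size line reports 448 bytes against the 450 the tool states as the default for an empty value (and 398 for no value at all). The script below is an added example, not Find-All's own code: it pulls the exported values and the size line for that key out of a Find-All report and applies exactly that heuristic, so that an empty-looking AppInit_DLLs with an off-size key is reported as possibly hidden rather than clean. The excerpts are constructed from the reports in this thread (448 here, 450 in the report posted after the fix); the thresholds are the ones Find-All prints, and the third case with a visible winlf.dll value is constructed to show the .reg escaping.

```python
"""Check a Find-All report for a hidden AppInit_DLLs value (added example, not the tool's own code)."""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Thresholds quoted from Find-All's own output line:
# "Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)"
DEFAULT_SIZE = 450      # stock XP key with an empty AppInit_DLLs value
NO_APPINIT_SIZE = 398   # key with the AppInit_DLLs value absent altogether

# Constructed excerpts modelled on the two Find-All outputs in this thread.
BEFORE_FIX = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
'''
AFTER_FIX = BEFORE_FIX.replace(": 448", ": 450")
# Constructed case where the value is visible to the export (note the .reg escaping of backslashes).
VISIBLE = BEFORE_FIX.replace('"AppInit_DLLs"=""', r'"AppInit_DLLs"="C:\\WINDOWS\\System32\\winlf.dll"')


def parse_reg_export(text: str, key: str) -> dict:
    """Return {value_name: value} for one key of a REGEDIT4 export (strings unescaped, others raw)."""
    values = {}
    in_key = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key or not line:
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            values[name] = raw
    return values


def key_size(text: str, key: str):
    """Return the byte size Find-All printed for the key, or None if no size line is present."""
    for m in re.finditer(r"^Size of (.+?): (\d+)\s*$", text, re.M):
        if m.group(1).lower() == key.lower():
            return int(m.group(2))
    return None


def assess(report: str) -> tuple:
    """Return (verdict, detail) for the Windows key: 'loaded', 'clean', 'hidden?' or 'unknown'."""
    values = parse_reg_export(report, WINDOWS_KEY)
    size = key_size(report, WINDOWS_KEY)
    appinit = values.get("AppInit_DLLs")
    if appinit:
        # Non-empty: every process that loads user32.dll will load this DLL at start-up.
        return "loaded", f"AppInit_DLLs = {appinit}"
    if size is None:
        return "unknown", "no key-size line in report"
    expected = DEFAULT_SIZE if appinit == "" else NO_APPINIT_SIZE
    if size == expected:
        return "clean", f"AppInit_DLLs {'empty' if appinit == '' else 'absent'} and key size {size} matches"
    return "hidden?", (f"export shows AppInit_DLLs {appinit!r} but key size is {size}, not {expected}; "
                       "a value the export cannot show may be present (compare the raw hive)")


if __name__ == "__main__":
    for label, report in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX), ("visible", VISIBLE)):
        verdict, detail = assess(report)
        print(f"{label}: {verdict} - {detail}")
```

The size heuristic is only as good as the defaults Find-All measured for this OS build, so treat "hidden?" as a prompt to look at the raw hive (as the windows.txt dump in this thread does), not as a verdict.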



#5 soultaker_x

Posted 20 June 2004 - 05:00 PM

This is the windows.txt file


regf       Pugf hbin  Ę   nk, 0ĚŢ90O─               8 x      0 < äň╝V Windowsť╚■  sk x x    ö     ý
     !
 Ç  !      #
 Ç  #  ?    
     ?   
    ?    
        ě   vk < ě   f¨AppInit_DLLsÍ?ŠG└   C : \ W I N D O W S \ S y s t e m 3 2 \ w i n l f . d l l  ░ đ   vk  P   └UDeviceNotSelectedTimeout­   1 5  _úűˇ­   9 0  ╚ đ   vk  Ç'   zGDIProcessHandleQuota"■Ó   vk  └   ░║Spooler2­   y e s đ   ░  p  Ŕ Ó   vk  Ç   =pswapdiskđ   vk  `   R┐TransmissionRetryTimeoutÓ   ░  p  Ŕ  X đ   vk  Ç'   f8USERProcessHandleQuota˝xx

#6 LoPhatPhuud

Posted 20 June 2004 - 06:35 PM

=== Unlock and Show Hidden dll ===
Download the following: (freeware)
'Salamand.zip' from:
http://www10.brinkst...last/pvtool.htm

Download 'Registrar Lite' from here:
http://www.resplendence.com/reglite

Download the attached 'FixReg.zip'

Unzip 'Salamand.zip' to its own folder.

Install 'Registrar Lite'.

Unzip 'FixReg.zip' to the Desktop.

Now we are going to get rid of the hidden DLL that is causing all the problems.

First we need to make it visible:
Copy and paste this line to reglite's address bar. Then press 'Go':
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Rename the Folder Windows to NotWindows
(the folder is highlighted as a purple folder in the left hand pane of Reglite)

Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\WINLF.DLL <-- delete this line,
'Apply' and 'ok' to set.

Rename the NotWindows folder back to its original name Windows
Restart your computer.


=== Locate, Move, and Delete Hidden dll ===
Run Salamand.exe.

Using the Menu Items at the top, do the following:
(wherever 'enter' is used, you may cut and paste the bold faced text instead)
a. Left --> Change Drive --> select 'C:'
b. Right --> Change Drive --> select 'C:'
c. Commands --> Create Directory --> enter junk --> press 'OK'
d. Options --> Command Line (be sure it is checked)
e. Commands --> Change Directory --> enter C:\windows\system32 --> press 'OK'
f. Commands --> Find Files… --> press 'Edit'; in 'Search For' enter WINLF.DLL, Uncheck 'Include subdirectories', press 'OK', press 'Start'; the file will be listed in the lower pane.
g. Press 'Focus'
h. Files --> Move/Rename --> enter c:\junk, press 'OK'
i. Left --> Change Drive --> select 'C:'

Into the narrow command window at the bottom (starts with 'c:\>')
Copy and paste the following command, then press 'Enter'

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f
(you should get 'Processed…' confirmation message)

Copy and paste the following command, then press 'Enter'
attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111
(there should be no confirmation message)

In the left pane:
a. Click on the 'junk' folder
b. Files --> Delete, press 'Yes'


Double Click on the 'FixReg' folder.
Double Click on the 'FixReg.bat' file.
Post the 'last.txt' to this thread.

Open the 'Find-All' folder
Double Click on 'Find-All.bat'
Post the 'Output.txt' in this thread.


=== Clean Remaining Infection ===
Please Download CoolWebShredder, from
http://www.merijn.or.../cwshredder.zip
http://www.zerosreal.../CWShredder.zip

Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.

Next:
Download the latest version of Ad-Aware at
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp....dref/index.html

Select 'custom options'.
Select your drive, scan and fix all it finds.

Last:
Post a new HiJackThis log in this thread.

#7 soultaker_x

Posted 20 June 2004 - 08:51 PM

I couldn't find the FixReg.zip, where can I find it?

#8 LoPhatPhuud

Posted 20 June 2004 - 09:36 PM

Sorry, forgot to attach it, doh!

Name has been changed to FixRegPro.zip but all the rest is the same.

Here it is!

Attached Files



#9 soultaker_x

Posted 20 June 2004 - 09:46 PM

Thanks

#10 soultaker_x

Posted 20 June 2004 - 10:08 PM

This is last.txt

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

#11 soultaker_x

Posted 20 June 2004 - 10:19 PM

Output.txt

--==***@@@ 'FIND-ALL' ╗╗*Original*╗╗ VERSION *10.1 -6/10 @@@***==--

╗╗╗╗╗╗Find-All recent updates:╗╗╗╗╗╗
*Size of Windows key
*Winlogon\notify
*UserInit value
*Copy of 'hosts' file and *Loaded Modules (In \FilesList Subfolder)
*Versions of major keys and windows files
*list of active services and drivers (\'FilesList')
*Note:
If using 'Find-All' to clean, be sure to include the link to your
post in the forum!! (I keep recieving files I don't know where they came from...0-0...)
*Note: Reg backup restore will not work if current user
doesn't have 'Admin privileges'! (view ╗╗Group/user section)


Sun Jun 20 22:15:39 2004 -- ++Results:
╗╗System Info:

Microsoft Windows XP [Versión 5.1.2600]
'Find-All' is running from Drive:
C: "" (311A:1D08) - FS:FAT clusters:32k
Total: 40 006 156 288 [37G] - Free: 9 656 827 904 [9.0G]


╗╗IE version and Service packs:
6.0.2600.0 C:\Archivos de programa\Internet Explorer\Iexplore.exe
--a-- W32i APP ESN 6.0.2600.0 shp 91,136 08-24-2001 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q316059;q319182;Q321232;Q323759;Q328970;Q324929;Q810847;Q813489;Q818529;Q822925
;Q828750;Q824145;Q832894;

╗╗Google:
2.0.111.0 C:\Archivos de programa\google\googletoolbar1.dll
--a-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar1.dll

╗╗UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


╗╗Wmplayer version:
9.0.0.2980 C:\Archivos de programa\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1120 C:\Archivos de programa\Windows Media Player\mplayer2.exe
--a-- W32i APP ESN 6.4.9.1120 shp 4,639 08-24-2001 mplayer2.exe

╗╗M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

╗╗NotePad(s) version(s):
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ESN 5.1.2600.0 shp 67,072 08-24-2001 notepad.exe

╗╗ Regedit* version(s):
5.1.2600.0 C:\WINDOWS\regedit.exe
--a-- W32i APP ESN 5.1.2600.0 shp 139,776 08-24-2001 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-24-2001 regedt32.exe


╗╗PC uptime:
10:15pm up 0 days, 0:20

╗╗Locked or 'Suspect' file(s) found...

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***Attention!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

╗╗Tasks (services):
0 System Process
4 System
340 SMSS.EXE
416 CSRSS.EXE Title:
440 WINLOGON.EXE Title: NetDDE Agent
484 SERVICES.EXE Svcs: Eventlog,PlugPlay
496 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
660 SVCHOST.EXE Svcs: RpcSs
736 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time
848 SVCHOST.EXE Svcs: Dnscache
864 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1088 SPOOLSV.EXE Svcs: Spooler
1128 CCEVTMGR.EXE Svcs: ccEvtMgr
1388 EXPLORER.EXE Title: Program Manager
1588 NAVAPSVC.EXE Svcs: navapsvc
1600 NPROTECT.EXE Svcs: NProtectService
1688 HPCDTray.exe Title: HPCDTray_Wnd
1720 Directcd.exe Title: DirectCD
1728 realsched.exe Title: Notification Wnd for RNAdmin
1736 P2P Networking.eP2P Networking UpdateTitle: P2P Networking Update
1744 ccApp.exe Title: Norton AntiVirus
1776 POINT32.EXE Title:
1784 QTTASK.EXE Title: QTPlayer Tray Icon
1792 MsgPlus.exe Title: MPWnd_Hooker
1800 MMTASK.EXE Title: OleMainThreadWndName
1808 CTFMON.EXE Title:
1840 TeaTimer.exe Title:
320 MSNMSGR.EXE Title:
3504 MOZILLA.EXE Title:
3512 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3624 ntvdm.exe
3948 msmsgs.exe Title:
224 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B5EA026-7B06-471A-BEB3-C5E2B893973B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"=""
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Usuarios avanzados
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access EDUARDO\Rosillo
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Usuarios
QWCEN-DS-- BUILTIN\Usuarios avanzados
Full access BUILTIN\Administradores
Full access NT AUTHORITY\SYSTEM
Full access EDUARDO\Rosillo




╗╗Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448+!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

╗╗Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5016

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.0 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ESN 5.1.2600.0 shp 22,016 08-24-2001 userinit.exe

»»Group/user settings:


User: [EDUARDO\Rosillo], is a member of:

BUILTIN\Administradores
\Everyone

User is a member of group EDUARDO\Ninguno.
User is a member of group \Todos.
User is a member of group BUILTIN\Administradores.
User is a member of group BUILTIN\Usuarios.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Usuarios autentificados.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: No hay más archivos.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 975 07-14-2003 hosts
------
»»Rehash:

»Strings found:

Sun Jun 20 22:16:42 2004 -- ++Find-All backups:
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-20-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-20-2004 findallappinit.reg
A C:\Find-All\winBackup.hiv
A C:\Find-All\Fileslist\modules.txt
A C:\Find-All\Fileslist\services.txt
A C:\Find-All\Fileslist\drivers.txt
A C:\Find-All\Fileslist\windows.txt
A C:\Find-All\Fileslist\copyhosts.txt

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#12 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 20 June 2004 - 10:56 PM

Great, that infection is gone. Please post a new HiJackThis log in this thread so I can review and do any other necessary cleanup.
IPB Image Microsoft MVP Windows-Security 2005



When angry count four; when very angry, swear

#13 soultaker_x

soultaker_x

    Member

  • Full Member
  • 12 posts

Posted 20 June 2004 - 11:16 PM

Logfile of HijackThis v1.97.7
Scan saved at 11:16:05 p.m., on 20/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Archivos de programa\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe
C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\ARCHIV~1\mozilla.org\Mozilla\Mozilla.exe
C:\ARCHIV~1\MESSEN~1\msmsgs.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xrd.best.cd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7252.7185416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#14 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 20 June 2004 - 11:50 PM

First:
Check the following Items in HiJackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)


Close all open windows except HiJackThis and press 'Fix Checked'


Second:
I recommend that you uninstall P2P Networking through Add/Remove Programs.
If/when asked whether you also want to remove Altnet components, say 'Yes'.

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

Subsequently remove the P2P Networking folder in C:\Windows\System32, if still there.


Third:
You are running an outdated and therefore unsafe version of Internet Explorer.
You NEED to upgrade to IE 6.0 SP1
http://v4.windowsupd.../en/default.asp

(Make sure you get the correct language version for your operating system! ).

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.
That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

This step is mandatory if you are to avoid Gaobot, Sasser, and Help file exploits.


Last:
Run HiJackThis again and post a new log in this thread for review.
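The checks LoPhatPhuud applies above can be scripted. As an added example (not code from this thread, from HijackThis or from the helper), the Python below parses the R0/R1, O2 and O4 lines of a log and flags start/search pages redirected to a file in a temp folder, the non-default HomeOldSP and Local Page values, BHOs whose DLL is missing, and Run entries that give only a bare file name. The severity scale, the assumed XP default for Local Page (%SystemRoot%\system32\blank.htm) and the "Microsoft host" test for Default_Page_URL are this example's own choices; the sample lines are copied from the log in this thread, with a few clean entries added as negatives.

```python
"""Triage a HijackThis log the way the helper above does, for the R0/R1, O2
and O4 sections. Added example, not code from this thread or from HijackThis."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the log posted in this thread, with a
# few clean entries (Acrobat and Norton BHOs, the ccApp Run key) as negatives.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rosillo\CONFIG~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xrd.best.cd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]{36}\} - (?P<target>.*)$")
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.*)$")
MS_HOST = re.compile(r"://([\w.-]+\.)?(microsoft|msn)\.com(/|$)")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (this example's own scale)
    line: str
    reason: str


def check_r(line: str, key: str, value: str) -> Optional[Finding]:
    """R0/R1: IE start page, search page and related values."""
    v = value.lower()
    if v.startswith("file://") or "\\temp\\" in v:
        return Finding("high", line, "start/search page redirected to a local file in a temp folder")
    if key.endswith("HomeOldSP"):
        return Finding("high", line, "HomeOldSP is not a stock IE value; the helper above has it fixed")
    # Assumed XP default for Local Page: %SystemRoot%\system32\blank.htm
    if key.endswith("Local Page") and not v.endswith("\\system32\\blank.htm"):
        return Finding("medium", line, "Local Page does not point at the default blank.htm")
    # Assumption: an OEM/ISP start page is normal, but a non-Microsoft one
    # should be confirmed as intended rather than accepted on sight.
    if key.endswith("Default_Page_URL") and not MS_HOST.search(v):
        return Finding("info", line, "Default_Page_URL is not a Microsoft site; confirm it is the OEM's")
    return None


def check_o2(line: str, target: str) -> Optional[Finding]:
    """O2: Browser Helper Objects, loaded into every IE process."""
    if target.strip().lower() == "(no file)":
        return Finding("medium", line, "BHO CLSID is registered but its DLL is gone; orphaned entry, remove it")
    return None


def check_o4(line: str, cmd: str) -> Optional[Finding]:
    """O4: Run-key autostarts."""
    c = cmd.strip()
    if not c:
        return None
    exe = c[1:].split('"', 1)[0] if c.startswith('"') else c.split()[0]
    if "\\" not in exe and "/" not in exe:
        return Finding("info", line, "bare file name, resolved through the search path at logon; verify which file actually runs")
    return None


def triage(log_text: str) -> list[Finding]:
    """Run the section checks over every line; other sections are passed over."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := R_LINE.match(line):
            f = check_r(line, m["key"], m["value"])
        elif m := O2_LINE.match(line):
            f = check_o2(line, m["target"])
        elif m := O4_LINE.match(line):
            f = check_o4(line, m["cmd"])
        else:
            f = None    # O3, O8, O9, O16 ... are not triaged by this example
        if f:
            findings.append(f)
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """Lines worth ticking in HijackThis before 'Fix Checked' (high and medium)."""
    return [f.line for f in findings if f.severity in ("high", "medium")]


def summary(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Run as a script it prints each finding with its reason; `fix_list()` returns exactly the kind of list the helper posts ("check the following items"). It deliberately covers only the sections the helper acted on here; O16 DPF entries, for instance, need a reputation lookup that plain text parsing cannot supply.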

#15 soultaker_x

soultaker_x

    Member

  • Full Member
  • 12 posts

Posted 21 June 2004 - 04:08 PM

My computer is running a lot better; here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 04:06:26 p.m., on 21/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Archivos de programa\Microsoft Hardware\Mouse\point32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe
C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\ARCHIV~1\MESSEN~1\msmsgs.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7252.7185416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#16 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 21 June 2004 - 04:33 PM

Almost there, just a little cleanup and we are finished.

Check the following in HiJackThis:
O2 - BHO: (no name) - {1B5EA026-7B06-471A-BEB3-C5E2B893973B} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsorad...sWebTelecom.cab


Close all open windows except HiJackThis and press 'Fix Checked'

You are running an outdated and therefore unsafe version of Internet Explorer.
You NEED to upgrade to IE 6.0 SP1
http://v4.windowsupd.../en/default.asp

(Make sure you get the correct language version for your operating system! ).

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.
That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

This step is mandatory if you are to avoid Gaobot, Sasser, and Help file exploits.



At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: http://www.staff.uiu...es/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857



Good luck, and thanks for coming to our forums for help with your security and malware issues.
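The three ActiveX options under "Adjust your security settings for ActiveX" are stored as policy values of the Internet zone in the registry, so the setting can be audited instead of eyeballed in the dialog. As an added example (not part of the thread), here is a Python check that compares those values with what the post asks for and, on Windows, reads them live with winreg. The value names 1001, 1004 and 1201, the zone number 3 and the codes 0/1/3 are IE's documented zone-policy values; the WEAK and HARDENED dictionaries are constructed samples.

```python
"""Audit the Internet-zone ActiveX settings the post above asks you to set.
Added example, not part of the thread; value names are IE's zone-policy
registry values, everything else is this example's own code."""
from __future__ import annotations

import sys

# HKCU\...\Zones\3 is the Internet zone; 1001/1004/1201 are the policy
# values behind the three ActiveX options in the Security dialog.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3          # IE's codes for the three radio buttons
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value -> (dialog label, setting required by the post)
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

# Constructed samples: a machine on the permissive "Enable everything" settings
# and one set up as the post describes.
WEAK = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE}
HARDENED = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE}


def audit(current: dict[str, int]) -> list[tuple[str, str, int | None, int]]:
    """Return (value, label, found, wanted) for each setting looser than required.
    The codes order as Enable(0) < Prompt(1) < Disable(3), so a numeric compare
    works; an absent value is reported too so that it gets set explicitly."""
    problems = []
    for value, (label, wanted) in REQUIRED.items():
        found = current.get(value)
        if found is None or found < wanted:
            problems.append((value, label, found, wanted))
    return problems


def describe(problems) -> list[str]:
    """Human-readable line per problem, naming the setting to change."""
    return [
        f"{value} ({label}): found {NAMES.get(found, 'not set')}, set it to {NAMES[wanted]}"
        for value, label, found, wanted in problems
    ]


def read_current() -> dict[str, int]:
    """Read the live values on Windows; on any other platform return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    current: dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for value in REQUIRED:
            try:
                current[value] = winreg.QueryValueEx(key, value)[0]
            except FileNotFoundError:
                pass          # value absent: audit() reports it
    return current


if __name__ == "__main__":
    live = read_current() or WEAK        # fall back to the constructed sample off Windows
    for line in describe(audit(live)) or ["all three ActiveX settings are as recommended"]:
        print(line)
```

On a Windows machine the script reports the live values for the current user; elsewhere it runs against the constructed WEAK sample so the output can still be inspected. Only HKCU is read, which is what the Internet Options dialog writes to; a machine-wide policy under HKLM would override it and is not covered by this example.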

#17 soultaker_x

soultaker_x

    Member

  • Full Member
  • 12 posts

Posted 21 June 2004 - 05:30 PM

Thank you very much for your help. Everything is back to normal.



