Another hijack victim here....



#1 quijybo


Posted 24 June 2004 - 10:08 PM

Similar to many other posters here, I have run latest versions of Spybot and Ad-Aware, then hijackthis, only to have things steadily keep popping up and browser still get hijacked on occasion. Original source was apparently a trojan virus. Referencing likewise posts here, I downloaded FindnFix; here's my !LOG!.BAT file (right after another Spybot/Ad-aware/hijackthis regimen):

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.
Thu 06/24/2004 10:21pm up 0 days, 0:44

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...
C:\WINDOWS\System32\3WVXVF~1.DLL +++ File read error
\\?\C:\WINDOWS\System32\3WVXVF~1.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
HLPPN.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
C:\WINDOWS\SYSTEM32\
3wvxvf~1.dll Fri Jun 11 2004 12:06:02p ..SHR 316,776 309.35 K
hlppn.dll Fri Jun 11 2004 12:02:54p A...R 57,344 56.00 K
2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 374,120 bytes 365.35 K

C:\WINDOWS\SYSTEM32\
3wvxvf~1.dll Fri Jun 11 2004 12:06:02p ..SHR 316,776 309.35 K
1 item found: 1 file, 0 directories.
Total of file sizes: 316,776 bytes 309.35 K

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\3WVXVF~1.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HLPPN.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key: (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access USER-65YYOKP2AQ\User
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access USER-65YYOKP2AQ\User

»»Member of...: (Admin logon required!)
User is a member of group USER-65YYOKP2AQ\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»Dir 'junkxxx' was created with the following permissions... (FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type    Flags    Inh. Mask     Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow   00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow   00000000 t--- 001F01FF ---- DSPO rw+x USER-65YYOKP2AQ\User
Allow   0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow   00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow   00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow   00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: USER-65YYOKP2AQ\User
Primary Group: USER-65YYOKP2AQ\None

»»»»»»Backups created...»»»»»»
10:22pm up 0 days, 0:44 Thu 06/24/2004
A C:\FINDnFIX\winBackup.hiv --a-- - - - - - 8,192 06-24-2004 winbackup.hiv
A C:\FINDnFIX\keys1\winkey.reg --a-- - - - - - 287 06-24-2004 winkey.reg

»»Performing 16bit string scan....
---------- WIN.TXT
AppInit_DLLsy
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
Windows UDeviceNotSelectedTimeout zGDIProcessHandleQuota" Spooler2 =pswapdisk TransmissionRetryTimeout USERProcessHandleQuota AppInit DLLsy
**File C:\FINDnFIX\WIN.TXT  Ð

Even using the FIX.BAT to reboot, I can't locate either the 3wvxvf~1.dll or hlppn.dll files in the system32 folder. Please help!!
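As an added example (my own code, not the poster's and not part of FindnFix), here is the pair of checks the log above is effectively performing, run over constructed lines copied from that log: flagging DLLs in the System32 listing that carry both the System and Hidden attributes, reading the AppInit_DLLs value out of the exported Windows key, and classifying the key size against the table the tool prints. The function names are my own.

```python
import re

# Constructed sample shaped like the FindnFix "Filtering files in System32" listing and
# the WIN.TXT REGEDIT4 export in the post above (rows copied from that log).
LISTING = (
    "C:\\WINDOWS\\SYSTEM32\\\n"
    "3wvxvf~1.dll Fri Jun 11 2004 12:06:02p ..SHR 316,776 309.35 K\n"
    "hlppn.dll Fri Jun 11 2004 12:02:54p A...R 57,344 56.00 K\n"
)
WIN_TXT = (
    "REGEDIT4\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
    '"AppInit_DLLs"=""\n'
)
# One listing row: name, timestamp, 5-char attribute field (A=archive, S=system,
# H=hidden, R=read-only), byte size with thousands separators, then the KB figure.
ROW = re.compile(
    r"^(?P<name>\S+)\s+\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap]\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s"
)

def parse_listing(text):
    """Return [(name, attrs, size_bytes)] for every file row in the listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["name"].lower(), m["attrs"], int(m["size"].replace(",", ""))))
    return rows

def suspicious_files(rows):
    """Flag DLLs carrying both System and Hidden attributes: that combination is what
    kept the hijacker's library out of Explorer and a plain 'dir' in the log above."""
    return [name for name, attrs, _ in rows
            if name.endswith(".dll") and "S" in attrs and "H" in attrs]

def appinit_dlls(reg_text):
    """Return the DLLs named in AppInit_DLLs (None if the value is absent). user32.dll
    loads each of them into every process that maps it, so anything non-empty deserves a look."""
    m = re.search(r'^"AppInit_DLLs"="(.*)"$', reg_text, re.M)
    if not m:
        return None
    return [p for p in re.split(r"[,\s]+", m.group(1)) if p]

# Size table FindnFix prints for the Windows key (figures copied from the log above).
KEY_SIZES = {450: "default", 398: "no AppInit value",
             448: "suspect", 504: "suspect", 512: "suspect"}

def windows_key_status(size):
    return KEY_SIZES.get(size, "unknown")
```

On the log above this flags only 3wvxvf~1.dll (attributes ..SHR), reports an empty AppInit_DLLs value, and classifies the key size 450 as the default.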

#2 quijybo


Posted 25 June 2004 - 03:43 PM

no takers?



