Backdoor.Trojan

Discussion in 'malware problems & news' started by alanm333, Jul 21, 2004.

  1. alanm333

    alanm333 Registered Member

    Hi

    Please help - My Norton Antivirus tells me constantly about this on my PC but is unable to repair - it refers to
    C:\WINDOWS\System32\loggn.dll
    but I can't access this file as it's in use, and when I look for it in Safe Mode - it's not there!!

    When I look at Windows Task Manager, CPU usage is always at 100%, so I suppose that something is clogging up my system - perhaps it's this?

    Here's my HijackThis log in case it helps.

    Many thanks in advance...

    Logfile of HijackThis v1.97.7
    Scan saved at 08:59:07, on 21/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.2960069444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{000111E4-0D40-467E-AD05-71A8C26D5AB1}: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{000111E4-0D40-467E-AD05-71A8C26D5AB1}: NameServer = 194.168.4.100 194.168.8.100
  2. Artras

    Artras Registered Member

    You may also want to click on the link in my signature for cleaning instructions/applications. I suggest running 1 or 2 online scans to verify whether the file indeed is infected.

    I ran the HijackThis log file analyzer and this is the result:
    Use www.google.com to find out more on items not listed here.

    You are using a old version of Hijackthis, please update.

    These items should be removed:

    o16 - dpf: {15b782af-55d8-11d1-b477-006097098764} (macromedia authorware web player control) - http://download.macromedia.com/pub/...are/awswaxf.cab
    o16 - dpf: {166b1bca-3f9c-11cf-8075-444553540000} (shockwave activex control) - http://download.macromedia.com/pub/...director/sw.cab
    o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    o16 - dpf: {9a9307a0-7da4-4daf-b042-5009f29e09e1} (activescan installer class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    o16 - dpf: {9f1c11aa-197b-4942-ba54-47a8489bb47f} (update class) - http://v4.windowsupdate.microsoft.c...7870.2960069444
    o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://download.macromedia.com/pub/...ash/swflash.cab


    These items are verified and safe to keep:
    --------------------------------------------------------------------------------
    \windows\system32\smss.exe
    \windows\system32\winlogon.exe
    \windows\system32\services.exe
    \windows\system32\lsass.exe
    \windows\system32\svchost.exe
    \windows\system32\svchost.exe
    \windows\system32\svchost.exe
    \windows\system32\svchost.exe
    \windows\system32\spoolsv.exe
    \program files\norton antivirus\navapsvc.exe
    \windows\system32\svchost.exe
    \windows\explorer.exe
    \program files\common files\real\update_ob\realsched.exe
    \program files\ipod\bin\ipodservice.exe
    \program files\messenger\msmsgs.exe
    \program files\winzip\wzqkpick.exe
    \program files\spywareguard\sgmain.exe
    \program files\spywareguard\sgbhp.exe
    \windows\system32\wuauclt.exe
    \program files\internet explorer\iexplore.exe
    \documents and settings\owner\desktop\hijack this\hijackthis.exe
    o2 - bho: (no name) - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
    o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\sdhelper.dll
    o2 - bho: nav helper - {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\navshext.dll
    o3 - toolbar: norton antivirus - {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\navshext.dll
    o3 - toolbar: &radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\windows\system32\msdxm.ocx
    o12 - plugin for .spop: c:\program files\internet explorer\plugins\npdocbox.dll
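    The analyzer result above sorts entries by their HijackThis section code and marks some for removal and others as verified. As an added example (not the analyzer's code, and not anything posted in this thread), here is a small Python triage pass over a log in the same format: it parses the R1/O2/O4/O16/O17 lines and applies a few defender-side review rules (a proxy being set, a browser helper object loading from System32, downloadable ActiveX controls listed for removal the way the analyzer lists them, DNS servers to confirm with your ISP). The sample log and every CLSID, path and host in it are constructed, and the rules are my assumptions, not an authoritative signature set.

```python
import re
from dataclasses import dataclass

# Constructed HijackThis-style log excerpt. Paths, CLSIDs and hosts are
# illustrative placeholders, not entries from any real machine.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\System32\example.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Example Control) - http://example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000004}: NameServer = 192.0.2.10 192.0.2.11
"""


@dataclass
class Entry:
    """One numbered log entry: the section code (R1, O2, O4, ...) and the rest of the line."""
    code: str
    body: str


@dataclass
class Finding:
    code: str
    body: str
    reason: str


ENTRY_RE = re.compile(r"^(?P<code>R\d|O\d{1,2}) - (?P<body>.+)$")
# Legitimate BHOs normally live under Program Files; System32 is an unusual home for one.
SYSTEM32_RE = re.compile(r"c:\\windows\\system32\\", re.IGNORECASE)


def parse_entries(log_text):
    """Pull the numbered entries out of a log; the header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Assumed review rules (my heuristics, not the analyzer's signature database)."""
    findings = []
    for e in parse_entries(log_text):
        reason = None
        if e.code == "R1" and "ProxyServer" in e.body:
            reason = "a proxy is configured: confirm it belongs to a program you installed"
        elif e.code == "O2" and SYSTEM32_RE.search(e.body):
            reason = "browser helper object loading from System32, where legitimate BHOs rarely live"
        elif e.code == "O16":
            reason = "downloaded ActiveX control: safe to remove, it is fetched again on demand"
        elif e.code == "O17":
            reason = "DNS servers set for this adapter: confirm they are your ISP's resolvers"
        if reason:
            findings.append(Finding(e.code, e.body, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.body}")
```

    Entries that match none of the rules (the O4 Run entry for the Norton agent in the sample) are still parsed and can be listed separately; the point of the pass is to shorten the list a person has to check by hand, not to replace that check.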
  3. TonyKlein

    TonyKlein Security Expert

  4. alanm333

    alanm333 Registered Member

    Thanks a lot for the advice - I've deleted the named items as directed and updated my HijackThis - here's the new log - what's next?

    Thanks again.
    Logfile of HijackThis v1.98.0
    Scan saved at 11:45:12, on 21/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis1980hf.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{000111E4-0D40-467E-AD05-71A8C26D5AB1}: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{000111E4-0D40-467E-AD05-71A8C26D5AB1}: NameServer = 194.168.4.100 194.168.8.100
  5. TonyKlein

    TonyKlein Security Expert

    If loggn.dll is still there, and resists removal, please do this:

    Click here to download FindnFix.exe (2K/XP only!) by Freeatlast.

    Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program will take a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
  6. alanm333

    alanm333 Registered Member

    Here's the FindnFix log....


    »»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Wed 21 Jul 04 12:02:28
    12:02am up 0 days, 0:08

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided should help narrow down the list, and hopefully
    pinpoint the culprit.
    Along with that,registry scan logged at the end should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
    »»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/21)»»»»»»»»»»»»»»»»

    »»»*»»»*Use at your own risk!»»»*»»»*

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\LOGGN.DLL +++ File read error
    \\?\C:\WINDOWS\System32\LOGGN.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    LOGGN.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... LOGGN.DLL .....57344 20.04.2004

    »»»»»(*6*)»»»»»
    fgrep: can't open input C:\WINDOWS\SYSTEM32\LOGGN.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINDOWS\SYSTEM32\
    loggn.dll Tue 20 Apr 2004 21:06:28 A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\LOGGN.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access MCMORDIES\Owner
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access MCMORDIES\Owner


    »»Member of...: (Admin logon required!)
    User is a member of group MCMORDIES\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.


    »»»»»»Backups created...»»»»»»
    12:04am up 0 days, 0:11
    Wed 21 Jul 04 12:04:40

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-21-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 268 07-21-2004 winkey.reg
    *Temp backups...
    .
    ..
    keyback2.hi_
    winkey2.re_


    C:\FINDNFIX\
    JUNKXXX Wed 21 Jul 2004 12:02:24 .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: 2? P 2?
    00001190: P 2? E vk DeviceNotSelecte
    000011D0:dTimeout 1 5 procSe vk ' S GDIProce
    00001210:ssHandleQuota o 9 0 ( vk P Spooler
    00001250: y e s & vk swapdisk 0
    00001290:` vk UTransmissionRetryTimeout vk
    000012D0: ' USERProcessHandleQuotace 0 `
    00001310: E z m .j j E P E P u N | F3 E P
    00001350:CNu }  3 ZYYd h C E ' E  w _^[ ]
    00001390: 86= <! U SVW N a m e
    000013D0: d B u M f u f t e
    00001410: e r x , , m m
    00001450:A A H H , , S S
    00001490: h h a a r r e e d
    000014D0: d , , A A P P
    00001510: I I $ $ 3 E } u
    00001550:>j E P E p @ E E E P j
    00001590: E P E U E E U \ E U U M
    000015D0: E U 3 E U D U M

    ---------- WIN.TXT
    --------------
    --------------
    $011C0: DeviceNotSelectedTimeout
    $01208: GDIProcessHandleQuota
    $012AF: UTransmissionRetryTimeout
    $012E0: USERProcessHandleQuotace
    --------------
    --------------
    No strings found.

    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value entry was NOT found!
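    The log above ends with the check that matters most for this kind of infection: the size of the Windows key and whether an AppInit_DLLs value exists (the tool's own table: 450 is the default, 398 means the value entry is missing, and 448/504/512 are sizes seen on infected keys). As an added example, not FindnFix's code or anything posted in this thread, here is a Python routine that parses "Dumping Values" output in that format and applies that table, looking at the AppInit_DLLs data directly as well. The first sample dump mirrors the state in the log above; the other two are constructed (the default state, and a key with a placeholder DLL name standing in for whatever such a key would list). The verdict strings are my own.

```python
import re

# Constructed excerpts in the "Dumping Values" format that FindnFix prints.
# DUMP_NO_VALUE mirrors the log above (size 398, AppInit_DLLs entry absent).
# DUMP_DEFAULT and DUMP_SUSPECT are constructed: the default state (size 450,
# empty AppInit_DLLs) and a key of a size the tool's table calls fake/infected,
# with a placeholder DLL name.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

DUMP_NO_VALUE = rf"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398
{KEY}\DeviceNotSelectedTimeout SZ 15
{KEY}\GDIProcessHandleQuota DWORD 00002710
{KEY}\swapdisk SZ
"""

DUMP_DEFAULT = rf"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
{KEY}\DeviceNotSelectedTimeout SZ 15
{KEY}\AppInit_DLLs SZ
"""

DUMP_SUSPECT = rf"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 504
{KEY}\DeviceNotSelectedTimeout SZ 15
{KEY}\AppInit_DLLs SZ C:\WINDOWS\System32\PLACEHOLDER.DLL
"""

# Sizes from the tool's own note: "*Default-450 *No AppInit-398 *fake(infected)-448,504,512"
SIZE_DEFAULT, SIZE_NO_APPINIT = 450, 398
SIZES_SUSPECT = {448, 504, 512}

SIZE_RE = re.compile(r"^Size of .*\\Windows:[ \t]*(\d+)[ \t]*$", re.IGNORECASE | re.MULTILINE)
VALUE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\.*\\Windows\\(?P<name>\S+)[ \t]+(?P<type>SZ|DWORD)[ \t]*(?P<data>.*)$",
    re.MULTILINE,
)


def parse_dump(text):
    """Return (key size or None, {value name: (type, data)}) from a dump excerpt."""
    m = SIZE_RE.search(text)
    size = int(m.group(1)) if m else None
    values = {v.group("name"): (v.group("type"), v.group("data").strip())
              for v in VALUE_RE.finditer(text)}
    return size, values


def assess(text):
    """Apply the tool's size table plus a direct look at AppInit_DLLs."""
    size, values = parse_dump(text)
    entry = values.get("AppInit_DLLs")          # None when the value entry is absent
    data = entry[1] if entry else None
    if data:
        # Anything listed here is loaded into every process that loads user32.dll,
        # so a non-empty value always deserves a look, whatever the key size.
        verdict, note = "review", "AppInit_DLLs lists a module: " + data
    elif size in SIZES_SUSPECT:
        verdict, note = "review", f"key size {size} is one the tool flags as fake/infected"
    elif size == SIZE_NO_APPINIT and entry is None:
        verdict, note = "consistent", "AppInit_DLLs value absent, size 398 as expected"
    elif size == SIZE_DEFAULT and data == "":
        verdict, note = "consistent", "AppInit_DLLs present and empty, default size 450"
    else:
        verdict, note = "unknown", "size/value combination not in the table; compare by hand"
    return {"size": size, "appinit": data, "verdict": verdict, "note": note}


if __name__ == "__main__":
    for label, dump in (("before", DUMP_NO_VALUE), ("default", DUMP_DEFAULT), ("suspect", DUMP_SUSPECT)):
        r = assess(dump)
        print(f"{label:8s} size={r['size']} verdict={r['verdict']}: {r['note']}")
```

    The size table is a fingerprint of a particular tool's output on a particular Windows build, so the routine treats any combination outside that table as "unknown" rather than guessing; the direct check of the AppInit_DLLs data is the part that still holds on its own.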
    
  7. TonyKlein

    TonyKlein Security Expert

    Well, that appears to confirm it... I suggest you first temporarily disable your antivirus before we proceed.

    In the FindnFix 'keys1' folder, double-click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to the C:\Windows\System32 folder, find the loggn.dll file (it should be visible now). Right-click on the "loggn.dll" file, and select -> Cut from the menu.

    Immediately open the C:\FINDnFIX\junkxxx subfolder.
    Right-click inside it and select 'Paste' from the menu; hit 'ok' when/if asked on the 'read only' file move prompt.

    - Make sure the file is now indeed in that Junkxxx subfolder

    Open the FINDnFIX folder again and run the "Restore.bat" file.
    It will run and generate a log (log2.txt).

    Post that log in your reply.
  8. alanm333

    alanm333 Registered Member

    Many thanks for the help but I ran into problems - when I selected 'cut' as above on the loggn.dll file, it turned pale in colour, as though it had become a displayed hidden file, and when I tried to paste it into the junkxxx folder, I got a message that it couldn't be moved as it was in use.
    I'm sure you will likely have a way around this though - here's hoping.

    Cheers
  9. TonyKlein

    TonyKlein Security Expert

    Is this XP home or Pro, please?
  10. free@tlast

    free@tlast Spyware Expert

    Hi!
    I was asked to jump in since you have unusual symptoms.
    First and topmost:
    Disable Norton completely,
    until the problem is completely gone, or this won't work
    properly!

    Next, follow these steps in the exact order specified!

    1.) Open the C:\FINDnFIX\Keys1 Subfolder.
    Double-click on this file: -> "windr1.reg",
    hit 'yes' on the prompt!

    2.) Restart your computer, and try to move the
    "LOGGN.DLL" file into the C:\FINDnFIX\junkxxx Subfolder, using any of the following steps:
    -Find it in System32 and attempt to 'cut', and 'paste' into the junkxxx
    Subfolder
    -Or:
    Select it and use the folder's top menu:
    edit> move to folder...
    Browse and expand the junkxxx Subfolder and select it
    as destination.

    3.) When the file is successfully moved, go back to:
    C:\FINDnFIX\Keys1 Subfolder, and double-click on
    the following files in this exact order, hitting 'yes' on the prompt:
    A. *winkey.reg
    B. *winclean.reg

    4.) When done, go back to the main FINDnFIX folder and run the "Restore.bat" file, and post the new log.

    If you run into any problems, post back details & steps.
    I strongly suspect it's Norton detecting the file and related key, attempting to unload it and incidentally accomplishing the opposite...
  11. alanm333

    alanm333 Registered Member

    Hi

    I've completed the above and all went well - here's the new log as requested.........


    »»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

    Thu 22 Jul 04 20:35:23
    8:35pm up 0 days, 0:05

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/21)***»»»»»»»»»»»»»»»»

    This log will confirm if the file was successfully moved, and/or
    the right file was selected...

    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.
    Unknown/hidden files...

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»»»(*6*)»»»»»

    »»»»»»» Search by size...


    No matches found.

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»*»»» Scanning for moved file... »»»*»»»

    (***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!
    RightClick on the file/properties/security
    and check the "Allow Inheritable permissions from parent..." box.
    Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

    * result\\?\C:\FINDnFIX\junkxxx\LOGGN.222


    C:\FINDNFIX\JUNKXXX\
    loggn.222 Tue 20 Apr 2004 21:06:28 A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\FINDNFIX\JUNKXXX\LOGGN.222

    **File C:\FINDNFIX\JUNKXXX\LOGGN.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- LOGGN .222 0000E000 21:06.28 20/04/2004

    --a-- W32i - - - - 57,344 04-20-2004 loggn.222
    A C:\FINDnFIX\junkxxx\loggn.222

    CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
    MD5 Message Digest Algorithm by RSA Data Security, Inc.

    File name Size Date Time MD5 Hash
    ________________________________________________________________________
    LOGGN.222 57344 04-20-104 21:06 c185b36f9969d3a6d2122ba7cbc02249
    File: <C:\FINDnFIX\junkxxx\loggn.222>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    »»Permissions:
    C:\FINDnFIX\junkxxx\loggn.222 Everyone:F
    BUILTIN\Administrators:F
    BUILTIN\Administrators:F
    BUILTIN\Administrators:F
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    MCMORDIES\Owner:F
    BUILTIN\Users:R

    Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x MCMORDIES\Owner
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: MCMORDIES\Owner

    Primary Group: MCMORDIES\None

    Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x MCMORDIES\Owner
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: MCMORDIES\Owner

    Primary Group: MCMORDIES\None

    File "C:\FINDnFIX\junkxxx\loggn.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x MCMORDIES\Owner
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

    Owner: MCMORDIES\Owner

    Primary Group: MCMORDIES\None

    C:\FINDnFIX\junkxxx\loggn.222;Everyone:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\loggn.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\loggn.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\loggn.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\loggn.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\loggn.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\loggn.222;MCMORDIES\Owner:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\loggn.222;BUILTIN\Users:RrRaRepX



    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access MCMORDIES\Owner
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access MCMORDIES\Owner



    00001150: 2? P 2?
    00001190: P 2? vk DeviceNotSelecte
    000011D0:dTimeout 1 5 procSe vk ' S GDIProce
    00001210:ssHandleQuota o 9 0 ( vk P Spooler
    00001250: y e s & vk swapdisk 0
    00001290:` vk UTransmissionRetryTimeout vk
    000012D0: ' USERProcessHandleQuotace 0 `
    00001310: vk AppInit_DLLssmis

    ---------- NEWWIN.TXT
    AppInit_DLLssmisÀ
    --------------
    --------------
    $011C0: DeviceNotSelectedTimeout
    $01208: GDIProcessHandleQuota
    $012AF: UTransmissionRetryTimeout
    $012E0: USERProcessHandleQuotace
    $01330: AppInit_DLLssmis
    --------------
    --------------
    No strings found.


    d.... 0 Jul 21 12:02 .
    d.... 0 Jul 21 12:02 ..
    ....a 57344 Apr 20 21:06 loggn.222

    3 files found occupying 55296 bytes

    CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

    C:\FINDNFIX\JUNKXXX
    LOGGN.222 : crc16=3138 crc32=D5C9FB2E

    -------- C:\FINDNFIX\JUNKXXX\LOGGN.222
    InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
    ===============================================================================
    57,344 bytes 955,733 cps
    Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.06

    VDIR v1.00
    Path: C:\FINDNFIX\JUNKXXX\*.*
    ---------------------------------------+---------------------------------------
    . <dir> 07-21-:4 12:02|LOGGN 222 57344 A 04-20-:4 21:06
    .. <dir> 07-21-:4 12:02|
    ---------------------------------------+---------------------------------------
    3 files totaling 57344 bytes consuming 65024 bytes of disk space.
    21668864 bytes available on Drive C: No volume label

    ...File dump...

    DecAddr +4 +8 +12 (c) |ASCII Equiv or .| HexAddr
    56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
    56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
    56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
    56928 00000000 00000000 00000000 a6f00100 |................| 0de60
    56944 01000000 03000000 03000000 88f00100 |................| 0de70
    56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
    56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
    56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
    57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
    57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
    57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
    57056 63655365 74757032 |ceSetup2 | 0dee0

    Detecting...

    C:\FINDnFIX\junkxxx
    loggn.222 ACL has 8 ACE(s)
    SID = /Everyone S-1-1-0
    ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = NT AUTHORITY/SYSTEM S-1-5-18
    ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = MCMORDIES/Owner S-1-5-21-117609710-1343024091-1060284298-1003
    ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Users S-1-5-32-545
    ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 7 mask = 0x001200a9 -R -X
    ACL done...


    Finished Detecting... 
  12. free@tlast Spyware Expert

    Whoops, overlooked your reply!
    Well done! :)

    It's nearly over:
    Last step(s):


    -Open the FINDnFIX\Files2 Subfolder:
    Run the -> "ZIPZAP.bat" file.
    It will quickly clean the rest and
    will create a zipped copy of the bad file(s) in the same
    folder (named as-- junkxxx.zip) and open your email
    client with instructions:
    Simply drag and drop the 'junkxxx.zip' file from
    the folder into the mail message and submit
    to the specified addresses! Thanks!

    (*Please include the link in your mail to the board
    that assisted you, so any errors in
    the process could be traced back!)

    When done, restart your computer and
    delete the entire 'FINDnFIX' file+Subfolder(s)
    from C:\

    For the remaining problems (if any), run any and all
    removal tools once again as they should work properly now!
    In particular,
    Latest CWShredder.exe and fully updated Ad-Aware!

    Feel free to post a follow-up HijackThis log when done! ;)