BackDoor.Agent.BA About:Blank Spyware

Discussion in 'adware, spyware & hijack cleaning' started by KurtFF8, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    Hi, i recently ran SpyRemover 2.01 and tried to get rid of this before, and that didnt work, and then I downlaoded AVG and scanned and got rid of it ( so i thought) and it didnt get rid of it, it just keeps telling me that "C:\WINDOWS\system32\kbdifgp.dll" is infected

    oh yeah 1 more thing is that I think it deleted my notepad program, anyone know how I can get that back? This is also on my brothers computer so I may post one for his later


    here is my hijackthis log:



    Logfile of HijackThis v1.97.7
    Scan saved at 7:57:09 PM, on 7/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Grisoft\AVG6\avgw.exe
    C:\WINDOWS\winhlp32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpyRemover\Remover.exe
    C:\Documents and Settings\Michael\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {60957B79-840B-428E-A028-6E5A813C4225} - C:\WINDOWS\System32\objmhib.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ComcastHSI (HKLM)
    O9 - Extra button: Support (HKLM)
    O9 - Extra button: Help (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083764093390
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24fd830a040e98ea4c22/netzip/RdxIE601.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    can anyone help me?
     
  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
    Download FindnFix http://downloads.subratam.org/FINDnFIX.exe

    Double Click on the FindnFix.exe you downloaded earlier and it will install into its own folder.
    That folder should be C:\FINDnFIX
    Browse to the folder
    Close all other open windows.
    Run (double click on) the !LOG!.bat file

    Have a coffee

    When it's done:
    From the FindnFix folder.
    - Post (paste) the contents of Log.txt in this thread.
    - Attach file Win.txt to the same post. (Please attach, do not paste -- it doesn't format well)
     
  4. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    FindNFix
    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q330994-Q822925-Q824145-Q837009-Q832894-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Tue 07/06/2004
    4:51pm up 0 days, 6:32

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\KBDIFGP.DLL +++ File read error
    \\?\C:\WINDOWS\System32\KBDIFGP.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    KBDIFGP.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    kbdifgp.dll Sat Jul 3 2004 12:09:58a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K


    C:\WINDOWS\SYSTEM32\
    kbdifgp.dll Sat Jul 3 2004 12:09:58a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\KBDIFGP.DLL

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\KBDIFGP.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... KBDIFGP.DLL .....57344 03.07.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 512

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\kbdifgp.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = C:\WINDOWS\System32\kbdifgp.dll
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group YOUR-MB2SWYWKNR\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Sat Jul 3 2004 12:09:46a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Sat Jul 3 2004 12:09:46a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 07-03-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-MB2SWYWKNR\Michael
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: YOUR-MB2SWYWKNR\Michael

    Primary Group: YOUR-MB2SWYWKNR\None



    »»»»»»Backups created...»»»»»»
    4:52pm up 0 days, 6:33
    Tue 07/06/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-06-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 321 07-06-2004 winkey.reg

    »»Performing string scan....
    00001150: vk @ f AppInit_DLLs G
    00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ k b d i f g p . d l
    000011D0:l h vk UDeviceNotSelectedTimeout
    00001210: 1 5 x 9 0 =t vk ' zGDIProce
    00001250:ssHandleQuota" vk Spooler2 y e s _
    00001290: h 0 ` vk 5swapdisk vk
    000012D0: . TransmissionRetryTimeout h 0 `
    00001310: vk ' , USERProcessHandleQuotax
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæG¸ÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\kbdifgp.dll
    yes
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\System32\\kbdifgp.dll"
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710


    **File C:\FINDnFIX\WIN.TXT
    regf
     
  5. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    and the win.txt
     

    Attached Files:

  6. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    ...? hello?
     
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    You can get a fresh notepad at (link removed - site down) if you are worried about it
    It belongs in c:\windows and in c:\windows\system32

    The real problem file is C:\WINDOWS\System32\KBDIFGP.DLL

    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\winhlp32.exe
    (assuming it's still running)

    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Michael\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {60957B79-840B-428E-A028-6E5A813C4225} - C:\WINDOWS\System32\objmhib.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_42.cab


    -Open the C:\FINDnFIX\keys1 folder
    - Locate the "MOVEit.bat" file, Right-Click on it,and choose edit
    The file will open as text file.
    -Copy and paste the following line in bold (all one line) into the 'MOVEit' file, replacing it's contents:
    (make sure you replace the existing line in the file rather than add to it)

    move %WinDir%\System32\KBDIFGP.DLL %SystemDrive%\junkxxx\KBDIFGP.DLL

    Save the file and close it
    Now run Fix.bat from that folder by double clicking on it
    Your computer will restart at this point - allow it to

    ---------------------
    After the reboot navigate to the C:\FINDnFIX\ folder and run restore.bat
    It'll run and produce new log. (log1.txt) post it here!

    Run the C:\FINDnFIX\Files2\ZIPZAP.bat file by double clicking on it.

    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.

    --------
    At that point post back
     
  8. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    ok heres the new FindNFix log



    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Tue 07/06/2004
    8:34pm up 0 days, 0:02

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q330994-Q822925-Q824145-Q837009-Q832894-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.

    No matches found.

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\JUNKXXX\KBDIFGP.222


    C:\JUNKXXX\
    kbdifgp.222 Sat Jul 3 2004 12:09:58a A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\JUNKXXX\KBDIFGP.222

    **File C:\JUNKXXX\KBDIFGP.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- KBDIFGP .222 0000E000 00:09.58 03/07/2004

    rem replace this entire line with your given command...



    --a-- W32i - - - - 57,344 07-03-2004 kbdifgp.222
    A C:\junkxxx\KBDIFGP.222
    File: <C:\junkxxx\KBDIFGP.222>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    »»Permissions:
    C:\junkxxx\KBDIFGP.222 Everyone:(special access:)

    SYNCHRONIZE
    FILE_EXECUTE

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F

    C:\junkxxx\KBDIFGP.222 Everyone:(special access:)

    SYNCHRONIZE
    FILE_EXECUTE

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F

    Directory "C:\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-MB2SWYWKNR\Michael
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: YOUR-MB2SWYWKNR\Michael

    Primary Group: YOUR-MB2SWYWKNR\None

    Directory "C:\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: NT AUTHORITY\SYSTEM

    File "C:\junkxxx\KBDIFGP.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: YOUR-MB2SWYWKNR\Michael

    Primary Group: YOUR-MB2SWYWKNR\None


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access YOUR-MB2SWYWKNR\Michael
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access YOUR-MB2SWYWKNR\Michael



    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Sat Jul 3 2004 12:09:46a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Sat Jul 3 2004 12:09:46a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 07-03-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    00001150: ;E6 =T {/ ;E6
    00001190: =T {/ ;E6 & vk DeviceNotSelecte
    000011D0:dTimeout 1 5 x vk ' y GDIProce
    00001210:ssHandleQuotacte 9 0 y e vk P dlSpooler
    00001250: y e s =t vk swapdisk 0
    00001290:` vk TransmissionRetryTimeout vk
    000012D0: ' I USERProcessHandleQuota 0 `
    00001310: vk y AppInit_DLLs ' @ & H & H &
    00001350:p & P & X & X & ` & ` & h & h & p & p & x & x & & & & &
    00001390: & & & & & & & & & & & & & & & &
    000013D0: & & & & & & & & & & & & & & & &
    00001410: & & & & & & ( & ( & 0 & 0 & 8 & 8 & @ & @ & H & H &
    00001450:p & P & X & X & ` & ` & h & h & p & p & x & x & & & & &
    00001490: & & & & & & & & & & & & & & & &
    000014D0: & & & & & & & & & & & & & & & &
    00001510: & & & & & & ( & ( & 0 & 0 & 8 & 8 & @ & @ & H & H &
    00001550:p

    ---------- WIN.TXT
    fùAppInit_DLLsÖæG¸ÿÿÿC

    ---------- NEWWIN.TXT
    AppInit_DLLs'
    --------------
    yes
    Files2\xcacls
    C:\junkxxx\*.*
    **File C:\FINDnFIX\NEWWIN.TXT
    **File C:\FINDnFIX\NEWWIN.TXT
    00001330: 01 00 00 00 01 00 79 00 . 5F 44 4C 4C 73 10 27 00 ......y. _DLLs.'.
    **File C:\FINDnFIX\NEWWIN.TXT
    regf       Pugf
     
  9. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    ok, i finished all of the steps
     
  10. KurtFF8

    KurtFF8 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    8
    well it seems like its gone, thanks ALOT you dont know how much you helped! ive been trying to get this off for a few days now, thanks alot
     
  11. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    You can remove the c:\junkxx and the C:\findnfix folders now if you'd like

    To get rid of some possible remnants
    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
     
Thread Status:
Not open for further replies.