browser hijaked

Discussion in 'adware, spyware & hijack cleaning' started by hellfighter333, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. hellfighter333

    hellfighter333 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    3
    I've ran spybot as well as ad-aware and still I get pop-ups from spywareguard showung my browser being hijacked. This is my log.
    Logfile of HijackThis v1.97.7
    Scan saved at 10:04:40 AM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CasinoOnline\CsRemnd.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Mike\My Documents\set ups\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jifj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jifj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SEARCH (HKLM)
    O9 - Extra button: ENTERTAINMENT (HKLM)
    O9 - Extra button: PILLS (HKLM)
    O9 - Extra button: SECURITY (HKLM)
    O9 - Extra button: SEARCH (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O19 - User stylesheet: C:\WINDOWS\win32.bmp (file missing)
     
  2. free@tlast

    free@tlast Spyware Expert

    Joined:
    Jun 15, 2004
    Posts:
    32
    Restart your computer in Safe Mode:

    Find and delete- (if exist)
    Program Files\CasinoOnline< folder
    Program Files\Internet Explorer\IEengine.exe< trojan
    WINDOWS\System32\services< folder
    WINDOWS\win32.exe< virus
    windows\win.exe< trojan

    Get rid of BearShare: full of bundleware!
    Uninstall and delete the
    Program Files\BearShare< folder!

    Run hijackthis and fix checked:
    Rescan again, compare and be sure all
    the pointed lines are gone!

    If so, Download and install:
    "FINDnFIX.exe" from:
    here
    or here

    Run the "!LOG!.bat" file, wait for the final output (log.txt)
    post the results....Along with fresh hijackthis log!
     
  3. hellfighter333

    hellfighter333 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    3
    I did as you suggested. These are the logs for hijackthis and FINDnFIX. What next? Thanx for the help!!
    Logfile of HijackThis v1.97.7
    Scan saved at 1:37:05 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CasinoOnline\CsRemnd.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\BCMSMMSG.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mike\My Documents\set ups\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Mike\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jifj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jifj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D42CBD11-0528-40EA-95A8-E090ACA6E8EE}: NameServer = 216.163.120.19 216.163.120.21


    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    The type of the file system is NTFS.
    C: is not dirty.

    Wed 06/30/2004
    1:32pm up 0 days, 0:26

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\COMGA.DLL +++ File read error
    \\?\C:\WINDOWS\System32\COMGA.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    COMGA.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    comga.dll Wed May 12 2004 9:39:30a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMGA.DLL
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group DELL2400\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Aug 29 2002 4:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\
    notepad.exe Thu Aug 29 2002 4:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x DELL2400\Mike
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: DELL2400\Mike

    Primary Group: DELL2400\None



    »»»»»»Backups created...»»»»»»
    1:33pm up 0 days, 0:28
    Wed 06/30/2004

    A C:\FINDnFIX\winBack.hiv
    --a-- - - - - - 8,192 06-30-2004 winback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 06-30-2004 winkey.reg

    »»Performing 16bit string scan....

    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    Windows
    AppInit
    UDeviceNotSelectedTimeout
    zGDIProcessHandleQuota"
    Spooler2
    5swapdisk
    TransmissionRetryTimeout
    USERProcessHandleQuota3

    **File C:\FINDnFIX\WIN.TXT
    regf       Pugf
    
     
  4. free@tlast

    free@tlast Spyware Expert

    Joined:
    Jun 15, 2004
    Posts:
    32
    Well done!
    Your bad file is positively identified on all counts!
    This will take couple or more steps to fix.
    Be sure to Follow the next set of steps carefully, in
    the exact order specified:


    -Open the FINDnFIX\Keys1 Subfolder!
    - Locate the "MOVEit.bat" file, Right-Click
    on it,select->edit:
    The file will open as text file.
    -Copy and paste the entire hilited line in the following quote box
    (all one line) into the 'MOVEit' file, replacing it's contents:
    Be sure to Replace the text in the file with the command above!


    -Save the file and close.

    *Get ready to restart your computer:
    -In the same folder, DoubleClick on the "FIX.bat" file.
    You will be prompted by popup -Alert to restart in 15 seconds.
    -Allow it to restart the computer!

    -On restart, Navigate to:
    C:\FINDnFIX\ main folder:
    -DoubleClick on the "RESTORE.bat" file.

    It'll run and produce new log. (log1.txt) post it here!
    ===================================
    *Note:
    Some *crippled version(s) of XP would not let you edit .bat files!

    In case of any errors while editing the 'MOVEit' or no
    edit options, etc
    Don't follow the steps above but
    Use the alternate steps in the following quote box:
    If the first set of steps (MOVEit/edit/paste/save, etc)
    was successful, there is no need to follow the alternate steps above!


    Good luck :cool:
     
  5. hellfighter333

    hellfighter333 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    3
    This is the file frome the log from the RESTORE.bat. It appears as though everything worked as planned, but you would know better than me. Is it fixed? I want you to know that you have been a huge help to me!! Thank YOU!


    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Wed 06/30/2004
    9:07pm up 0 days, 0:01

    Microsoft Windows XP [Version 5.1.2600]
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»*»»» Scanning for moved file... »»»*»»»
    * result\\?\C:\junkxxx\COMGA.222


    C:\JUNKXXX\
    comga.222 Wed May 12 2004 9:39:30a A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\JUNKXXX\COMGA.222

    **File C:\JUNKXXX\COMGA.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    move %WinDir%\System32\COMGA.DLL %SystemDrive%\junkxxx\COMGA.DLL




    --a-- W32i - - - - 57,344 05-12-2004 comga.222
    A C:\junkxxx\COMGA.222
    File: <C:\junkxxx\COMGA.222>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    »»Permissions:
    C:\junkxxx\COMGA.222 Everyone:(special access:)

    SYNCHRONIZE
    FILE_EXECUTE

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F

    Directory "C:\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x DELL2400\Mike
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: DELL2400\Mike

    Primary Group: DELL2400\None

    Directory "C:\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: BUILTIN\Administrators

    File "C:\junkxxx\COMGA.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: DELL2400\Mike

    Primary Group: DELL2400\None


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Aug 29 2002 4:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\
    notepad.exe Thu Aug 29 2002 4:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.


    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC

    ---------- NEWWIN.TXT
    AppInit_DLLsecte
    **File C:\FINDnFIX\NEWWIN.TXT
    Ñ_åàÿÿÿvk  €   5swapdisk h ° ð  X Ðÿÿÿvk  à   . TransmissionRetryTimeoutÐÿÿÿvk  €'   b USERProcessHandleQuota3 àÿÿÿh ° ð  X ˆ Ø Øÿÿÿvk  €   y AppInit_DLLsecte

    **File C:\FINDnFIX\NEWWIN.TXT
    000012F0: 01 00 00 00 01 00 79 00 . 5F 44 4C 4C 73 65 63 74 ......y. _DLLsect
    **File C:\FINDnFIX\NEWWIN.TXT
    Ñ_åàÿÿÿvk  €   5swapdisk h ° ð  X Ðÿÿÿvk  à   . TransmissionRetryTimeoutÐÿÿÿvk  €'   b USERProcessHandleQuota3 àÿÿÿh ° ð  X ˆ Ø Øÿÿÿvk  €   y AppInit_DLLsecte
     
  6. free@tlast

    free@tlast Spyware Expert

    Joined:
    Jun 15, 2004
    Posts:
    32
    Excellent results! ;)

    Last steps:

    -Open the FINDnFIX\Files2< Subfolder:
    Run the -> "ZIPZAP.bat" file.
    It will quickly clean the rest and
    will make a copy of the bad file(s) in the same
    folder (junkxxx.zip) and open your email client with instructions:
    Simply drag and drop the 'junkxxx.zip' file from
    the folder into the mail message and submit
    to the specified addresses! Thanks!

    When done, restart your computer and
    Delete and entire 'FINDnFIX' file+folder(s)
    From C:\, and be sure the C:\junkxxx folder
    was deleted (as part of the cleanup process)


    As for the remains, run any and all
    removal tools once again as they should work properly now!
    In particular,
    CWShredder.exe and fully updated Ad-Aware!

    Feel free to post follow up hijackthis log when done! ;)
     
Thread Status:
Not open for further replies.