Hijacked IE

Discussion in 'adware, spyware & hijack cleaning' started by prjay, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. prjay

    prjay Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    4
    Before running HijackThis I ran adAware and Spybot.

    My IE opens with the About:Blank and I continues to be reset by something
    Each time I run ad-Aware I find miners


    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:28 AM, on 7/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ofps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\pjay.AMITY\Desktop\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

    file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

    file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

    http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

    file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

    file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

    http://smbusiness.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {A13CF9D6-CE7C-447A-AF18-E6735ECE1170} -

    C:\WINDOWS\System32\nemak.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

    files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

    AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} -

    C:\WINDOWS\System32\SZIEBHO.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

    Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

    files\google\googletoolbar2.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN

    Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application

    Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"

    startup
    O4 - HKLM\..\Run: [OpScheduler] "C:\Program

    Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft

    Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat

    5.0\Distillr\AcroTray.exe
    O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program

    Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

    Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program

    files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program

    files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program

    files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -

    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program

    files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program

    files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.Chase.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media

    Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -

    http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) -

    http://download.divx.com/player/DivXPlayerInstaller.exe
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) -

    http://cs5b.instantservice.com/jars/customerxsigned33.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.4070138889
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} -

    http://www.qwestdexlive.com/live/ezinit.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -

    http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) -

    http://www.clickloan.com/CAB/PtClickLoan/1,0,0,11/PtClickLoan.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) -

    http://www.gamespot.com/KDX22/download/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amity.local
    O17 - HKLM\Software\..\Telephony: DomainName = amity.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amity.local
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\System32\ofps.exe
    C:\WINDOWS\kdx\KHost.exe


    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
    Download FindnFix http://downloads.subratam.org/FINDnFIX.exe

    Run the APM You installed
    In the upper window select explorer.exe
    In the lower window find and rightclick the BHO from the HijackThis log ( C:\WINDOWS\System32\nemak.dll )
    Select Unload DLL and click OK on the prompts that follow.

    Double Click on the FindnFix.exe you downloaded earlier and it will install into its own folder.
    That folder should be C:\FINDnFIX
    Browse to the folder
    Close all other open windows.
    Run (double click on) the !LOG!.bat file

    Have a coffee

    When it's done:
    From the FindnFix folder.
    - Post (paste) the contents of Log.txt in this thread.
    - Attach file Win.txt to the same post. (Please attach, do not paste -- it doesn't format well)


    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PJAY~1.AMI\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {A13CF9D6-CE7C-447A-AF18-E6735ECE1170} - C:\WINDOWS\System32\nemak.dll
    O15 - Trusted Zone: *.Chase.com
     
  3. prjay

    prjay Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    4
    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q810847-Q813951-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Tue 07/06/2004
    5:36pm up 0 days, 4:57

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\SYSTEM32\COMPO.DLL +++ File read error
    \\?\C:\WINDOWS\System32\COMPO.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    COMPO.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    compo.dll Thu Jun 24 2004 6:20:42p A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K


    C:\WINDOWS\SYSTEM32\
    compo.dll Thu Jun 24 2004 6:20:42p A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMPO.DLL

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMPO.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... COMPO.DLL .....57344 24.06.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group AMITY\Domain Users.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group AMITY\Domain Admins.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Jun 24 2004 6:20:28p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Thu Jun 24 2004 6:20:28p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-24-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x AMITY\Phil
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: AMITY\Phil

    Primary Group: AMITY\Domain Users



    »»»»»»Backups created...»»»»»»
    5:37pm up 0 days, 4:58
    Tue 07/06/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-06-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-06-2004 winkey.reg

    »»Performing string scan....
    00001150: ?
    00001190: vk < f AppInit_
    000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ c o m p o .
    00001210:d l l vk P UDeviceNotSelectedTimeout
    00001250: 1 5 @ 9 0 | vk ' zGDIProce
    00001290:ssHandleQuota" vk Spooler2 y e s n
    000012D0: p vk =pswapdisk vk
    00001310: ` R TransmissionRetryTimeout p
    00001350: X vk ' i USERProcessHandleQuotai x
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\compo.dll
    yes
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710


    **File C:\FINDnFIX\WIN.TXT
            Øÿÿÿvk < Ø   fùAppInit_DLLsÖæGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ c o m p o . d l l  ° Ðÿÿÿvk  P   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  @ ðÿÿÿ9 0  ¸| Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þàÿÿÿvk  À   °ºSpooler2ðÿÿÿy e s Èn  °  p * è àÿÿÿvk  €   =pswapdiskÐÿÿÿvk  `   R¿TransmissionRetryTimeoutàÿÿÿ°  p * è  X Ðÿÿÿvk  €'   i USERProcessHandleQuotai x
    
     

    Attached Files:

  4. prjay

    prjay Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    4
    Didn't work because I forgot to end
    C:\WINDOWS\System32\ofps.exe
    C:\WINDOWS\kdx\KHost.exe

    This time I remembered and these are the results. I don't know if I'm there yet or not. Following directions can be tricky when I'm in a hurry.

    Thanks for your help.


    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q810847-Q813951-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Tue 07/06/2004
    6:34pm up 0 days, 0:16

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\SYSTEM32\COMPO.DLL +++ File read error
    \\?\C:\WINDOWS\System32\COMPO.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    COMPO.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    compo.dll Thu Jun 24 2004 6:20:42p A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K


    C:\WINDOWS\SYSTEM32\
    compo.dll Thu Jun 24 2004 6:20:42p A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMPO.DLL

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\COMPO.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... COMPO.DLL .....57344 24.06.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group AMITY\Domain Users.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group AMITY\Domain Admins.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Jun 24 2004 6:20:28p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Thu Jun 24 2004 6:20:28p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-24-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x AMITY\Phil
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: AMITY\Phil

    Primary Group: AMITY\Domain Users



    »»»»»»Backups created...»»»»»»
    6:35pm up 0 days, 0:17
    Tue 07/06/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-06-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-06-2004 winkey.reg

    »»Performing string scan....
    00001150: ?
    00001190: vk < f AppInit_
    000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ c o m p o .
    00001210:d l l vk P UDeviceNotSelectedTimeout
    00001250: 1 5 @ 9 0 | vk ' zGDIProce
    00001290:ssHandleQuota" vk Spooler2 y e s n
    000012D0: p vk =pswapdisk vk
    00001310: ` R TransmissionRetryTimeout p
    00001350: X vk ' i USERProcessHandleQuotai x
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\compo.dll
    yes
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710


    **File C:\FINDnFIX\WIN.TXT
            Øÿÿÿvk < Ø   fùAppInit_DLLsÖæGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ c o m p o . d l l  ° Ðÿÿÿvk  P   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  @ ðÿÿÿ9 0  ¸| Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þàÿÿÿvk  À   °ºSpooler2ðÿÿÿy e s Èn  °  p * è àÿÿÿvk  €   =pswapdiskÐÿÿÿvk  `   R¿TransmissionRetryTimeoutàÿÿÿ°  p * è  X Ðÿÿÿvk  €'   i USERProcessHandleQuotai x
    
     
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    **********************
    This is the file we need to destroy
    C:\WINDOWS\SYSTEM32\COMPO.DLL

    -Open the C:\FINDnFIX\keys1 folder
    - Locate the "MOVEit.bat" file, Right-Click on it,and choose edit
    The file will open as text file.
    -Copy and paste the following line in bold (all one line) into the 'MOVEit' file, replacing it's contents:
    (make sure you replace the existing line in the file rather than add to it)

    move %WinDir%\System32\COMPO.DLL %SystemDrive%\junkxxx\COMPO.DLL

    Save the file and close it
    Now run Fix.bat from that folder by double clicking on it
    Your computer will restart at this point - allow it to

    ---------------------
    After the reboot navigate to the C:\FINDnFIX\ folder and run restore.bat
    It'll run and produce new log. (log1.txt) post it here!

    Run the C:\FINDnFIX\Files2\ZIPZAP.bat file by double clicking on it.

    -----------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.

    --------
    At that point post back
     
  6. prjay

    prjay Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    4
    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Fri 07/09/2004
    12:08am up 0 days, 0:01

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q810847-Q813951-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.

    No matches found.

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»*»»» Scanning for moved file... »»»*»»»



    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    fgrep: no files found for C:\JUNKXXX\*.*


    move %WinDir%\System32\COMPO.DLL
    %SystemDrive%\junkxxx\COMPO.DLL



    File not found - C:\junkxxx\*.*

    »»Permissions:
    There are no more files.

    ERROR: There are no more files.

    Directory "C:\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000009 --o- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x AMITY\Phil
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: AMITY\Phil

    Primary Group: AMITY\Domain Users

    Directory "C:\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
    Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: BUILTIN\Administrators


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Jun 24 2004 6:20:28p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    C:\WINDOWS\SYSTEM32\DLLCACHE\
    notepad.exe Thu Jun 24 2004 6:20:28p A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K
    --a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-24-2004 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft® Windows® Operating System
    ProductVersion 5.1.2600.0
    FileVersion 5.1.2600.0 (xpclient.010817-114:cool:
    LegalCopyright © Microsoft Corporation. All rights reserved.

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050001:0a280000 (5.1:2600.0)
    ProdVer: 00050001:0a280000 (5.1:2600.0)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    00001150: ?
    00001190: vk UDeviceNo
    000011D0:tSelectedTimeout 1 5 @ vk ' z
    00001210:GDIProcessHandleQuota" 9 0 | vk X
    00001250:Spooler2 y e s n vk =pswapdisk
    00001290: 8 h vk ( R TransmissionRetryTimeout
    000012D0: vk ' i USERProcessHandleQuotai 8
    00001310:h vk { AppInit_DLLs
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæGÀÿÿÿC

    ---------- NEWWIN.TXT
    AppInit_DLLsÿÿÿÿ¸
    --------------
    yes
    **File C:\FINDnFIX\NEWWIN.TXT
           
    **File C:\FINDnFIX\NEWWIN.TXT
    00001338: 01 00 00 00 01 00 7B 00 . 5F 44 4C 4C 73 FF FF FF ......{. _DLLsÿÿÿ
    **File C:\FINDnFIX\NEWWIN.TXT
            Ðÿÿÿvk  à   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  @  ° Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þðÿÿÿ9 0  ¸| àÿÿÿvk  X   °ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk  €   =pswapdisk ° ø 8 h * Ðÿÿÿvk  (   R¿TransmissionRetryTimeoutÐÿÿÿvk  €'   i USERProcessHandleQuotai àÿÿÿ° ø 8 h * Ð  Øÿÿÿvk  €   { AppInit_DLLsÿÿÿÿ¸
     
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Looks ok I think - you could delete the findnfix folder as well as the c:\junkxxx one.

    If it comes back - let me know
     
Thread Status:
Not open for further replies.