[Solved] Highjacked :(

Discussion in 'adware, spyware & hijack cleaning' started by FireAngel, Jul 8, 2004.

Thread Status:
Not open for further replies.
  1. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    yup.. i'm having the same problem as some of the people here that posted....
    here's my hijackthis log...


    Logfile of HijackThis v1.98.0
    Scan saved at 1:11:09 AM, on 08/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Sysreset\mirc.exe
    C:\Documents and Settings\Administrator\Desktop\System Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1DCB3CC5-6E6E-4196-A6D7-1DBA2DB8F1A5} - C:\WINNT\system32\fiampg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O18 - Filter: text/html - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
    O18 - Filter: text/plain - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re: Highjacked :(

    Hi,

    Tick the following items
    Close all browser windows
    Choose fix checked
    Reboot your computer

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1DCB3CC5-6E6E-4196-A6D7-1DBA2DB8F1A5} - C:\WINNT\system32\fiampg.dll

    O18 - Filter: text/html - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
    O18 - Filter: text/plain - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
     
  3. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    i've tried doing that... it goes away for awhile. .but it comes back.. the .dll file changes it's name.... i've done this about 4 times already. .and everytime it's come back... is there any other way?
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  5. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    ok... first i used highjackthis and removed the entries.. afterwards i rebooted.. and tried using the sphjfix... but it said it didn't find anything... then i took a shot and tried the other link ... again.. nothing..

    here's my log for now

    Logfile of HijackThis v1.98.0
    Scan saved at 8:58:44 AM, on 08/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Documents and Settings\Administrator\Desktop\System Tools\HijackThis.exe

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



    the problem has seem to have gone away.. but i have a feeling it will be back..
    also.. could u take a look at my processes?? because i've been looking in other posts... and some people said that scvhost.exe is no good.. and a few other processes.. i would like to know... should i get rid of them? and if so. how? thankyou
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Hi FireAngel,

    To put your mind at ease about the svchost.exe file, see: Microsoft - Description of Svchost.exe in Windows 2000. It is also quite normal to see more than two instances of it running in your Running Processes (I have 3 at the moment myself showing there) :)

    If it was in another location other than the Windows System32 folder, or if it was spelled in any other way, then yes, it would be a bad file. But your svchost.exe file is legitimate. If you ever have any doubts about a file, you can always upload an individual file for a scan at Kaspersky, or get a second opinion with an on-line antivirus scanner from here: Free Services.

    I would like to see you also do a scan with AdAware6 too. The download links and instructions can be found here.

    ____

    It looks like the tools Gavin suggested has cleaned up the CWS infection you had as your log isn't showing any signs of it. We could do a check to make sure the hidden dll is gone. Follow the instructions below carefully:

    Download FINDnFIX.exe (2K/XP only!) by freeatlast, from ~removed link as new version released and the following instructions have changed - snap.

    Double-Click on the FINDnFIX.exe and it will install to a folder called FINDnFIX on your system.

    Open the FINDnFIX folder and double click on !LOG!.bat
    IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FINDnFIX folder.

    The program will generalte a Log.txt file, but this takes a few minutes for it to collect the necessary information.

    When the program is finished running, open the FINDnFIX folder, and find the Log.txt file.
    Post the contents of Log.txt in your next reply.

    Note:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

    Regards,

    snap
     
    Last edited: Jul 10, 2004
  7. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    actually i've ran a few spyware adware programs...
    adware 6.0
    bazooka spyware scanner
    noadware
    registry mechanic
    spybot S&D 1.3
    spyware doctor

    they don't seem to pick up anything.. and they didn't pick up anything when i still had the files on there.. wierd...


    i've gone to that link.. but when i try to download the FINDnFIX.exe 2k/xp only.. it's unavailable... is there another link somewhere else? cuz i tried to google it.. but couldn't find one other than freeatlast...
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    humm...not at the moment, and it does go down. You can try it again in a few hour's and see if it is back up.

    FireAngle, what build of AdAware6 are you using? I just want to be sure you have the most recent build, which is build 6.181 with the most recent Reference Number being : 01R330 07.07.2004

    The tools Gavin gave you may have very well removed the infection completely. :)

    Regards,

    snap
     
  9. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    ok.. i've finally been able to download the FINDnFIX lol here's my log !


    »»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows 2000 [Version 5.00.2195]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q832894-Q330994-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Thu 08/07/2004
    7:25pm up 0 days, 0:03

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINNT\System32\HLPBD.DLL +++ File read error
    \\?\C:\WINNT\System32\HLPBD.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    HLPBD.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINNT\SYSTEM32\
    hlpbd.dll Sun Jul 4 2004 1:45:18a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K


    C:\WINNT\SYSTEM32\
    hlpbd.dll Sun Jul 4 2004 1:45:18a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\HLPBD.DLL

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\HLPBD.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINNT\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... HLPBD.DLL .....57344 04.07.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group JAMES\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINNT\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\DLLCACHE\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K
    --a-- W32i APP ENU 5.0.2140.1 shp 50,960 07-23-2002 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft(R) Windows (R) 2000 Operating System
    ProductVersion 5.00.2140.1
    FileVersion 5.00.2140.1
    LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050000:085c0001 (5.0:2140.1)
    ProdVer: 00050000:085c0001 (5.0:2140.1)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: JAMES\None



    »»»»»»Backups created...»»»»»»
    7:25pm up 0 days, 0:04
    Thu 08/07/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-08-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 288 07-08-2004 winkey.reg

    »»Performing string scan....
    00001150: ?
    00001190: P
    000011D0: vk r DeviceNotSelectedTimeout 1 5
    00001210: vk ' " GDIProcessHandleQuota c
    00001250: vk p o Spooler y e s e n vk
    00001290: \ swapdisk vk c TransmissionRetryTimeout
    000012D0: 9 0 vk ' : USERProcessHandleQuotae
    00001310: vk o AppInit_DLLsi n
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    AppInit_DLLsi
    --------------
    --------------
    yes
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"="?"


    **File C:\FINDnFIX\WIN.TXT
            àÿÿÿØ  P € * à  Ðÿÿÿvk     r DeviceNotSelectedTimeoutèÿÿÿ1 5  ˆ Ø  Ðÿÿÿvk  €'   " GDIProcessHandleQuota c àÿÿÿvk  p   o Spooler ðÿÿÿy e s e n àÿÿÿvk  €   \ swapdiskÐÿÿÿvk  Ð   c TransmissionRetryTimeoutðÿÿÿ9 0  ˆ Ðÿÿÿvk  €'   : USERProcessHandleQuotae Øÿÿÿvk €   o AppInit_DLLsi n È ÿÿÿÿ










    i think there's still 1 problem. no?
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Hi FireAngle,

    Yes, the HLPBD.DLL is the bad dll but before we go any further I want you to go back into the FINDnFIX folder and look for the Win.txt, and "attach" it here in your next reply post (don't copy & paste it, just use the attachement feature in your next reply).

    Then in the keys1 folder, can you tell me if there is a MOVEit.bat file there? Don't do anything with it yet, I just want to see if it is there or not.

    I would also like for you to post your AdAware scan log here too so I can see what it missed.

    Then we'll go onto the next steps.

    Regards,

    snap
     
    Last edited: Jul 8, 2004
  11. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    ok.. i found the win.txt... i've attached it..
    yes.. there is a MOVEit.bat file there...
    and here's my adaware log.



    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :July 8, 2004 7:12:00 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R331 08.07.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    08/07/2004 7:12:00 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 08/07/2004 8:19:31 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:37 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:39 PM
    BasePriority : Normal
    FileSize : 87 KB
    FileVersion : 5.00.2195.6700
    ProductVersion : 5.00.2195.6700
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:24:12 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:39 PM
    BasePriority : Normal
    FileSize : 32 KB
    FileVersion : 5.00.2195.6902
    ProductVersion : 5.00.2195.6902
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : LSA Executable and Server DLL (Export Version)
    InternalName : lsasrv.dll and lsass.exe
    OriginalFilename : lsasrv.dll and lsass.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:23:54 PM
    Last modified : 25/02/2004 11:59:07 PM

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:42 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:18:44 PM
    Last modified : 23/07/2002 12:00:00 PM

    #:6 [ccsetmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 08/07/2004 8:19:42 PM
    BasePriority : Normal
    FileSize : 229 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Settings Manager Service
    InternalName : ccSetMgr
    OriginalFilename : ccSetMgr.exe
    ProductName : Common Client
    Created on : 27/02/2004 4:14:22 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 10/11/2003 6:30:12 PM

    #:7 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 08/07/2004 8:19:43 PM
    BasePriority : Normal
    FileSize : 249 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Common Client
    Created on : 27/02/2004 4:14:22 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 10/11/2003 6:30:04 PM

    #:8 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:44 PM
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 5.00.2195.6659
    ProductVersion : 5.00.2195.6659
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolss.exe
    OriginalFilename : spoolss.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 26/02/2004 10:03:08 PM
    Last accessed : 08/07/2004 10:24:14 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:9 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 08/07/2004 8:19:44 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:18:44 PM
    Last modified : 23/07/2002 12:00:00 PM

    #:10 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 08/07/2004 8:19:45 PM
    BasePriority : Normal
    FileSize : 155 KB
    FileVersion : 10.00.2
    ProductVersion : 10.00.2
    Copyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 15/05/2004 12:39:17 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 23/04/2004 3:04:18 PM

    #:11 [nvsvc32.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:45 PM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 6.14.10.5303
    ProductVersion : 6.14.10.5303
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 53.03
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 53.03
    Created on : 17/11/2003 3:33:00 PM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 17/11/2003 3:33:00 PM

    #:12 [regsvc.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:48 PM
    BasePriority : Normal
    FileSize : 66 KB
    FileVersion : 5.00.2195.6701
    ProductVersion : 5.00.2195.6701
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Remote Registry Service
    InternalName : regsvc
    OriginalFilename : REGSVC.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 27/02/2004 3:34:24 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:13 [savscan.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 08/07/2004 8:19:48 PM
    BasePriority : Normal
    FileSize : 189 KB
    FileVersion : 9.2.1.14
    ProductVersion : 9.2
    Copyright : Copyright (c) 2003 Symantec Corporation
    CompanyName : Symantec Corporation
    FileDescription : Symantec AntiVirus Scanner
    InternalName : SAVSCAN
    OriginalFilename : SAVSCAN.EXE
    ProductName : Symantec AntiVirus AutoProtect
    Created on : 27/02/2004 4:14:25 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 04/12/2003 11:22:30 PM

    #:14 [mstask.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:49 PM
    BasePriority : Normal
    FileSize : 116 KB
    FileVersion : 4.71.2195.6704
    ProductVersion : 4.71.2195.6704
    Copyright : Copyright (C) Microsoft Corp. 1997
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    OriginalFilename : mstask.exe
    ProductName : Microsoft
    Created on : 27/02/2004 3:34:01 AM
    Last accessed : 08/07/2004 10:23:59 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:15 [symlcsvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ThreadCreationTime : 08/07/2004 8:19:49 PM
    BasePriority : Normal
    FileSize : 572 KB
    FileVersion : 1, 8, 48, 77
    ProductVersion : 1, 8, 48, 77
    Copyright : Copyright (C) 2003
    CompanyName : Symantec Corporation
    FileDescription : Symantec Core Component
    InternalName : symlcsvc
    OriginalFilename : symlcsvc.exe
    ProductName : Symantec Core Component
    Created on : 27/02/2004 4:11:12 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 27/02/2004 4:11:12 AM

    #:16 [winmgmt.exe]
    FilePath : C:\WINNT\System32\WBEM\
    ThreadCreationTime : 08/07/2004 8:19:50 PM
    BasePriority : Normal
    FileSize : 192 KB
    FileVersion : 1.50.1085.0100
    ProductVersion : 1.50.1085.0100
    Copyright : Copyright (C) Microsoft Corp. 1995-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Management Instrumentation
    InternalName : WINMGMT
    ProductName : Windows Management Instrumentation
    Created on : 27/02/2004 3:34:55 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:17 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:51 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:18:44 PM
    Last modified : 23/07/2002 12:00:00 PM

    #:18 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 08/07/2004 8:19:56 PM
    BasePriority : Normal
    FileSize : 237 KB
    FileVersion : 5.00.3700.6690
    ProductVersion : 5.00.3700.6690
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 27/02/2004 3:32:39 AM
    Last accessed : 08/07/2004 10:24:27 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:19 [itouch.exe]
    FilePath : C:\Program Files\Logitech\iTouch\
    ThreadCreationTime : 08/07/2004 8:20:01 PM
    BasePriority : Normal
    FileSize : 872 KB
    FileVersion : 2.21.270
    ProductVersion : 2.21.270
    Copyright : (C) 1998-2003 Logitech. All rights reserved.
    CompanyName : Logitech Inc.
    FileDescription : iTouch Application
    InternalName : iTouch
    OriginalFilename : iTouch.exe
    ProductName : iTouch
    Created on : 27/02/2004 3:57:31 AM
    Last accessed : 08/07/2004 10:18:43 PM
    Last modified : 14/01/2004 8:55:20 PM

    #:20 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 08/07/2004 8:20:01 PM
    BasePriority : Normal
    FileSize : 69 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client User Session
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 27/02/2004 4:14:22 AM
    Last accessed : 08/07/2004 10:18:43 PM
    Last modified : 10/11/2003 6:30:02 PM

    #:21 [em_exec.exe]
    FilePath : C:\Program Files\Logitech\MouseWare\system\
    ThreadCreationTime : 08/07/2004 8:20:01 PM
    BasePriority : Normal
    FileSize : 37 KB
    FileVersion : 9.79.025
    ProductVersion : 9.79.025
    Copyright : (C) 1987-2003 Logitech. All rights reserved.
    CompanyName : Logitech Inc.
    FileDescription : Logitech Events Handler Application
    InternalName : Em_Exec
    OriginalFilename : Em_Exec.exe
    ProductName : MouseWare
    Created on : 27/02/2004 4:01:05 AM
    Last accessed : 08/07/2004 10:18:43 PM
    Last modified : 08/01/2004 2:50:00 PM

    #:22 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 08/07/2004 11:03:02 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 08/07/2004 11:01:16 PM
    Last accessed : 08/07/2004 11:03:02 PM
    Last modified : 13/07/2003 1:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    7:14:17 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:02:17:219
    Objects scanned :79722
    Objects identified :0
    Objects ignored :0
    New objects :0
     

    Attached Files:

  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Ahh good good, that's what I wanted to hear. :) (I must have just got a bad download because I didn't have a MOVEit.bat file this time) But at least you do and that's all that counts! ;)

    Give me a minute to go through the log and I'll post the next step (stay with me now and don't reboot or anything)

    Regards,

    snap
     
  13. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    cool :D btw thanks alot for helping.. everyone in this forum is so nice to help .. good thing i found this forum. .or else i would have formated my computer: \
     
  14. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Follow this step carefuly:

    Open the FindnFix folder.
    Open the keys1 folder.

    If you should receive an error while trying to edit, see the Note below.

    Locate the MOVEit.bat file, and Right-Click on it and select --> "edit".
    Copy and paste the bolded line below (all of it) into the batch file, replacing the line there.

    move %WinDir%\System32\HLPBD.DLL %SystemDrive%\junkxxx\HLPBD.DLL

    Save the file and close.

    (This next step will cause a restart of your computer)
    While still in the 'keys1 folder', Double-Click on the FIX.bat file.
    You will get an Alert to restart in about 15 seconds.
    Allow it to restart the computer!

    On restart, go to the FindnFix folder again.
    Double-Click on the RESTORE.bat file and let it run.
    When it is finished, it will have created a 'Log1.txt' file in the FINDnFIX folder.
    Find the Log1.txt file, open it, and copy & past its contents here in your next post.


    =====

    Note:
    Occasionally when trying to edit the MOVEit.bat file the following error occurs:
    "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

    If you get that error, then follow these steps instead:
    Open the FindnFix folder.
    Open the keys1 folder.

    Double click on FIX.bat
    You will get an alert of about 15 seconds before reboot. Allow it to reboot!

    On restart, open Explorer and navigate to C:\Windows\System32 folder
    Find the HLPBD.DLL file (it should be visible now)
    Highlight the file and using top menu, click Edit --> Move to folder...
    Select C:\junkxxx as destination.
    Move the file.

    Open the FINDnFIX folder again.
    Double-click on RESTORE.bat
    When it is finished, it will have created a 'Log1.txt' file in the FINDnFIX folder.
    Find the Log1.txt file, open it, and copy & paste its contents here in your next reply.


    snap
     
  15. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    ok.. the first method worked... i did that.. and here's the log..

    »»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

    Thu 08/07/2004
    9:28pm up 0 days, 0:01

    Microsoft Windows 2000 [Version 5.00.2195]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q832894-Q330994-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.

    No matches found.

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



    »»»»»(5)»»»»»
    **File C:\WINNT\SYSTEM32\DLLXXX.TXT

    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\JUNKXXX\HLPBD.222


    C:\JUNKXXX\
    hlpbd.222 Sun Jul 4 2004 1:45:18a A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\JUNKXXX\HLPBD.222

    **File C:\JUNKXXX\HLPBD.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- HLPBD .222 0000E000 01:45.18 04/07/2004

    move %WinDir%\System32\HLPBD.DLL %SystemDrive%\junkxxx\HLPBD.DLL


    --a-- W32i - - - - 57,344 07-04-2004 hlpbd.222
    A C:\junkxxx\HLPBD.222
    File: <C:\junkxxx\HLPBD.222>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    »»Permissions:
    C:\junkxxx\HLPBD.222 Everyone:(special access:)

    SYNCHRONIZE
    FILE_EXECUTE

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F

    C:\junkxxx\HLPBD.222 Everyone:(special access:)

    SYNCHRONIZE
    FILE_EXECUTE

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F

    Directory "C:\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: BUILTIN\Administrators

    Primary Group: JAMES\None

    Directory "C:\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: BUILTIN\Administrators

    File "C:\junkxxx\HLPBD.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: BUILTIN\Administrators

    Primary Group: JAMES\None


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Notepad check....

    C:\WINNT\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\DLLCACHE\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K
    --a-- W32i APP ENU 5.0.2140.1 shp 50,960 07-23-2002 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft(R) Windows (R) 2000 Operating System
    ProductVersion 5.00.2140.1
    FileVersion 5.00.2140.1
    LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050000:085c0001 (5.0:2140.1)
    ProdVer: 00050000:085c0001 (5.0:2140.1)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    00001150: ?
    00001190: _^ P
    000011D0: vk r DeviceNotSelectedTimeout 1 5
    00001210: vk ' " GDIProcessHandleQuota c
    00001250: vk p o Spooler y e s e n vk
    00001290: \ swapdisk vk c TransmissionRetryTimeout
    000012D0: 9 0 vk ' : USERProcessHandleQuotae
    00001310: vk ogAppInit_DLLsVers U M U SVW }
    00001350:j 3 X M j + ^ Nu j [9] r: M I f 9/t.9] U M
    00001390: 4 f 9/ \ | ~ t _^[] ] 9 t j [ h Q
    000013D0: YY h P YY hx P YY
    00001410: ht P YY hh P h YY hd P O
    00001450: YY r hX P 6 YY E hT P YY ,
    00001490:hL P YY hH P YY h< P Y
    000014D0:Y h8 P YY h( P YYt| h$ P
    00001510: YYtg h P v YYtJ h P a YYt5 h P L
    00001550:

    ---------- WIN.TXT
    AppInit_DLLsi

    ---------- NEWWIN.TXT
    ogAppInit_DLLsVersÈ
    --------------
    yes
    **File C:\FINDnFIX\NEWWIN.TXT
            ‹Ç_^àÿÿÿØ  P € * à  Ðÿÿÿvk     r DeviceNotSelectedTimeoutèÿÿÿ1 5  ˆ Ø  Ðÿÿÿvk  €'   " GDIProcessHandleQuota c àÿÿÿvk  p   o Spooler ðÿÿÿy e s e n àÿÿÿvk  €   \ swapdiskÐÿÿÿvk  Ð   c TransmissionRetryTimeoutðÿÿÿ9 0  ˆ Ðÿÿÿvk  €'   : USERProcessHandleQuotae Øÿÿÿvk  €   ogAppInit_DLLsVersÈ ÿÿÿÿÃU‹ì‹M‹USVW‹}j3ÛX‰‹Mj‰+Ñ^‰
    **File C:\FINDnFIX\NEWWIN.TXT
    00001328: 01 00 00 00 01 00 6F 67 . 5F 44 4C 4C 73 56 65 72 ......og _DLLsVer
    **File C:\FINDnFIX\NEWWIN.TXT
            ‹Ç_^àÿÿÿØ  P € * à  Ðÿÿÿvk     r DeviceNotSelectedTimeoutèÿÿÿ1 5  ˆ Ø  Ðÿÿÿvk  €'   " GDIProcessHandleQuota c àÿÿÿvk  p   o Spooler ðÿÿÿy e s e n àÿÿÿvk  €   \ swapdiskÐÿÿÿvk  Ð   c TransmissionRetryTimeoutðÿÿÿ9 0  ˆ Ðÿÿÿvk  €'   : USERProcessHandleQuotae Øÿÿÿvk  €   ogAppInit_DLLsVersÈ ÿÿÿÿÃU‹ì‹M‹USVW‹}j3ÛX‰‹Mj‰+Ñ^‰
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Almost there FireAngel :)


    Open the FINDnFIX folder again, then open the Files2 folder. Double-click on the ZIPZAP.bat file.
    It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

    Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

    Please remember to include a link to this thread in the email.

    When done, delete the entire FINDnFIX folder with the infected file(s).

    Make sure you have the most recent version of CWShredder v.1.59.01.
    Close ALL browsers and any open windows or programs before running CWShredder.
    Unzip the program, double-click the CWShredder.exe to open it, then click the *Fix button (not the scan button) and follow the instructions you will receive when the program runs.

    Rescan with AdAware again, then reboot your computer.

    Post a new Hijackthis log here so we can clean up anything left over.

    Regards,

    snap
     
  17. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    okay.. everything worked out well.. i couldn't post cuz of forum upgrades.. : \

    but i'm here now! here's the log!

    Logfile of HijackThis v1.98.0
    Scan saved at 12:24:08 PM, on 09/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Administrator\Desktop\System Tools\HijackThis.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
     
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Clean! Great work FireAngel! With the help of freeatlast's FINDnFIX tool, and your ability to stay persistant and follow a lengthy fix, you've got your computer back, and clean!

    Just some minor cleanup now.

    Empty your Temp folders' contents:
    C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    Open Internet Explorer - >Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Empty the Recycle Bin

    make sure to visit Microsoft's Update Site to keep all Security Patches and Critical Updates current.

    And here's a few steps you can follow to help tighten your security and prevent future infection:
    Why did I get infected in the first place?

    Regards,

    snap
     
  19. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    Thanks Snapdragin!
    if u live in the toronto area let me treat u to dinner some time! i'll probably post a log of my sister's computer in a new thread.. just to see what's up with hers : \
    cheerS! :D
     
  20. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    :) You're very welcome FireAngel, glad we could help!

    Yes, it would be a good idea to start a new thread for your sister's log (put something in the title that it's for your sister so the Spyware Fighters won't think it's a duplicate post)

    Let's see, Timmy's for lunch! ;)

    Regards,

    snap
     
Thread Status:
Not open for further replies.