[Solved] Highjacked :(

Discussion in 'adware, spyware & hijack cleaning' started by FireAngel, Jul 8, 2004.

  1. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Yup... I'm having the same problem as some of the people here who posted.
    Here's my HijackThis log...


    Logfile of HijackThis v1.98.0
    Scan saved at 1:11:09 AM, on 08/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Sysreset\mirc.exe
    C:\Documents and Settings\Administrator\Desktop\System Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1DCB3CC5-6E6E-4196-A6D7-1DBA2DB8F1A5} - C:\WINNT\system32\fiampg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O18 - Filter: text/html - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
    O18 - Filter: text/plain - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re: Highjacked :(

    Hi,

    Tick the following items
    Close all browser windows
    Choose fix checked
    Reboot your computer

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1DCB3CC5-6E6E-4196-A6D7-1DBA2DB8F1A5} - C:\WINNT\system32\fiampg.dll

    O18 - Filter: text/html - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
    O18 - Filter: text/plain - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
     
  3. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    I've tried doing that... it goes away for a while, but it comes back. The .dll file changes its name. I've done this about 4 times already, and every time it's come back. Is there any other way?
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  5. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    OK... first I used HijackThis and removed the entries. Afterwards I rebooted and tried using the sphjfix, but it said it didn't find anything. Then I took a shot and tried the other link... again, nothing.

    Here's my log for now:

    Logfile of HijackThis v1.98.0
    Scan saved at 8:58:44 AM, on 08/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Documents and Settings\Administrator\Desktop\System Tools\HijackThis.exe

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



    The problem seems to have gone away, but I have a feeling it will be back.
    Also, could you take a look at my processes? I've been looking in other posts, and some people said that svchost.exe is no good, and a few other processes. I would like to know: should I get rid of them? And if so, how? Thank you.
     
  6. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Hi FireAngel,

    To put your mind at ease about the svchost.exe file, see: Microsoft - Description of Svchost.exe in Windows 2000. It is also quite normal to see more than two instances of it running in your Running Processes (I have 3 at the moment myself showing there) :)

    If it was in another location other than the Windows System32 folder, or if it was spelled in any other way, then yes, it would be a bad file. But your svchost.exe file is legitimate. If you ever have any doubts about a file, you can always upload an individual file for a scan at Kaspersky, or get a second opinion with an on-line antivirus scanner from here: Free Services.

    I would like to see you do a scan with AdAware6 too. The download links and instructions can be found here.

    ____

    It looks like the tools Gavin suggested have cleaned up the CWS infection you had, as your log isn't showing any signs of it. We could do a check to make sure the hidden dll is gone. Follow the instructions below carefully:

    Download FINDnFIX.exe (2K/XP only!) by freeatlast, from ~removed link as new version released and the following instructions have changed - snap.

    Double-Click on the FINDnFIX.exe and it will install to a folder called FINDnFIX on your system.

    Open the FINDnFIX folder and double click on !LOG!.bat
    IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FINDnFIX folder.

    The program will generate a Log.txt file, but it takes a few minutes to collect the necessary information.

    When the program is finished running, open the FINDnFIX folder, and find the Log.txt file.
    Post the contents of Log.txt in your next reply.

    Note: If your AntiVirus is running a script blocker, when you run this tool you will probably receive an alert warning you that the script is running. "Allow" the script to run.

    Regards,

    snap
     
    Last edited: Jul 10, 2004
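As an added example, not HijackThis code and not anything the thread's posters ran, the following Python script applies the checks made in this thread to a HijackThis v1.98-style log: R0/R1 search entries redirected to a local file:// page, an O2 BHO with no name, an O18 text/html or text/plain filter whose DLL is also registered as a BHO, and svchost.exe judged by folder and exact spelling as snapdragin describes. The sample log is constructed from the entries posted above, with one constructed look-alike process line (scvhost.exe) added to exercise the spelling check.

```python
# Added example: not HijackThis's code nor anything the thread's posters ran.
import re
from dataclasses import dataclass

SYSTEM32 = r"c:\winnt\system32"   # Windows 2000 system folder, as on this machine
FILE_URL = re.compile(r"=\s*file://", re.IGNORECASE)

@dataclass
class Finding:
    kind: str   # short tag for the indicator class
    line: str   # the log line that triggered it
    note: str   # why it matters / cross-reference

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_log(text: str):
    """Return (process paths, [(code, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = re.match(r"^([RO]\d{1,2}) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def check_processes(processes):
    """svchost.exe is legitimate only in System32 and only when spelled exactly so."""
    findings = []
    for path in processes:
        folder, _, name = path.rpartition("\\")
        lname = name.lower()
        if lname == "svchost.exe":
            if folder.lower() != SYSTEM32:
                findings.append(Finding("svchost-wrong-folder", path,
                                        "svchost.exe running from outside System32"))
        elif lname.endswith(".exe") and levenshtein(lname, "svchost.exe") <= 2:
            findings.append(Finding("svchost-lookalike", path,
                                    "name resembles svchost.exe but is spelled differently"))
    return findings

def check_entries(entries):
    """Flag the R0/R1, O2 and O18 patterns that were ticked for fixing in this thread."""
    bho_dlls = {body.split(" - ")[-1].strip().lower() for code, body in entries if code == "O2"}
    findings = []
    for code, body in entries:
        text = f"{code} - {body}"
        if code in ("R0", "R1") and FILE_URL.search(body):
            findings.append(Finding("ie-search-redirect", text,
                                    "IE search setting points at a local file:// page"))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding("unnamed-bho", text, "browser helper object with no name"))
        elif code == "O18" and body.startswith("Filter:"):
            # O18 - Filter: <mime type> - {CLSID} - <dll path>
            mime, _, dll = [p.strip() for p in body[len("Filter:"):].split(" - ", 2)]
            if mime.lower() in ("text/html", "text/plain"):
                note = "MIME filter DLL sees every page of this type before IE renders it"
                if dll.lower() in bho_dlls:
                    note += "; the same DLL is also loaded as a BHO"
                findings.append(Finding("mime-filter", text, note))
    return findings

def triage(text: str):
    processes, entries = parse_log(text)
    return check_processes(processes) + check_entries(entries)

# Constructed sample: a subset of the first log posted in this thread, plus a
# constructed look-alike process (scvhost.exe) that the spelling rule should catch.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\scvhost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {1DCB3CC5-6E6E-4196-A6D7-1DBA2DB8F1A5} - C:\WINNT\system32\fiampg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O18 - Filter: text/html - {57593527-5F16-412C-B7C2-F670AA8E730A} - C:\WINNT\system32\fiampg.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.note}")
```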
  7. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    Actually, I've run a few spyware/adware programs:
    Ad-aware 6.0
    Bazooka spyware scanner
    NoAdware
    Registry Mechanic
    Spybot S&D 1.3
    Spyware Doctor

    They don't seem to pick up anything, and they didn't pick up anything when I still had the files on there. Weird...


    I've gone to that link, but when I try to download the FINDnFIX.exe (2K/XP only), it's unavailable. Is there another link somewhere else? I tried to Google it, but couldn't find one other than freeatlast...
     
  8. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Hmm... not at the moment, and it does go down. You can try it again in a few hours and see if it is back up.

    FireAngel, what build of AdAware6 are you using? I just want to be sure you have the most recent build, which is build 6.181, with the most recent Reference Number being 01R330 07.07.2004.

    The tools Gavin gave you may have very well removed the infection completely. :)

    Regards,

    snap
     
  9. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    OK... I've finally been able to download FINDnFIX, lol. Here's my log!


    »»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows 2000 [Version 5.00.2195]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q832894-Q330994-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Thu 08/07/2004
    7:25pm up 0 days, 0:03

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINNT\System32\HLPBD.DLL +++ File read error
    \\?\C:\WINNT\System32\HLPBD.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    HLPBD.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINNT\SYSTEM32\
    hlpbd.dll Sun Jul 4 2004 1:45:18a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K


    C:\WINNT\SYSTEM32\
    hlpbd.dll Sun Jul 4 2004 1:45:18a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\HLPBD.DLL

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINNT\SYSTEM32\HLPBD.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINNT\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... HLPBD.DLL .....57344 04.07.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group JAMES\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINNT\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\DLLCACHE\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K
    --a-- W32i APP ENU 5.0.2140.1 shp 50,960 07-23-2002 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft(R) Windows (R) 2000 Operating System
    ProductVersion 5.00.2140.1
    FileVersion 5.00.2140.1
    LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050000:085c0001 (5.0:2140.1)
    ProdVer: 00050000:085c0001 (5.0:2140.1)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: JAMES\None



    »»»»»»Backups created...»»»»»»
    7:25pm up 0 days, 0:04
    Thu 08/07/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-08-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 288 07-08-2004 winkey.reg

    »»Performing string scan....
    00001150: ?
    00001190: P
    000011D0: vk r DeviceNotSelectedTimeout 1 5
    00001210: vk ' " GDIProcessHandleQuota c
    00001250: vk p o Spooler y e s e n vk
    00001290: \ swapdisk vk c TransmissionRetryTimeout
    000012D0: 9 0 vk ' : USERProcessHandleQuotae
    00001310: vk o AppInit_DLLsi n
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:

    ---------- WIN.TXT
    AppInit_DLLsi
    --------------
    --------------
    yes
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"="?"


    **File C:\FINDnFIX\WIN.TXT

    I think there's still 1 problem, no?
     
  10. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Hi FireAngel,

    Yes, the HLPBD.DLL is the bad dll, but before we go any further I want you to go back into the FINDnFIX folder and look for the Win.txt, and "attach" it here in your next reply post (don't copy & paste it, just use the attachment feature in your next reply).

    Then in the keys1 folder, can you tell me if there is a MOVEit.bat file there? Don't do anything with it yet, I just want to see if it is there or not.

    I would also like for you to post your AdAware scan log here too so I can see what it missed.

    Then we'll go onto the next steps.

    Regards,

    snap
     
    Last edited: Jul 8, 2004
  11. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    OK... I found the win.txt and I've attached it.
    Yes, there is a MOVEit.bat file there.
    And here's my Ad-aware log.



    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :July 8, 2004 7:12:00 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R331 08.07.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    08/07/2004 7:12:00 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 08/07/2004 8:19:31 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:37 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:39 PM
    BasePriority : Normal
    FileSize : 87 KB
    FileVersion : 5.00.2195.6700
    ProductVersion : 5.00.2195.6700
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:24:12 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:39 PM
    BasePriority : Normal
    FileSize : 32 KB
    FileVersion : 5.00.2195.6902
    ProductVersion : 5.00.2195.6902
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : LSA Executable and Server DLL (Export Version)
    InternalName : lsasrv.dll and lsass.exe
    OriginalFilename : lsasrv.dll and lsass.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:23:54 PM
    Last modified : 25/02/2004 11:59:07 PM

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:42 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:18:44 PM
    Last modified : 23/07/2002 12:00:00 PM

    #:6 [ccsetmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 08/07/2004 8:19:42 PM
    BasePriority : Normal
    FileSize : 229 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Settings Manager Service
    InternalName : ccSetMgr
    OriginalFilename : ccSetMgr.exe
    ProductName : Common Client
    Created on : 27/02/2004 4:14:22 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 10/11/2003 6:30:12 PM

    #:7 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 08/07/2004 8:19:43 PM
    BasePriority : Normal
    FileSize : 249 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Common Client
    Created on : 27/02/2004 4:14:22 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 10/11/2003 6:30:04 PM

    #:8 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:44 PM
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 5.00.2195.6659
    ProductVersion : 5.00.2195.6659
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolss.exe
    OriginalFilename : spoolss.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 26/02/2004 10:03:08 PM
    Last accessed : 08/07/2004 10:24:14 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:9 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 08/07/2004 8:19:44 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:18:44 PM
    Last modified : 23/07/2002 12:00:00 PM

    #:10 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 08/07/2004 8:19:45 PM
    BasePriority : Normal
    FileSize : 155 KB
    FileVersion : 10.00.2
    ProductVersion : 10.00.2
    Copyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 15/05/2004 12:39:17 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 23/04/2004 3:04:18 PM

    #:11 [nvsvc32.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:45 PM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 6.14.10.5303
    ProductVersion : 6.14.10.5303
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 53.03
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 53.03
    Created on : 17/11/2003 3:33:00 PM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 17/11/2003 3:33:00 PM

    #:12 [regsvc.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:48 PM
    BasePriority : Normal
    FileSize : 66 KB
    FileVersion : 5.00.2195.6701
    ProductVersion : 5.00.2195.6701
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Remote Registry Service
    InternalName : regsvc
    OriginalFilename : REGSVC.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 27/02/2004 3:34:24 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:13 [savscan.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 08/07/2004 8:19:48 PM
    BasePriority : Normal
    FileSize : 189 KB
    FileVersion : 9.2.1.14
    ProductVersion : 9.2
    Copyright : Copyright (c) 2003 Symantec Corporation
    CompanyName : Symantec Corporation
    FileDescription : Symantec AntiVirus Scanner
    InternalName : SAVSCAN
    OriginalFilename : SAVSCAN.EXE
    ProductName : Symantec AntiVirus AutoProtect
    Created on : 27/02/2004 4:14:25 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 04/12/2003 11:22:30 PM

    #:14 [mstask.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:49 PM
    BasePriority : Normal
    FileSize : 116 KB
    FileVersion : 4.71.2195.6704
    ProductVersion : 4.71.2195.6704
    Copyright : Copyright (C) Microsoft Corp. 1997
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    OriginalFilename : mstask.exe
    ProductName : Microsoft
    Created on : 27/02/2004 3:34:01 AM
    Last accessed : 08/07/2004 10:23:59 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:15 [symlcsvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ThreadCreationTime : 08/07/2004 8:19:49 PM
    BasePriority : Normal
    FileSize : 572 KB
    FileVersion : 1, 8, 48, 77
    ProductVersion : 1, 8, 48, 77
    Copyright : Copyright (C) 2003
    CompanyName : Symantec Corporation
    FileDescription : Symantec Core Component
    InternalName : symlcsvc
    OriginalFilename : symlcsvc.exe
    ProductName : Symantec Core Component
    Created on : 27/02/2004 4:11:12 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 27/02/2004 4:11:12 AM

    #:16 [winmgmt.exe]
    FilePath : C:\WINNT\System32\WBEM\
    ThreadCreationTime : 08/07/2004 8:19:50 PM
    BasePriority : Normal
    FileSize : 192 KB
    FileVersion : 1.50.1085.0100
    ProductVersion : 1.50.1085.0100
    Copyright : Copyright (C) Microsoft Corp. 1995-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Management Instrumentation
    InternalName : WINMGMT
    ProductName : Windows Management Instrumentation
    Created on : 27/02/2004 3:34:55 AM
    Last accessed : 08/07/2004 10:18:42 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:17 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 08/07/2004 8:19:51 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 23/07/2002 12:00:00 PM
    Last accessed : 08/07/2004 10:18:44 PM
    Last modified : 23/07/2002 12:00:00 PM

    #:18 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 08/07/2004 8:19:56 PM
    BasePriority : Normal
    FileSize : 237 KB
    FileVersion : 5.00.3700.6690
    ProductVersion : 5.00.3700.6690
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 27/02/2004 3:32:39 AM
    Last accessed : 08/07/2004 10:24:27 PM
    Last modified : 19/06/2003 7:05:04 PM

    #:19 [itouch.exe]
    FilePath : C:\Program Files\Logitech\iTouch\
    ThreadCreationTime : 08/07/2004 8:20:01 PM
    BasePriority : Normal
    FileSize : 872 KB
    FileVersion : 2.21.270
    ProductVersion : 2.21.270
    Copyright : (C) 1998-2003 Logitech. All rights reserved.
    CompanyName : Logitech Inc.
    FileDescription : iTouch Application
    InternalName : iTouch
    OriginalFilename : iTouch.exe
    ProductName : iTouch
    Created on : 27/02/2004 3:57:31 AM
    Last accessed : 08/07/2004 10:18:43 PM
    Last modified : 14/01/2004 8:55:20 PM

    #:20 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 08/07/2004 8:20:01 PM
    BasePriority : Normal
    FileSize : 69 KB
    FileVersion : 2.1.0.610
    ProductVersion : 2.1.0.610
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client User Session
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 27/02/2004 4:14:22 AM
    Last accessed : 08/07/2004 10:18:43 PM
    Last modified : 10/11/2003 6:30:02 PM

    #:21 [em_exec.exe]
    FilePath : C:\Program Files\Logitech\MouseWare\system\
    ThreadCreationTime : 08/07/2004 8:20:01 PM
    BasePriority : Normal
    FileSize : 37 KB
    FileVersion : 9.79.025
    ProductVersion : 9.79.025
    Copyright : (C) 1987-2003 Logitech. All rights reserved.
    CompanyName : Logitech Inc.
    FileDescription : Logitech Events Handler Application
    InternalName : Em_Exec
    OriginalFilename : Em_Exec.exe
    ProductName : MouseWare
    Created on : 27/02/2004 4:01:05 AM
    Last accessed : 08/07/2004 10:18:43 PM
    Last modified : 08/01/2004 2:50:00 PM

    #:22 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 08/07/2004 11:03:02 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 08/07/2004 11:01:16 PM
    Last accessed : 08/07/2004 11:03:02 PM
    Last modified : 13/07/2003 1:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    7:14:17 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:02:17:219
    Objects scanned :79722
    Objects identified :0
    Objects ignored :0
    New objects :0
     


  12. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Ahh good good, that's what I wanted to hear. :) (I must have just got a bad download because I didn't have a MOVEit.bat file this time) But at least you do and that's all that counts! ;)

    Give me a minute to go through the log and I'll post the next step (stay with me now and don't reboot or anything)

    Regards,

    snap
     
  13. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    cool :D btw thanks a lot for helping.. everyone in this forum is so nice to help.. good thing I found this forum.. or else I would have formatted my computer : \
     
  14. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Follow this step carefully:

    Open the FindnFix folder.
    Open the keys1 folder.

    If you should receive an error while trying to edit, see the Note below.

    Locate the MOVEit.bat file, and Right-Click on it and select --> "edit".
    Copy and paste the bolded line below (all of it) into the batch file, replacing the line there.

    move %WinDir%\System32\HLPBD.DLL %SystemDrive%\junkxxx\HLPBD.DLL

    Save the file and close.

    (This next step will cause a restart of your computer)
    While still in the 'keys1 folder', Double-Click on the FIX.bat file.
    You will get an Alert to restart in about 15 seconds.
    Allow it to restart the computer!

    On restart, go to the FindnFix folder again.
    Double-Click on the RESTORE.bat file and let it run.
    When it is finished, it will have created a 'Log1.txt' file in the FINDnFIX folder.
    Find the Log1.txt file, open it, and copy & paste its contents here in your next post.


    =====

    Note:
    Occasionally when trying to edit the MOVEit.bat file the following error occurs:
    "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

    If you get that error, then follow these steps instead:
    Open the FindnFix folder.
    Open the keys1 folder.

    Double click on FIX.bat
    You will get an alert of about 15 seconds before reboot. Allow it to reboot!

    On restart, open Explorer and navigate to C:\Windows\System32 folder
    Find the HLPBD.DLL file (it should be visible now)
    Highlight the file and using top menu, click Edit --> Move to folder...
    Select C:\junkxxx as destination.
    Move the file.

    Open the FINDnFIX folder again.
    Double-click on RESTORE.bat
    When it is finished, it will have created a 'Log1.txt' file in the FINDnFIX folder.
    Find the Log1.txt file, open it, and copy & paste its contents here in your next reply.


    snap
     
  15. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    ok.. the first method worked... i did that.. and here's the log..

    »»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»

    Thu 08/07/2004
    9:28pm up 0 days, 0:01

    Microsoft Windows 2000 [Version 5.00.2195]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q832894-Q330994-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.

    No matches found.

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



    »»»»»(5)»»»»»
    **File C:\WINNT\SYSTEM32\DLLXXX.TXT

    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\JUNKXXX\HLPBD.222


    C:\JUNKXXX\
    hlpbd.222 Sun Jul 4 2004 1:45:18a A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\JUNKXXX\HLPBD.222

    **File C:\JUNKXXX\HLPBD.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- HLPBD .222 0000E000 01:45.18 04/07/2004

    move %WinDir%\System32\HLPBD.DLL %SystemDrive%\junkxxx\HLPBD.DLL


    --a-- W32i - - - - 57,344 07-04-2004 hlpbd.222
    A C:\junkxxx\HLPBD.222
    File: <C:\junkxxx\HLPBD.222>

    CRC-32 : D5C9FB2E

    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




    »»Permissions:
    C:\junkxxx\HLPBD.222 Everyone:(special access:)

    SYNCHRONIZE
    FILE_EXECUTE

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F

    C:\junkxxx\HLPBD.222 Everyone:(special access:)

    SYNCHRONIZE
    FILE_EXECUTE

    NT AUTHORITY\SYSTEM:F
    BUILTIN\Administrators:F

    Directory "C:\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: BUILTIN\Administrators

    Primary Group: JAMES\None

    Directory "C:\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

    Owner: BUILTIN\Administrators

    Primary Group: BUILTIN\Administrators

    File "C:\junkxxx\HLPBD.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

    Owner: BUILTIN\Administrators

    Primary Group: JAMES\None


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Notepad check....

    C:\WINNT\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K

    C:\WINNT\SYSTEM32\DLLCACHE\
    notepad.exe Tue Jul 23 2002 8:00:00a A.... 50,960 49.77 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 50,960 bytes 49.77 K
    --a-- W32i APP ENU 5.0.2140.1 shp 50,960 07-23-2002 notepad.exe
    Language 0x0409 (English (United States))
    CharSet 0x04b0 Unicode
    OleSelfRegister Disabled
    CompanyName Microsoft Corporation
    FileDescription Notepad
    InternalName Notepad
    OriginalFilenam NOTEPAD.EXE
    ProductName Microsoft(R) Windows (R) 2000 Operating System
    ProductVersion 5.00.2140.1
    FileVersion 5.00.2140.1
    LegalCopyright Copyright (C) Microsoft Corp. 1981-1999

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    Struc Ver: 00010000
    FileVer: 00050000:085c0001 (5.0:2140.1)
    ProdVer: 00050000:085c0001 (5.0:2140.1)
    FlagMask: 0000003f
    Flags: 00000000
    OS: 00040004 NT Win32
    FileType: 00000001 App
    SubType: 00000000
    FileDate: 00000000:00000000


    ---------- WIN.TXT
    AppInit_DLLsi

    ---------- NEWWIN.TXT
    ogAppInit_DLLsVersÈ
    --------------
    yes
    **File C:\FINDnFIX\NEWWIN.TXT
    **File C:\FINDnFIX\NEWWIN.TXT
    00001328: 01 00 00 00 01 00 6F 67 . 5F 44 4C 4C 73 56 65 72 ......og _DLLsVer
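The Log1.txt above bases its verdict on the size of the Windows registry key (450 default, 398 with no AppInit value, 448/504/512 seen on infected machines) and on what is dumped for AppInit_DLLs. As an added example, not part of this thread or of freeatlast's FINDnFIX tool, here is a small Python triage routine that applies those same thresholds to an excerpt of such a log; the clean sample is built from the lines posted above, the suspect sample is an invented variant modelled on the NEWWIN.TXT dump, and the heuristics are my assumptions rather than the tool's own logic.

```python
import re
from typing import Dict, List

# Thresholds exactly as FINDnFIX prints them in Log1.txt:
# "(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)"
DEFAULT_SIZE, NO_APPINIT_SIZE, KNOWN_BAD_SIZES = 450, 398, {448, 504, 512}
WINKEY = r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
SIZE_RE = re.compile(r"^Size of " + WINKEY + r": (?P<size>\d+)$", re.IGNORECASE)
VALUE_RE = re.compile(r"^" + WINKEY + r"\\(?P<name>\S+) (SZ|DWORD)\s*(?P<data>.*)$", re.IGNORECASE)


def parse_log1(text: str) -> Dict[str, object]:
    """Pull the Windows key size and the dumped values out of a Log1.txt excerpt."""
    size, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SIZE_RE.match(line)
        if m:
            size = int(m.group("size"))
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return {"size": size, "values": values}


def triage(parsed: Dict[str, object]) -> List[str]:
    """Heuristic findings (assumed, not FINDnFIX logic); empty list = looks like the clean state."""
    findings: List[str] = []
    size, values = parsed["size"], parsed["values"]
    if size is None:
        findings.append("no 'Size of ... Windows:' line in the log")
    elif size in KNOWN_BAD_SIZES:
        findings.append(f"key size {size} is one the log lists as fake/infected")
    elif size not in (DEFAULT_SIZE, NO_APPINIT_SIZE):
        findings.append(f"key size {size} is neither default (450) nor no-AppInit (398)")
    # A name that merely contains AppInit_DLLs (cf. the 'ogAppInit_DLLsVers'
    # string in the NEWWIN.TXT dump) is not the plain value Windows reads.
    for name in values:
        if "appinit_dlls" in name.lower() and name != "AppInit_DLLs":
            findings.append(f"value name {name!r} contains AppInit_DLLs but is not the plain name")
    data = values.get("AppInit_DLLs")
    if data is None and size != NO_APPINIT_SIZE:
        findings.append("AppInit_DLLs value missing although key size is not the no-AppInit size")
    elif data:
        findings.append(f"AppInit_DLLs would load {data!r} into every process that maps user32.dll")
    return findings


# Constructed sample: the relevant lines of the Log1.txt posted in this thread (clean state).
SAMPLE_CLEAN = r"""
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
"""

# Constructed (invented) sample of the same excerpt with an obscured value name and a
# key size from the log's "fake(infected)" list.
SAMPLE_SUSPECT = r"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 504
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ogAppInit_DLLsVers SZ
"""
```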
     
  16. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Almost there FireAngel :)


    Open the FINDnFIX folder again, then open the Files2 folder. Double-click on the ZIPZAP.bat file.
    It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

    Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

    Please remember to include a link to this thread in the email.

    When done, delete the entire FINDnFIX folder with the infected file(s).

    Make sure you have the most recent version of CWShredder v.1.59.01.
    Close ALL browsers and any open windows or programs before running CWShredder.
    Unzip the program, double-click the CWShredder.exe to open it, then click the *Fix button (not the scan button) and follow the instructions you will receive when the program runs.

    Rescan with AdAware again, then reboot your computer.

    Post a new Hijackthis log here so we can clean up anything left over.

    Regards,

    snap
     
  17. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    okay.. everything worked out well.. i couldn't post cuz of forum upgrades.. : \

    but i'm here now! here's the log!

    Logfile of HijackThis v1.98.0
    Scan saved at 12:24:08 PM, on 09/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Administrator\Desktop\System Tools\HijackThis.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
     
  18. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Highjacked :(

    Clean! Great work FireAngel! With the help of freeatlast's FINDnFIX tool, and your ability to stay persistent and follow a lengthy fix, you've got your computer back, and clean!

    Just some minor cleanup now.

    Empty your Temp folders' contents:
    C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    Open Internet Explorer -> Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Empty the Recycle Bin

    Make sure to visit Microsoft's Update Site to keep all Security Patches and Critical Updates current.

    And here's a few steps you can follow to help tighten your security and prevent future infection:
    Why did I get infected in the first place?

    Regards,

    snap
     
  19. FireAngel

    FireAngel Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    12
    Re: Highjacked :(

    Thanks Snapdragin!
    If you live in the Toronto area let me treat you to dinner some time! I'll probably post a log of my sister's computer in a new thread.. just to see what's up with hers : \
    Cheers! :D
     
  20. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    :) You're very welcome FireAngel, glad we could help!

    Yes, it would be a good idea to start a new thread for your sister's log (put something in the title that it's for your sister so the Spyware Fighters won't think it's a duplicate post)

    Let's see, Timmy's for lunch! ;)

    Regards,

    snap
     