[Solved] Hijack Log Help - Please (merged)

Discussion in 'adware, spyware & hijack cleaning' started by ahammerton, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Keep getting annoying pop ups telling me i got spyware. Also changes home page in ie. Done ALL the Scannings ie Ad-aware Norton Trojan Hunter CWShredder. Temporarily solves problem but then comes back a few hours later. Help much appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:36:34, on 11/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    C:\Documents and Settings\Alistair Hammerton\Local Settings\Temp\Temporary Directory 6 for cwshredder.zip\CWShredder.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Alistair Hammerton\My Documents\Downloads\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shef.ac.uk/law/students
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087910823312
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13CF7A04-A71B-4F53-9C38-49E96595474A}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{329E73EE-9ACA-4ECD-ADB5-78A8E4ECCF86}: NameServer = 195.93.33.134
    O17 - HKLM\System\CS1\Services\Tcpip\..\{13CF7A04-A71B-4F53-9C38-49E96595474A}: NameServer = 152.163.0.26 205.188.64.153
     
  2. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Re: Hijack Log Help - Please

    Just run FindNFix

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q828750-Q330994-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    11/07/2004
    1:04pm up 0 days, 0:41

    »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/:cool:»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\WINGMPH.DLL +++ File read error
    \\?\C:\WINDOWS\System32\WINGMPH.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    WINGMPH.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    wingmph.dll Tue 22 Jun 2004 0:13:18 A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\WINGMPH.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... WINGMPH.DLL .....57344 22.06.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINDOWS\SYSTEM32\
    wingmph.dll Tue 22 Jun 2004 0:13:18 A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\WINGMPH.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group ALISTAIR\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.


    »»»»»»Backups created...»»»»»»
    1:05pm up 0 days, 0:42
    11/07/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-11-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-11-2004 winkey.reg

    C:\FINDNFIX\
    JUNKXXX Sun 11 Jul 2004 13:04:04 .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: vk @ f AppInit_DLLs G
    00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ w i n g m p h . d l
    000011D0:l 0 . h vk UDeviceNotSelectedTimeout
    00001210: 1 5 ( 9 0 =t vk ' zGDIProce
    00001250:ssHandleQuota" vk Spooler2 y e s _
    00001290: h 0 ` vk 5swapdisk vk
    000012D0: . TransmissionRetryTimeout h 0 `
    00001310: vk ' b USERProcessHandleQuota3
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæG¸ÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\wingmph.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\wingmph.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 67 00 | m.3.2.\.w.i.n.g.
    0030 6d 00 70 00 68 00 2e 00 64 00 6c 00 6c 00 00 00 | m.p.h...d.l.l...
     

    Attached Files:

  3. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    HELP ABOUT:BLANK

    Keeps resetting my home page and getting annoying pop-ups. Have run ad-aware, norton trojan, cws shredder etc. Keeps coming back. Help much appreciated. Thanks a lot.

    Logfile of HijackThis v1.97.7
    Scan saved at 13:26:30, on 12/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    C:\Documents and Settings\Alistair Hammerton\My Documents\Downloads\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ALISTA~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E0BDEC7E-101C-474E-ABA9-775F4A2244F3} - C:\WINDOWS\System32\likc.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087910823312
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13CF7A04-A71B-4F53-9C38-49E96595474A}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{329E73EE-9ACA-4ECD-ADB5-78A8E4ECCF86}: NameServer = 195.93.35.134
    O17 - HKLM\System\CS1\Services\Tcpip\..\{13CF7A04-A71B-4F53-9C38-49E96595474A}: NameServer = 152.163.0.26 205.188.64.153
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Hijack Log Help - Please (merged)

    ahammerton - if you don't behave I am going to make you wait longer! :mad:

    You do NOT run the FINDnFIX tool without first being asked to do so by someone who knows the other steps involved. Which I guess you found out you cannot finish using the tool since you do not know the other steps involved.

    Your log is not more important than other's who have waited patiently. Then you go and start an entirely new thread, which takes up my time having to locate the threads and merge them together. Do not do that please.

    You will have to wait now until I have time to go through your log. Do not run the FINDnFIX tool again until asked.

    Thank you,

    snap
     
  5. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Re: Hijack Log Help - Please (merged)

    Soz snap new to all this and didn't really understand how everyone worrked. Thanks for your reply.

    Waiting patiently Al
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Hijack Log Help - Please (merged)

    Hi ahhammerton,

    I have not been able to find out if there was a newer version released for the FINDnFIX tool yet, but since you do have the one I have the instructions for, and it has identified the bad dll in your last scan with it. Let's give it a go and we'll try and clean it up.

    Open the FINDnFIX folder and double click on !LOG!.bat.
    IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FINDnFIX folder.

    The program will take a few minutes to finish while it collects the necessary information, then it will create a Log.txt file.
    Post the contents of the Log.txt in your next reply.

    (I will watch for when you're on line as I want to go through each step with you)

    Regards,

    snap
     
  7. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Re: Hijack Log Help - Please (merged)

    Here we go snap hope this helps

    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
    »»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
    Due to errors on various message boards I made some changes.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    If you make a mistake or use the wrong guidance, it is completely
    your responsibility and the helper that assists you.
    If you are not sure about the nature of the file or how
    to proceed, I suggest you research it first before attempting
    to remove any *unknown file on your own.
    *For Helpers and/or users that are not familiar with any of the
    items on the scan results- I recommend using an alternative, once
    you know what to look for!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    --The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
    and is the destination for the file to be moved..
    -*Previous directions will no longer work...
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q828750-Q330994-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    14/07/2004
    4:39pm up 0 days, 0:03

    »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/:cool:»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\WINGMPH.DLL +++ File read error
    \\?\C:\WINDOWS\System32\WINGMPH.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT
    WINGMPH.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    wingmph.dll Tue 22 Jun 2004 0:13:18 A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\WINGMPH.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
    ¯ Access denied ® ..................... WINGMPH.DLL .....57344 22.06.2004

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINDOWS\SYSTEM32\
    wingmph.dll Tue 22 Jun 2004 0:13:18 A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\WINGMPH.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group ALISTAIR\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.


    »»»»»»Backups created...»»»»»»
    4:40pm up 0 days, 0:04
    14/07/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-11-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 07-11-2004 winkey.reg

    C:\FINDNFIX\
    JUNKXXX Sun 11 Jul 2004 13:04:04 .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: vk @ f AppInit_DLLs G
    00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ w i n g m p h . d l
    000011D0:l 0 . h vk UDeviceNotSelectedTimeout
    00001210: 1 5 ( 9 0 =t vk ' zGDIProce
    00001250:ssHandleQuota" vk Spooler2 y e s _
    00001290: h 0 ` vk 5swapdisk vk
    000012D0: . TransmissionRetryTimeout h 0 `
    00001310: vk ' b USERProcessHandleQuota3
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLsÖæG¸ÿÿÿC
    --------------
    --------------
    C:\WINDOWS\System32\wingmph.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\wingmph.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 67 00 | m.3.2.\.w.i.n.g.
    0030 6d 00 70 00 68 00 2e 00 64 00 6c 00 6c 00 00 00 | m.p.h...d.l.l...
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Hijack Log Help - Please (merged)

    Hi ahammerton,

    Ok, the bad dill is identified: wingmph.dll

    Now follow these next set of steps carefully, in the exact order given:

    (This next step will restart your computer.)

    1. Go to the FINDnFIX\Keys1 and double-click on the FIX.bat file.
    You will get a prompt that your computer is preparing to restart in 15 seconds. Allow it to reboot.


    2. After your computer has restarted, navigate to the C:\Windows\System32 folder, find the wingmph.dll file (it should be viewable now)

    When found, highlight the "wingmph.dll" file with one left-click.
    In the folder's top menu, click *Edit* and *Move to folder*.

    Select C:\FINDnFIX\junkxxx as destination (click the junkxxx folder once to select it) then click the "Move* button to move the file into the junkxxx folder.
    (you might get a prompt about 'read-only' file -Simply 'ok' it!)


    3. When done, Open the C:\FINDnFIX main folder again and double-click on RESTORE.bat
    It will run and generate new log (log1.txt) in the FINDnFIX folder.
    Open the log1.txt and copy & past the contents here in your next reply.


    *Note: Do not change/move around or tamper with any of the file(s) folder(s) and path included in the 'FINDnFIX' folder.
     
  9. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Re: Hijack Log Help - Please (merged)

    Done that

    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    14/07/2004
    5:03pm up 0 days, 0:01

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q828750-Q330994-Q824145-Q832894-Q837009-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
    Scanning for file(s) in System32...

    »»»»»»» (1) »»»»»»»

    »»»»»»» (2) »»»»»»»
    **File C:\FINDnFIX\LIST.TXT

    »»»»»»» (3) »»»»»»»

    No matches found.
    Unknown/hidden files...

    No matches found.

    »»»»»»» (4) »»»»»»»
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(5)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»»»»» Search by size...


    No matches found.

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»*»»» Scanning for moved file... »»»*»»»

    * result\\?\C:\FINDnFIX\junkxxx\WINGMPH.222


    C:\FINDNFIX\JUNKXXX\
    wingmph.222 Tue 22 Jun 2004 0:13:18 A.... 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\FINDNFIX\JUNKXXX\WINGMPH.222

    **File C:\FINDNFIX\JUNKXXX\WINGMPH.222
    0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
    0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

    A----- WINGMPH .222 0000E000 00:13.18 22/06/2004

    --a-- W32i - - - - 57,344 06-22-2004 wingmph.222
    A C:\FINDnFIX\junkxxx\wingmph.222

    CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
    MD5 Message Digest Algorithm by RSA Data Security, Inc.

    File name Size Date Time MD5 Hash
    ________________________________________________________________________
    WINGMPH.222 57344 06-22-104 00:13 c185b36f9969d3a6d2122ba7cbc02249File: <C:\FINDnFIX\junkxxx\wingmph.222>
    CRC-32 : D5C9FB2E
    MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249


    »»Permissions:
    C:\FINDnFIX\junkxxx\wingmph.222 BUILTIN\Administrators:F
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    ALISTAIR\Alistair Hammerton:F
    BUILTIN\Users:R

    Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x ALISTAIR\Alistair Hammerton
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: ALISTAIR\Alistair Hammerton

    Primary Group: ALISTAIR\None

    Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x ALISTAIR\Alistair Hammerton
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: ALISTAIR\Alistair Hammerton

    Primary Group: ALISTAIR\None

    File "C:\FINDnFIX\junkxxx\wingmph.222"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x ALISTAIR\Alistair Hammerton
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

    Owner: ALISTAIR\Alistair Hammerton

    Primary Group: ALISTAIR\None

    C:\FINDnFIX\junkxxx\wingmph.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wingmph.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wingmph.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wingmph.222;ALISTAIR\Alistair Hammerton:RrRaRepWwAWaWePXDDcO
    C:\FINDnFIX\junkxxx\wingmph.222;BUILTIN\Users:RrRaRepX


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs =

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    00001150: vk UDeviceNotSelecte
    00001190:dTimeout 1 5 ( h vk ' zGDIProce
    000011D0:ssHandleQuota" 9 0 =t vk Spooler2
    00001210: y e s _ vk 5swapdisk h
    00001250: X vk . TransmissionRetryTimeout vk
    00001290: ' b USERProcessHandleQuota3 h X
    000012D0: vk AppInit_DLLsXa > (C w B w
    00001310: > HC w C w 9 hC w(C w
    00001350: ? C wHC w p? C whC w
    00001390: ? C w C w A C w C w
    000013D0: PB (D w C w @D w
    00001410: 0 x H w C w `D w
    00001450: D w D w
    00001490: D w D w
    000014D0: E w E w
    00001510: @E w `E w
    00001550:

    ---------- NEWWIN.TXT
    AppInit_DLLsXañ
    --------------
    --------------
    --------------
    C:\WINDOWS\system32
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Hijack Log Help - Please (merged)

    Almost there.

    Open the FINDnFIX\Files2 <-- Subfolder.
    Double-click on the ZIPZAP.bat file to run it.
    It will quickly clean the rest and will create a zipped copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

    Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses. Thanks!

    (Please remember to include a link to this thread in the email, so any errors in the process can be traced back.)

    Stay with me, there's a few more cleanup steps we need to do.
    Tell me when you've finished this step.

    Regards,

    snap
     
  11. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Re: Hijack Log Help - Please (merged)

    Run that but aol would not let me e-mail the folder. What should i do?
     
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Hijack Log Help - Please (merged)

    Don't worry about the email then.

    You are going to be running CWShredder while in safe mode, so you may want to copy these instructions to a .txt file, or print them out for easy access

    ***
    First, make sure you have the most recent versions of the following:
    CWShredder v.1.59.01.

    Hijackthis 1.98.0-hotfix.

    Ad-Aware6 build 6.181, and that you have brought it up-todate by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.
    Follow these instructions for setting up Ad-Aware for a full scan: How To Perform a "Full Scan" with Ad-Aware6.
    Do a scan and fix what it finds, and reboot when scan is finished.

    Spybot Search&Destroy v1.3, install, and bring it up-to-date by pressing the "Search for Updates" button, and download all updates. Once it is up-to-date, click on the "Check for Problems" button. When the scan is finished, select what is found in Red and choose "Fix selected problems" button. Reboot after the scan.

    ***

    Then boot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    With ALL browsers and any open windows or programs closed, double-click the CWShredder.exe to open it, then click the *Fix button (not the scan button) and follow the instructions you will receive when the program runs.

    Empty your Temp folders' contents:
    C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    Open Internet Explorer - >Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Then run both AdAware and Spybot Search & Destroy.

    Reboot your computer normally, and run CWShredder, AdAware, and Spybot S&D again in normal mode.

    Go to Microsoft's Update Site download and install ALL Critical Updates listed for XP and IE6 installed.

    Since you are using filesharing apps, I want you to do a FULL system scan at one of these on-line scan sites: Free Services

    Then scan with Hijackthis and post a new log here so we clean up what's left.

    Regards,

    snap
     
  13. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Re: Hijack Log Help - Please (merged)

    Done that. Virus checker found junkxxx.zip. Wot should i do with that?

    Here is the hijackthis log

    Logfile of HijackThis v1.97.7
    Scan saved at 18:57:58, on 14/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Alistair Hammerton\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087910823312
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13CF7A04-A71B-4F53-9C38-49E96595474A}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{329E73EE-9ACA-4ECD-ADB5-78A8E4ECCF86}: NameServer = 195.93.50.134
    O17 - HKLM\System\CS1\Services\Tcpip\..\{13CF7A04-A71B-4F53-9C38-49E96595474A}: NameServer = 152.163.0.26 205.188.64.153
     
  14. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Hijack Log Help - Please (merged)

    Hi ahammerton,

    Your log is clean, and I'm not sure if you know how lucky you are because the tool we just used has since been pulled by the Developer and is no longer available for download. Not sure if it will be again or not either.

    You can delete the entire "FINDnFIX" folder with the bad file(s) in it now, then empty your Recycle Bin.

    I would recommend uninstalling Kazaa since it is a known source for infection, and choose an alternative. This is your choice of course, but it doesn't need to start up when you turn your computer on, and fixing it in Hijackthis does not delete the program.

    Open HijackThis, rescan, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup


    (these are optional to fix but recommended since fixing them will save you some resources, and they are not needed at startup)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE



    Uninstall SpyKiller. Read here way: Rogue/Suspect Anti-Spyware Products
    It is also strongly advised to uninstall KAZAA. Many infected files come with file sharing.
    See here for some alternatives: Clean and Infected File Sharing Programs
    You have the very best with AdAware6 and Spybot S&D and they are both free with full support forums.

    Once you are sure your system is clean, turn off System Restore, then reboot your computer to purge old restore points to remove any infection that would have been backed up in there: System Restore Instructions for XP. Remember to re-enable System Restore after a reboot, and set a new Restore Point

    Here are some steps to follow to help tighten your security and prevent future infection:
    Why did I get infected in the first place?

    Regards,

    snap
     
  15. ahammerton

    ahammerton Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    9
    Re: Hijack Log Help - Please (merged)

    Thanks snap. You are a legend. How come find n fix been discontinued? Anyway thanks again

    Al
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Hijack Log Help - Please (merged)

    You're very welcome ahammerton. Glad we could help. :)

    The FindnFix tool was removed because too many people were mis-using it without fully knowing all the steps involved, which could lead to causing more harm than good.

    It looks like everything is running smoothly now on your computer, so I'll mark this thread as solved.

    Safe surfing, ahammerton. :)

    Regards,

    snap
     
Thread Status:
Not open for further replies.