Restore.bat Log1 file:
*** freeatlast100.100free.com ***
Mon 07/12/2004
10:33pm up 0 days, 0:04
Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.
***LOG1!***
Scanning for file(s) in System32...
(1)
(2)
**File C:\FINDnFIX\LIST.TXT
(3)
No matches found.
No matches found.
(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
(5)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
* Scanning for moved file... *
* result\\?\C:\JUNKXXX\SQLOHIL.222
C:\JUNKXXX\
sqlohil.222 Tue Jun 29 2004 8:18:52p A.... 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\JUNKXXX\SQLOHIL.222
**File C:\JUNKXXX\SQLOHIL.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2......
A----- SQLOHIL .222 0000E000 20:18.52 29/06/2004
rem replace this entire line with your given command...
--a-- W32i - - - - 57,344 06-29-2004 sqlohil.222
A C:\junkxxx\sqlohil.222
File: <C:\junkxxx\sqlohil.222> CRC-32 : D5C9FB2E MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
Permissions:
C:\junkxxx\sqlohil.222 BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
HOMEOFERRALL\TIM:F
BUILTIN\Users:R
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HOMEOFERRALL\TIM
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: HOMEOFERRALL\TIM
Primary Group: HOMEOFERRALL\None
Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone
Owner: BUILTIN\Administrators
Primary Group: BUILTIN\Administrators
File "C:\junkxxx\sqlohil.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HOMEOFERRALL\TIM
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Owner: HOMEOFERRALL\TIM
Primary Group: HOMEOFERRALL\None
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =
Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Notepad check....
C:\WINDOWS\
notepad.exe Tue Jun 29 2004 8:19:22p A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
No matches found.
C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Jun 29 2004 8:19:22p A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-29-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.
VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk y AppInit_DLLsecte
00001310:
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
---------- WIN.TXT
fAppInit_DLLs֍GC
---------- NEWWIN.TXT
AppInit_DLLsecte
--------------
yes
DEVICE\HARDDISKVOLUME2
DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
000012F0: 01 00 00 00 01 00 79 00 . 5F 44 4C 4C 73 65 63 74 ......y. _DLLsect
**File C:\FINDnFIX\NEWWIN.TXT
_vk