Edited by coachwife6, 15 August 2004 - 01:59 PM.
Hijack This Log/about:blank, etc.
Started by coachwife6, Aug 12 2004 09:42 AM
#46
Posted 13 August 2004 - 06:29 PM
#47
Posted 13 August 2004 - 08:47 PM
This is the last hijack this log. It works fine, except for the start-up page going to the intranet.
Thanks for all your help.
Logfile of HijackThis v1.98.2
Scan saved at 9:31:57 PM, on 8/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
#48
Posted 14 August 2004 - 08:49 AM
Well I must say you'd make a great helper on this or any other site, because you're sure determined, and have done a very good job!
I don't see anything left in the Hijack This log to be concerned about. We're probably dealing with a hidden DLL file, or maybe operating system corruption.
The error you're getting looks like a truncated redirect. It probably was pointed to a folder in C:\Program Files\... at one time. If you're comfortable editing the registry, we could try searching the registry for any keys with "http://C:Program ", but I'd like to try a couple other things first.
Please download About:Buster and unzip it to your desktop. Start it, hit Update; when finished, click Ok, Start, and Ok again to start the scan. It will generate a log. Post that log along with a new Hijack This log here.
1. Download About:Buster here: http://www.geekstogo...=download&id=25
2. Please run a free online virus scan here:
http://housecall.antivirus.com/
When finished, reboot and see if the problem persists.
If that doesn't work, do you have the WindowsXP CD, or a manufacturer's system restore CD?
#49
Posted 14 August 2004 - 10:48 AM
IE experienced difficulty connecting to TrendMicro, so I went to PandaSoftware, because I had heard good things about it. One of the three trojans it picked up changes the start page. Here is the text of what it found:
Even after the virus scan, it still started on the c://programs page.
Norton Internet Parental Security is loaded on this.
I'm running HJT again and the virus scan.
Scanned at: 10:30:16 AM on: 8/14/2004
-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
#50
Posted 14 August 2004 - 12:22 PM
Please download "FINDnFIX.exe". Run the "!LOG!.bat" file and post the results into this message for further review.
#51
Posted 14 August 2004 - 01:14 PM
Panda Soft found this:
Incident Status Location
Virus:Trj/Delf.W Disinfected C:\WINDOWS\fierm.exe
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\madopew.dll
Virus:Trojan Horse Disinfected D:\I386\APPS\APP06868\App06868.exe[FIXGONER.EXE]
I ran it again and everything was clean. Here is the HJT log after I ran it the second time. Then I ran Find and Fix. See that log below.
Logfile of HijackThis v1.98.2
Scan saved at 2:02:25 PM, on 8/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
Sat 14 Aug 04 14:07:22
***LOG!***(*updated *8/15)
*System:
Microsoft Windows XP Home Edition 5.1 (Build 2600)
*IE version:
6.0.2600.0000 Q324929-Q328676-Q810847-Q813489-Q330994-Q822925-Q823353-Q832894-Q867801
The type of the file system is NTFS.
__________________________________
!!*Creating backups...!!
The operation completed successfully
__________________________________
*Local time:
Saturday, August 14, 2004 (8/14/2004)
2:07 PM, Central Standard Time
*Uptime:
14:07:24 up 0 days, 0:10:50
----------------------------------------------------
Member of...: ("ADMIN" logon + group match required!)
User is a member of group
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User: is a member of:
BUILTIN\Administrators
\Everyone
*** Note! ***
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!
The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
______________________________________________________________________________
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
______________________________________________________________________________
......Scanning for file(s)...
*Note! The list(s) may include legitimate files!
*********
(*1*) .........
Read access error(s)...
C:\WINDOWS\SYSTEM32\HLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error
(*2*) ........
HLP.DLL Can't Open!
IMAGEHLP.DLL Can't Open!
IPNATHLP.DLL Can't Open!
RASADHLP.DLL Can't Open!
XOLEHLP.DLL Can't Open!
(*3*) ........
C:\WINDOWS\SYSTEM32\
hlp.dll Fri Jul 16 2004 8:03:54a A...R 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
unknown/hidden files...
No matches found.
(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL
SNiF 1.34 statistics
Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
(*5*)
Access denied ..................... HLP.DLL .....57344 16.07.2004
(*6*)
fgrep: can't open input C:\WINDOWS\SYSTEM32\HLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IPNATHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\RASADHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\XOLEHLP.DLL
*********
Search by size...
*List of files and specs according to 'size' :
*Note: Not all files listed here are infected, but *may include* the
name and spces of the offending file...
___________________________________________________________________________
Path: C:\WINDOWS\SYSTEM32 Including: *.DLL
292. Hlp Dll 57,344 . . R . A 7-16-04 8:03 am
918. Openal32 Dll 21,504 . . . . A 3-03-04 1:02 pm
____________________________________________________________________________
*By size and date...
C:\WINDOWS\SYSTEM32\
hlp.dll Fri Jul 16 2004 8:03:54a A...R 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
No matches found.
C:\WINDOWS\SYSTEM32\
openal32.dll Wed Mar 3 2004 1:02:00p A.... 21,504 21.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 21,504 bytes 21.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL
SNiF 1.34 statistics
Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
SNiF 1.34 statistics
Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\OPENAL32.DLL
SNiF 1.34 statistics
Matching files : 1 Amount in bytes : 21504
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
*********
BHO search...
fgrep: can't open input C:\WINDOWS\SYSTEM32\HLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IPNATHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\RASADHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\XOLEHLP.DLL
No matches found.
*********
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!
Value does not match
________________________________
Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Performing string scan....
00001150: vk 8 f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ h l p . d l l a
000011D0: h vk UDeviceNotSelectedTimeout 1 5
00001210: P 9 0 vk ' zGDIProcessHandle
00001250:Quota" vk x Spooler2 y e s _ h
00001290: ( X vk 5swapdisk vk
000012D0: . TransmissionRetryTimeout h ( X
00001310: vk ' USERProcessHandleQuota
---------- WIN.TXT
fAppInit_DLLs֍GC
--------------
--------------
$01180: AppInit_DLLs
$011EF: UDeviceNotSelectedTimeout
$0123F: zGDIProcessHandleQuota
$012D8: TransmissionRetryTimeout
$01328: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\hlp.dll
--------------
--------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
..........
*Debug...
--------------
--------------
Ntdll.DLL at 77F50000
Kernel32.DLL at 77E60000
NtQueryInformationFile (Entry at 2AE6BA80) restored to 77F5BC38
NtQuerySystemInformation (Entry at 2AE69267) restored to 77F5BD98
LdrUnloadDll (Entry at 2AE66289) restored to 77F607D6
LdrLoadDll (Entry at 2AE66F1F) restored to 77F56EA1
RtlGetNativeSystemInformation (Entry at 2AE69BDC) restored to 77F5BD98
RtlQueryProcessDebugInformation (Entry at 2AE69966) restored to 77F6C180
..........
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.
[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\hlp.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
-----------------------
Backups list...
14:13:09 up 0 days, 0:16:35
-----------------------
Sat 14 Aug 04 14:13:09
C:\FINDNFIX\
keyback.hiv Sat Aug 14 2004 2:07:20p A.... 8,192 8.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 8,192 bytes 8.00 K
C:\FINDNFIX\KEYS1\
winkey.reg Sat Aug 14 2004 2:07:20p A.... 287 0.28 K
1 item found: 1 file, 0 directories.
Total of file sizes: 287 bytes 0.28 K
*Temp backups...
"C:\Documents and Settings\Owner\Local Settings\Temp\Backs2\"
keyback2.hi_ Aug 14 2004 8192 "keyback2.hi_"
winkey2.re_ Aug 14 2004 287 "winkey2.re_"
2 items found: 2 files, 0 directories.
Total of file sizes: 8,479 bytes 8.28 K
C:\FINDNFIX\
JUNKXXX Sat Aug 14 2004 2:07:20p .D... <Dir>
1 item found: 0 files, 1 directory.
________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***
-----END------
Sat 14 Aug 04 14:13:12
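The FINDnFIX report above ends with a hex dump of the AppInit_DLLs value and states it is 56 bytes including the 2-byte terminator. The script below, an added example that is not part of FINDnFIX or of this thread, re-parses those dump lines (copied from the log), decodes the value as the wide-character string the registry actually stores, and checks the terminator and length, so a helper can confirm what the DLL-loading value contains before deciding on a fix. The dump-line format and the function names are my assumptions.

```python
"""Decode the AppInit_DLLs hex dump from a FINDnFIX !LOG!.bat report.

Added example; not part of FINDnFIX or the forum post. The dump lines are
copied from the log above; how I parse them is an assumption about that
tool's output format.
"""
import re

# Hex dump exactly as FINDnFIX printed it for [AppInitDLLs] (copied from the log).
DUMP_LINES = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
""".strip().splitlines()

# "<offset> <hex bytes...> | <ascii>" (assumed layout of the tool's dump lines)
DUMP_RE = re.compile(r"^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s+)+)\|")


def parse_hex_dump(lines):
    """Rebuild the raw value bytes, refusing gaps or reordered offsets."""
    raw = bytearray()
    for line in lines:
        m = DUMP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable dump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(raw):
            raise ValueError(f"offset {offset:#06x} does not follow {len(raw):#06x}")
        raw.extend(bytes.fromhex(m.group(2).replace(" ", "")))
    return bytes(raw)


def decode_reg_sz(raw):
    """Decode a REG_SZ value as stored on disk (UTF-16LE, NUL-terminated).

    The log labels the dump an "Ansi string", but the 00 high bytes show it is
    stored as wide characters. Returns (text, byte_length, terminated).
    """
    terminated = len(raw) % 2 == 0 and len(raw) >= 2 and raw[-2:] == b"\x00\x00"
    text = raw.decode("utf-16-le")
    if terminated:
        text = text[:-1]  # drop the terminating NUL
    return text, len(raw), terminated


def appinit_findings(raw):
    """Triage the value: anything listed in AppInit_DLLs is loaded into every
    process that links user32.dll, so a non-empty value is worth confirming."""
    text, size, terminated = decode_reg_sz(raw)
    # AppInit_DLLs entries are separated by spaces or commas.
    dlls = [d for d in re.split(r"[ ,]+", text) if d]
    return {
        "value": text,
        "bytes": size,
        "terminated": terminated,
        "dlls": dlls,
        "loads_dlls": bool(dlls),
    }


if __name__ == "__main__":
    findings = appinit_findings(parse_hex_dump(DUMP_LINES))
    for key, val in findings.items():
        print(f"{key}: {val}")
```

For the dump in the log this reports a properly terminated 56-byte value naming C:\WINDOWS\System32\hlp.dll, which matches the tool's own summary line; an unterminated value (drop the last two bytes) still decodes but is flagged `terminated: False`.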
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F4D52D9-84F1-47B7-B802-CCD43A4E8518}: NameServer = 205.240.64.132,205.240.64.133
Sat 14 Aug 04 14:07:22
***LOG!***(*updated *8/15)
*System:
Microsoft Windows XP Home Edition 5.1 (Build 2600)
*IE version:
6.0.2600.0000 Q324929-Q328676-Q810847-Q813489-Q330994-Q822925-Q823353-Q832894-Q867801
The type of the file system is NTFS.
__________________________________
!!*Creating backups...!!
The operation completed successfully
__________________________________
*Local time:
Saturday, August 14, 2004 (8/14/2004)
2:07 PM, Central Standard Time
*Uptime:
14:07:24 up 0 days, 0:10:50
----------------------------------------------------
Member of...: ("ADMIN" logon + group match required!)
User is a member of group
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User: is a member of:
BUILTIN\Administrators
\Everyone
*** Note! ***
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!
The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
______________________________________________________________________________
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
______________________________________________________________________________
......Scanning for file(s)...
*Note! The list(s) may include legitimate files!
*********
(*1*) .........
Read access error(s)...
C:\WINDOWS\SYSTEM32\HLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error
(*2*) ........
HLP.DLL Can't Open!
IMAGEHLP.DLL Can't Open!
IPNATHLP.DLL Can't Open!
RASADHLP.DLL Can't Open!
XOLEHLP.DLL Can't Open!
(*3*) ........
C:\WINDOWS\SYSTEM32\
hlp.dll Fri Jul 16 2004 8:03:54a A...R 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
unknown/hidden files...
No matches found.
(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL
SNiF 1.34 statistics
Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
(*5*)
Access denied ..................... HLP.DLL .....57344 16.07.2004
(*6*)
fgrep: can't open input C:\WINDOWS\SYSTEM32\HLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IPNATHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\RASADHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\XOLEHLP.DLL
*********
Search by size...
*List of files and specs according to 'size' :
*Note: Not all files listed here are infected, but *may include* the
name and spces of the offending file...
___________________________________________________________________________
Path: C:\WINDOWS\SYSTEM32 Including: *.DLL
292. Hlp Dll 57,344 . . R . A 7-16-04 8:03 am
918. Openal32 Dll 21,504 . . . . A 3-03-04 1:02 pm
____________________________________________________________________________
*By size and date...
C:\WINDOWS\SYSTEM32\
hlp.dll Fri Jul 16 2004 8:03:54a A...R 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
No matches found.
C:\WINDOWS\SYSTEM32\
openal32.dll Wed Mar 3 2004 1:02:00p A.... 21,504 21.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 21,504 bytes 21.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL
SNiF 1.34 statistics
Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
SNiF 1.34 statistics
Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\OPENAL32.DLL
SNiF 1.34 statistics
Matching files : 1 Amount in bytes : 21504
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
*********
BHO search...
fgrep: can't open input C:\WINDOWS\SYSTEM32\HLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IPNATHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\RASADHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\XOLEHLP.DLL
No matches found.
*********
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!
Value does not match
________________________________
Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Performing string scan....
---------- WIN.TXT
--------------
--------------
$01180: AppInit_DLLs
$011EF: UDeviceNotSelectedTimeout
$0123F: zGDIProcessHandleQuota
$012D8: TransmissionRetryTimeout
$01328: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\hlp.dll
--------------
--------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
..........
*Debug...
--------------
--------------
Ntdll.DLL at 77F50000
Kernel32.DLL at 77E60000
NtQueryInformationFile (Entry at 2AE6BA80) restored to 77F5BC38
NtQuerySystemInformation (Entry at 2AE69267) restored to 77F5BD98
LdrUnloadDll (Entry at 2AE66289) restored to 77F607D6
LdrLoadDll (Entry at 2AE66F1F) restored to 77F56EA1
RtlGetNativeSystemInformation (Entry at 2AE69BDC) restored to 77F5BD98
RtlQueryProcessDebugInformation (Entry at 2AE69966) restored to 77F6C180
..........
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.
[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\hlp.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
-----------------------
Backups list...
14:13:09 up 0 days, 0:16:35
-----------------------
Sat 14 Aug 04 14:13:09
C:\FINDNFIX\
keyback.hiv Sat Aug 14 2004 2:07:20p A.... 8,192 8.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 8,192 bytes 8.00 K
C:\FINDNFIX\KEYS1\
winkey.reg Sat Aug 14 2004 2:07:20p A.... 287 0.28 K
1 item found: 1 file, 0 directories.
Total of file sizes: 287 bytes 0.28 K
*Temp backups...
"C:\Documents and Settings\Owner\Local Settings\Temp\Backs2\"
keyback2.hi_ Aug 14 2004 8192 "keyback2.hi_"
winkey2.re_ Aug 14 2004 287 "winkey2.re_"
2 items found: 2 files, 0 directories.
Total of file sizes: 8,479 bytes 8.28 K
C:\FINDNFIX\
JUNKXXX Sat Aug 14 2004 2:07:20p .D... <Dir>
1 item found: 0 files, 1 directory.
________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***
-----END------
Sat 14 Aug 04 14:13:12
Edited by coachwife6, 15 August 2004 - 02:01 PM.
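The FindnFIX log above reads the AppInit_DLLs data raw (56 bytes, decoding to C:\WINDOWS\System32\hlp.dll) while the REGEDIT4 export of the same key shows the value as empty. As an added example, not part of the thread or of the FindnFIX tool, this Python script parses that hex dump back into bytes and reports what a defender would check on such a value: any non-empty AppInit_DLLs content, a missing trailing NUL terminator, and embedded NULs that make a NUL-terminated reader show less than the buffer holds. The unterminated sample is constructed for illustration; the hypothetical helper names are mine.

```python
"""Added example (not from the thread or the FindnFIX tool): inspect a raw
AppInit_DLLs REG_SZ buffer the way the log's raw read did, and report what a
defender should check. The dump bytes are copied from the log above; the
unterminated sample is constructed."""
from dataclasses import dataclass, field
from typing import List

# Key the log dumps. A DLL path in AppInit_DLLs is loaded into every process
# that links user32.dll, which is why a hijacker wants one there.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Hex dump exactly as printed in the log's "[AppInitDLLs]" section.
LOG_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
"""

# Constructed sample: the same path written without its terminator (54 bytes),
# the condition the log's "MISSING TRAILING NULL CHARACTER" line reports.
UNTERMINATED_SAMPLE = r"C:\WINDOWS\System32\hlp.dll".encode("utf-16-le")
# The expected clean value on XP: nothing but the UTF-16 terminator (2 bytes).
CLEAN_SAMPLE = "\x00".encode("utf-16-le")


def parse_hexdump(dump: str) -> bytes:
    """Turn 'OFFSET hh hh ... | ascii' lines back into the raw value bytes."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.split("|", 1)[0].strip()   # drop the ASCII column
        if not line:
            continue
        tokens = line.split()
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset:#06x}")
        out.extend(int(tok, 16) for tok in tokens[1:])
    return bytes(out)


@dataclass
class AppInitReport:
    raw_len: int
    visible: str          # what a NUL-terminated reader (regedit, .reg export) shows
    full: str             # every character in the buffer, NULs removed
    terminated: bool      # buffer ends with the UTF-16 NUL terminator
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def analyze_appinit(raw: bytes) -> AppInitReport:
    """Decode a REG_SZ buffer as UTF-16LE and flag what a defender should check."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be an even number of bytes (UTF-16LE)")
    text = raw.decode("utf-16-le")
    terminated = text.endswith("\x00")
    visible = text.split("\x00", 1)[0]
    full = text.replace("\x00", "")
    findings: List[str] = []
    if not terminated:
        findings.append("missing trailing NUL terminator (malformed REG_SZ)")
    if full:
        # The log's own baseline: AppInit_DLLs is empty on a clean XP machine.
        findings.append(f"AppInit_DLLs is not empty: {full!r}")
    if visible != full:
        findings.append(
            f"embedded NUL: NUL-terminated readers see {visible!r}, "
            f"but the buffer also holds {full[len(visible):]!r}"
        )
    return AppInitReport(len(raw), visible, full, terminated, findings)


def report_lines(raw: bytes) -> List[str]:
    """Human-readable summary, one line per finding."""
    rep = analyze_appinit(raw)
    lines = [f"{WINDOWS_KEY}\\AppInit_DLLs: {rep.raw_len} bytes, "
             f"terminated={rep.terminated}, visible={rep.visible!r}"]
    lines += [f"  ! {f}" for f in rep.findings] or ["  ok: empty, well-formed value"]
    return lines


if __name__ == "__main__":
    for label, raw in (("log dump", parse_hexdump(LOG_DUMP)),
                       ("constructed unterminated", UNTERMINATED_SAMPLE),
                       ("clean", CLEAN_SAMPLE)):
        print(f"[{label}]")
        print("\n".join(report_lines(raw)))
```

On a live machine the raw bytes would come from RegQueryValueEx rather than a pasted dump; the analysis is the same.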
#52
Posted 14 August 2004 - 01:47 PM
I was walking out the door and ran a quick adaware again and two about:blank possible browser hijackers popped up. So.....what's happening?
#53
Posted 14 August 2004 - 05:48 PM
I just found out about Adaware SE and ran it. This is what it pulled up: six browser hijacker keys.
ArchiveData(auto-quarantine- 2004-08-14 18-45-51.bckp)
Referencefile : SE1R3 12.08.2004
======================================================
IBIS TOOLBAR
obj[0]=Regkey : protocols\name-space handler\res\wtoolsb.resprotocol
obj[1]=Regkey : toolbar.itoolbarscriptclass
obj[2]=Regkey : interface\{bd6f129a-08db-4cc5-a75a-f2ab79e55b6e}
obj[3]=Regkey : clsid\{87067f04-de4c-4688-bc3c-4fcf39d609e7}
obj[4]=Regkey : clsid\{708be496-e202-497b-bc31-9cf47e3bf8d6}
obj[5]=Regkey : S-1-5-21-1333191943-1336510074-346832259-1003\software\wintools
MIDADDLE
obj[6]=File : C:\Program Files\Common Files\midaddle\midaddle.dll
#54
Posted 15 August 2004 - 08:47 AM
FINDnFIX found a suspect hidden DLL that we need to remove.
This will take a couple or more steps to fix. Be sure to follow the next set of steps carefully, in the exact order specified:
- Open the "FINDnFIX\Keys1" Subfolder!
- Locate the "MOVEit.bat" file, Right-Click on it and select => "edit". The file will open as an empty text file.
- Copy and paste the entire highlighted line in the following quote box
(all one line) into that blank 'MOVEit' file:
move C:\WINDOWS\System32\HLP.DLL C:\junkxxx\HLP.DLL
- Save the file and close.
- Get ready to restart your computer.
- In the same folder, DoubleClick on the "FIX.bat" file.
- You will be prompted by a popup alert to restart in 15 seconds.
- Allow it to restart the computer!
- On restart, Navigate to the C:\FINDnFIX\ main folder:
- DoubleClick on the "RESTORE.bat" file.
- It'll run and produce a new log (log1.txt); post it here!
In the same folder, DoubleClick on the "FIX.bat" file. You will be prompted by a popup alert to restart in 15 seconds. Allow it to restart the computer! On restart, Navigate to the System32 folder and find the HLP.DLL file (it should be visible now), use the folder's top menu => "edit" => "move" to folder... Select the C:\junkxxx folder as destination and move the file there.
When done, run the C:\FINDnFIX\"RESTORE.bat" file and post the output (log1.txt).
#55
Posted 15 August 2004 - 11:38 AM
OK. Thanks.
#56
Posted 15 August 2004 - 11:51 AM
Can't find the MOVEit.bat file. In the Keys1 subfolder it has 21.bat, fix.bat, NIRComLine.exe, winclean.reg, windr1.reg and winkey.reg.
#57
Posted 15 August 2004 - 12:16 PM
That's strange, I don't see moveit.bat either. They must be updating the program.
Use this procedure:
If editing moveit.bat does not work (you may get an error about the file not being found):
In the same folder, DoubleClick on the "FIX.bat" file. You will be prompted by a popup alert to restart in 15 seconds. Allow it to restart the computer! On restart, Navigate to the System32 folder and find the HLP.DLL file (it should be visible now), use the folder's top menu => "edit" => "move" to folder... Select the C:\junkxxx folder as destination and move the file there.
When done, run the C:\FINDnFIX\"RESTORE.bat" file and post the output (log1.txt).
#58
Posted 15 August 2004 - 12:50 PM
Sun 15 Aug 04 13:38:51
***LOG2!(*updated *8/15)***
*System:
Microsoft Windows XP Home Edition 5.1 (Build 2600)
*IE version:
6.0.2600.0000 Q324929-Q328676-Q810847-Q813489-Q330994-Q822925-Q823353-Q832894-Q867801
The type of the file system is NTFS.
___________________________________________
!!Restoring backups!!
The operation completed successfully
___________________________________________
*Local time:
Sunday, August 15, 2004 (8/15/2004)
1:38 PM, Central Standard Time
*Uptime:
13:38:53 up 0 days, 0:10:38
------------------------------------------
This log will confirm if the file was successfully moved, and/or
the right file was selected...
Scanning for file(s) in System32...
(1)
(2)
(3)
No matches found.
Unknown/hidden files...
No matches found.
(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
SNiF 1.34 statistics
Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
(5)
(6)
Search by size And Date...
*List of files specs according to size:
*Note: Not all files listed here are infected!
____________________________________________________________________________
Path: C:\WINDOWS\SYSTEM32 Including: *.DLL
917. Openal32 Dll 21,504 . . . . A 3-03-04 1:02 pm
____________________________________________________________________________
No matches found.
No matches found.
C:\WINDOWS\SYSTEM32\
openal32.dll Wed Mar 3 2004 1:02:00p A.... 21,504 21.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 21,504 bytes 21.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
SNiF 1.34 statistics
Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
SNiF 1.34 statistics
Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\OPENAL32.DLL
SNiF 1.34 statistics
Matching files : 1 Amount in bytes : 21504
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.DLL
*********
BHO search...
No matches found.
No matches found.
*********
* Scanning for moved file... *
No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
SNiF 1.34 statistics
Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0
Masks sniffed for: *.*
fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*
Analyzer v1.36 by Boogie Copyright 1997 ESP Team
Files: C:\FINDNFIX\JUNKXXX\*.*
Volume: HP_PAVILION * DDIR * 1:46 pm | Sun, 8-15-04
Ser #: 401C-B943 DOS Ver. 5.00 0% Used space
Path: C:\FINDNFIX\JUNKXXX All files selected
No files found.
No. of files: 0 | List size: 0
Disk size: 976.5 M | Actual spc: 0
Bytes free: 976.5 M | Conserved space: 0
File not found - C:\FINDnFIX\junkxxx\*.*
CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.
File name Size Date Time MD5 Hash
________________________________________________________________________
CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk
C:\FINDNFIX\JUNKXXX
No files found
#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
Permissions:
ERROR: There are no more files.
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x \Owner
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: .\Owner
Primary Group: .\None
Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x .\Owner
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: .\Owner
Primary Group: .\None
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!
Value Matches
________________________________
Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =
Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
---------- NEWWIN.TXT
AppInit_DLLs
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota
$012F0: AppInit_DLLs
--------------
--------------
No strings found.
d.... 0 Aug 14 14:07 .
d.... 0 Aug 14 14:07 ..
2 files found occupying -1024 bytes
===============================================================================
0 bytes 0 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.01
VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 08-14-:4 14:07|.. <dir> 08-14-:4 14:07
---------------------------------------+---------------------------------------
2 files totaling 0 bytes consuming 0 bytes of disk space.
17299968 bytes available on Drive C: Volume label: HP_PAVILION
...File dump...
junkxxx\*.*
The system cannot find the file specified.
0 file(s) copied.
Detecting...
C:\FINDnFIX\junkxxx
Finished Detecting...
________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***
Sun 15 Aug 04 13:46:13
-----END-----
Disk size: 976.5 M | Actual spc: 0
Bytes free: 976.5 M | Conserved space: 0
File not found - C:\FINDnFIX\junkxxx\*.*
CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.
File name Size Date Time MD5 Hash
________________________________________________________________________
CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk
C:\FINDNFIX\JUNKXXX
No files found
#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
Permissions:
ERROR: There are no more files.
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x \Owner
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: .\Owner
Primary Group: .\None
Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x .\Owner
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: .\Owner
Primary Group: .\None
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!
Value Matches
________________________________
Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =
Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
00001150: $ vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' USERProcessHandleQuota h X
000012D0: vk w AppInit_DLLs
00001310: b a ,
00001350: a 4 a a $
00001390: P a l
000013D0: T `[ l T
00001410: [ b (
00001450: @ b L b
00001490: b b P
000014D0: b Q
00001510: Q Q
00001550:
---------- NEWWIN.TXT
AppInit_DLLs
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota
$012F0: AppInit_DLLs
--------------
--------------
No strings found.
d.... 0 Aug 14 14:07 .
d.... 0 Aug 14 14:07 ..
2 files found occupying -1024 bytes
===============================================================================
0 bytes 0 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.01
VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 08-14-:4 14:07|.. <dir> 08-14-:4 14:07
---------------------------------------+---------------------------------------
2 files totaling 0 bytes consuming 0 bytes of disk space.
17299968 bytes available on Drive C: Volume label: HP_PAVILION
...File dump...
junkxxx\*.*
The system cannot find the file specified.
0 file(s) copied.
Detecting...
C:\FINDnFIX\junkxxx
Finished Detecting...
________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***
Sun 15 Aug 04 13:46:13
-----END-----
Edited by coachwife6, 14 September 2004 - 08:36 AM.
#59
Posted 15 August 2004 - 01:09 PM
Admin:
Found this on another forum:
FindnFix no longer is equipped with the moveit procedure, but instead is recommended to MANUALLY remove using these steps and Files.
#60
Posted 16 August 2004 - 08:49 AM
I need to update my instructions. Found this on another forum:
Can you move C:\JUNKXXX\ to C:\FINDNFIX\JUNKXXX\?
Finally, open the FINDnFIX\Files2 subfolder and run the "ZIPZAP.bat" file. It will quickly clean the rest.
When done, restart your computer and delete the entire 'FINDnFIX' file+folder(s) from C:\.
Post a follow up HijackThis log when done!