
HJT Log-mom2cheyandt


This topic is locked
15 replies to this topic

#1 mom2cheyandt

Posted 11 August 2004 - 01:26 PM

Please see the HJT log below. We are having MAJOR problems with about:blank. It's even gotten to the point that when I log into my Yahoo mail it automatically redirects me to about:blank. Thanks for your help!


Leah


Logfile of HijackThis v1.98.2
Scan saved at 1:19:04 PM, on 8/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rex\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CAFFDFE-E8F8-4037-ADAD-E4960BBCD2FB} - C:\WINDOWS\System32\obbkab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {E4D12E06-470F-41E9-BFED-890D3BD95D86} - C:\WINDOWS\System32\obbkab.dll
O18 - Filter: text/plain - {E4D12E06-470F-41E9-BFED-890D3BD95D86} - C:\WINDOWS\System32\obbkab.dll
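The entries in this log that point at the about:blank hijack (search pages redirected to a local file under Temp, an unnamed BHO, an O16 object pointing at a local executable, and O18 MIME filters routed through the same DLL as the BHO) can be triaged mechanically. The following Python is an added example written for this thread, not HijackThis code; the sample lines are a constructed subset copied from the log above.

```python
"""Triage a HijackThis 1.98-style log for the about:blank / search-page
hijack pattern. Added example for this thread; not part of HijackThis."""
import re

# Constructed sample: a subset of the R/O entries from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CAFFDFE-E8F8-4037-ADAD-E4960BBCD2FB} - C:\WINDOWS\System32\obbkab.dll
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {E4D12E06-470F-41E9-BFED-890D3BD95D86} - C:\WINDOWS\System32\obbkab.dll
O18 - Filter: text/plain - {E4D12E06-470F-41E9-BFED-890D3BD95D86} - C:\WINDOWS\System32\obbkab.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (code, body) pairs; process lists and headers do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def last_path(body):
    """O2/O16/O18 bodies end with ' - <path or URL>'; return that field."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(text):
    """Return (severity, code, reason, detail) findings for one log."""
    findings = []
    bho_dlls = set()  # DLLs already seen as BHOs, for cross-referencing O18
    for code, body in parse_entries(text):
        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            v = value.strip().lower()
            if v.startswith("file://") and "\\temp\\" in v:
                findings.append(("high", code,
                                 "search/start page points at a local file in a Temp directory",
                                 value.strip()))
            elif v == "about:blank" and "homeoldsp" in key.lower():
                findings.append(("info", code,
                                 "HomeOldSP is about:blank (original start page was replaced)",
                                 key))
        elif code == "O2":
            dll = last_path(body)
            bho_dlls.add(dll.lower())
            if body.startswith("BHO: (no name)"):
                findings.append(("medium", code, "BHO registered without a name", dll))
        elif code == "O16":
            target = last_path(body)
            if target.lower().startswith("file://"):
                findings.append(("high", code,
                                 "Downloaded Program File points at a local executable, not a web URL",
                                 target))
        elif code == "O18":
            mime = body.split(" - ")[0].replace("Filter: ", "")
            dll = last_path(body)
            sev = "high" if mime in ("text/html", "text/plain") else "medium"
            findings.append((sev, code, f"MIME filter for {mime} routed through a DLL", dll))
            if dll.lower() in bho_dlls:
                findings.append(("high", code, "same DLL is also loaded as a BHO", dll))
    return findings


if __name__ == "__main__":
    for sev, code, reason, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {code}: {reason}: {detail}")
```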


#2 Grinler (Lawrence Abrams, Admin)

Posted 11 August 2004 - 03:16 PM

Please do the following:

Download the program FindNFix from the following location:

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#3 mom2cheyandt (Topic Starter)

Posted 11 August 2004 - 06:07 PM

Here is the log from FindNFix.

Thanks,
Leah


Wed 11 Aug 04 18:01:58

»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»

*System:
Microsoft Windows XP Professional 5.1 (Build 2600)
*IE version:
6.0.2600.0000 Q823353-Q832894-Q867801

The type of the file system is FAT32.

__________________________________
!!*Creating backups...!!

The operation completed successfully
__________________________________

*Local time:
Wednesday, August 11, 2004 (8/11/2004)
6:02 PM, Central Daylight Time
*Uptime:
18:02:01 up 0 days, 0:04:46

----------------------------------------------------
»»Member of...: ("ADMIN" logon + group match required!)

User is a member of group REX-RNXEFD37W9M\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

User: [REX-RNXEFD37W9M\Rex], is a member of:

BUILTIN\Administrators
\Everyone

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

»»»»»»»»»»»»»»»»»»***LOG!***(*updated 8/11)»»»»»»»»»»»»»»»»

»»»*»»»*Use at your own risk!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\SYSTEM32\WINCO.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINCO.DLL +++ File read error

»»»»» (*2*) »»»»»........
WINCO.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
winco.dll Mon Jul 19 2004 11:49:38p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WINCO.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(*5*)»»»»»
Æ Access denied ® ..................... WINCO.DLL .....57344 19.07.2004

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\WINCO.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINDOWS\SYSTEM32\
winco.dll Mon Jul 19 2004 11:49:38p ....R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WINCO.DLL
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


BHO search...

fgrep: can't open input C:\WINDOWS\SYSTEM32\WINCO.DLL
**File C:\WINDOWS\SYSTEM32\OBBKAB.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....1.€


"C:\WINDOWS\system32\"
obbkab.dll Aug 10 2004 30720 "obbkab.dll"

1 item found: 1 file, 0 directories.
Total of file sizes: 30,720 bytes 30.00 K


»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value does not match
________________________________

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Performing string scan....
00001150: ?
00001190: vk < f AppInit_
000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ w i n c o .
00001210:d l l vk P UDeviceNotSelectedTimeout
00001250: 1 5 ( W 9 0 ! vk ' zGDIProce
00001290:ssHandleQuota" vk Spooler2 y e s
000012D0: p vk =pswapdisk vk
00001310: ` R TransmissionRetryTimeout p
00001350: X vk ' r USERProcessHandleQuota\ x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
fłAppInit_DLLs֍ęGĄ’’’C
--------------
--------------
$011C8: AppInit_DLLs
$01237: UDeviceNotSelectedTimeout
$01287: zGDIProcessHandleQuota
$01320: TransmissionRetryTimeout
$01370: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\winco.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Ntdll.DLL at 77F50000
Kernel32.DLL at 77E60000

NtQueryInformationFile (Entry at 2AE6BA80) restored to 77F5BC38
NtQuerySystemInformation (Entry at 2AE69267) restored to 77F5BD98
LdrUnloadDll (Entry at 2AE66289) restored to 77F607D6
LdrLoadDll (Entry at 2AE66F1F) restored to 77F56EA1
RtlGetNativeSystemInformation (Entry at 2AE69BDC) restored to 77F5BD98
RtlQueryProcessDebugInformation (Entry at 2AE69966) restored to 77F6C180
..........
*Debug...
--------------
--------------
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\winco.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 63 00 | m.3.2.\.w.i.n.c.
0030 6f 00 2e 00 64 00 6c 00 6c 00 00 00 | o...d.l.l...
-----------------------

»»»»»»Backups list...»»»»»»
18:03:46 up 0 days, 0:06:31
Wed 11 Aug 04 18:03:46


C:\FINDNFIX\
keyback.hiv Wed Aug 11 2004 6:01:58p A.... 8,192 8.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 8,192 bytes 8.00 K

C:\FINDNFIX\KEYS1\
winkey.reg Wed Aug 11 2004 6:01:58p A.... 287 0.28 K

1 item found: 1 file, 0 directories.
Total of file sizes: 287 bytes 0.28 K

*Temp backups...

"C:\Documents and Settings\Rex\Local Settings\Temp\Backs2\"
keyback2.hi_ Aug 11 2004 8192 "keyback2.hi_"
winkey2.re_ Aug 11 2004 287 "winkey2.re_"

2 items found: 2 files, 0 directories.
Total of file sizes: 8,479 bytes 8.28 K

C:\FINDNFIX\
JUNKXXX Wed Aug 11 2004 6:01:58p .D... <Dir>

1 item found: 0 files, 1 directory.

-----END------
Wed 11 Aug 04 18:03:48
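The log above shows the same AppInit_DLLs value two ways: the REGEDIT4 export reports "AppInit_DLLs"="", while the Debug section dumps 60 raw bytes that spell out C:\WINDOWS\System32\winco.dll. The following Python is an added example for this thread, not FindNFix code: it rebuilds the bytes from the dump, decodes them as the UTF-16LE, NUL-terminated REG_SZ the registry stores, and reports the mismatch against the export. Both inputs are copied from the log above.

```python
"""Decode the raw AppInit_DLLs bytes from the FindNFix Debug dump and compare
them with the REGEDIT4 export of the same key. Added example; not FindNFix."""
import re

# Constructed input: the four dump lines from the Debug section above.
APPINIT_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 77 00 69 00 6e 00 63 00 | m.3.2.\.w.i.n.c.
0030 6f 00 2e 00 64 00 6c 00 6c 00 00 00 | o...d.l.l...
"""

# Constructed input: the REGEDIT4 export of the same key from the log above.
REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
'''


def parse_hexdump(dump):
    """Turn 'OFFSET b0 b1 ... | ascii' lines back into the raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_bytes = line.split("|", 1)[0].split()[1:]  # drop the offset column
        out.extend(int(h, 16) for h in hex_bytes)
    return bytes(out)


def decode_reg_sz(raw):
    """Decode a REG_SZ as the registry stores it: UTF-16LE with a NUL terminator."""
    if len(raw) % 2:
        raise ValueError("odd byte count: not a well-formed Unicode REG_SZ")
    text = raw.decode("utf-16-le")
    return {
        "value": text.rstrip("\x00"),
        "size": len(raw),                       # 60 here: 29 chars * 2 + 2-byte NUL
        "nul_terminated": text.endswith("\x00"),
    }


def exported_value(export_text, name):
    """Read a string value out of a REGEDIT4 export, or None if it is absent."""
    m = re.search(r'^"%s"="(.*)"$' % re.escape(name), export_text, re.M)
    if m is None:
        return None
    return m.group(1).replace("\\\\", "\\")    # exports double the backslashes


def check_appinit(dump, export_text):
    """Compare the raw value with what the export shows for AppInit_DLLs."""
    result = decode_reg_sz(parse_hexdump(dump))
    shown = exported_value(export_text, "AppInit_DLLs")
    result["export_shows"] = shown
    result["hidden_from_export"] = result["value"] != shown
    return result


if __name__ == "__main__":
    for k, v in check_appinit(APPINIT_DUMP, REG_EXPORT).items():
        print(f"{k}: {v!r}")
```

A raw value that decodes to a DLL path while the export shows an empty string is the discrepancy FindNFix reports as "Value does not match" above.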

#4 Grinler (Lawrence Abrams, Admin)

Posted 11 August 2004 - 06:24 PM

Now that we know what the offending file is, we can move to the next step.

Please open the FindNFix folder which can be found at c:\findnfix.

Inside that folder will be another folder called keys1. Please double-click on that folder.

When that folder opens you will see a file called Fix.bat. Double-click on that file to start it.

You will get an alert that your computer will reboot in about 15 seconds. Allow the computer to reboot.

When the computer has rebooted and you are at the desktop, click on the Start menu and select Search. You want to find the file C:\WINDOWS\SYSTEM32\WINCO.DLL.

When the file is found, select the C:\WINDOWS\SYSTEM32\WINCO.DLL file by clicking on it once so it becomes highlighted. Then click on the Edit menu and select the "Move to Folder" option. Scroll down until you see the C: drive and expand, by clicking on the plus sign, that directory, and then expand the FindNFix directory. You should then see under the C:\FindNFix directory a directory called junkxxx. Select that as the final destination and click on the Move button. If you get a warning about the file being read-only, allow it to be moved anyway.

When that is completed, open up the c:\findnfix folder again and double-click on the RESTORE.bat file.

When it is finished, open the c:\findnfix folder again and double-click on the Log1.txt file found there. This will open up Notepad. Please post all of the contents of the Notepad window that opens in a reply to this topic.

#5 mom2cheyandt (Topic Starter)

Posted 11 August 2004 - 09:01 PM

See the latest log below.

***edit*** Just thought I should let you know that in your most recent instructions you said to click on the log1.txt file. When I went into findnfix the most recent time there was only log.txt and log2.txt; I posted the most recent one below, which was the log2.txt. Please let me know if I did this incorrectly.

Thanks,
Leah



Wed 11 Aug 04 20:57:26

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

*System:
Microsoft Windows XP Professional 5.1 (Build 2600)
*IE version:
6.0.2600.0000 Q823353-Q832894-Q867801

The type of the file system is FAT32.

___________________________________________
!!Restoring backups!!

Error: Access is denied.
___________________________________________

*Local time:
Wednesday, August 11, 2004 (8/11/2004)
8:57 PM, Central Daylight Time
*Uptime:
20:57:27 up 0 days, 0:03:04

------------------------------------------

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 8/11)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


BHO search...

**File C:\WINDOWS\SYSTEM32\OBBKAB.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....1.€


"C:\WINDOWS\system32\"
obbkab.dll Aug 10 2004 30720 "obbkab.dll"

1 item found: 1 file, 0 directories.
Total of file sizes: 30,720 bytes 30.00 K


»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\WINCO.333


C:\FINDNFIX\JUNKXXX\
winco.333 Mon Jul 19 2004 11:49:38p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\WINCO.333
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.*

**File C:\FINDNFIX\JUNKXXX\WINCO.333
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.

Files: C:\FINDNFIX\JUNKXXX\*.*
WINCO.333 MS Windows 95 / Windows NT Exe
A----- WINCO .333 0000E000 23:49.38 19/07/2004

--a-- W32i - - - - 57,344 07-19-2004 winco.333
A C:\FINDnFIX\junkxxx\winco.333

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
WINCO.333 57344 07-19-104 23:49 c185b36f9969d3a6d2122ba7cbc02249

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
WINCO.333 : crc16=3138 crc32=D5C9FB2E

File: <C:\FINDnFIX\junkxxx\winco.333>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249


#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\winco.333 No permissions are set. All user have full control.
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

File "C:\FINDnFIX\junkxxx\winco.333"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone


This file system is FAT32, it does not enforce ACLs !


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access REX-RNXEFD37W9M\Rex
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access REX-RNXEFD37W9M\Rex



00001150: $ ? 1 B >2 2?
00001190: 1 B >2 2? 1 B >2 2?
000011D0: vk y DeviceNotSelectedTimeout 1 5
00001210: ( W vk ' GDIProcessHandleQuotak
00001250: 9 0 | | vk t_SpoolerG y e s ta\
00001290: vk utswapdisk ` vk
000012D0: P TransmissionRetryTimeout vk ' S
00001310:USERProcessHandleQuotai ` H vk
00001350: | AppInit_DLLs '
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLs '
--------------
--------------
$011F0: DeviceNotSelectedTimeout
$01238: GDIProcessHandleQuotak
$012E0: TransmissionRetryTimeout
$01310: USERProcessHandleQuotai
$01360: AppInit_DLLs
--------------
--------------
No strings found.


d.... 0 Aug 11 18:01 .
d.... 0 Aug 11 18:01 ..
....a 57344 Jul 19 23:49 winco.333

3 files found occupying 55296 bytes

-------- C:\FINDNFIX\JUNKXXX\WINCO.333
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 5,734,400 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 08-11-:4 18:01|WINCO 333 57344 A 07-19-:4 23:49
.. <dir> 08-11-:4 18:01|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...

junkxxx\winco.333
1 file(s) copied.
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...
C:\FINDnFIX\junkxxx
.. SD has a NULL DACL which explicitly allows all access to Everyone
winco.333 SD has a NULL DACL which explicitly allows all access to Everyone
Error - Shutting Down...
Wed 11 Aug 04 20:59:07
-----END-----

Edited by mom2cheyandt, 11 August 2004 - 09:06 PM.


#6 Grinler (Lawrence Abrams, Admin)

Posted 11 August 2004 - 09:19 PM

Were you logged on as the same user for all of these steps?

#7 mom2cheyandt (Topic Starter)

Posted 12 August 2004 - 10:25 AM

Yes.

#8 Grinler (Lawrence Abrams, Admin)

Posted 12 August 2004 - 10:37 AM

Please download and extract HivRepair.zip to c:\hiverepair.

You can download it from:

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

Once it's been extracted, navigate to c:\hiverepair and double-click on repair.cmd.

When it is done it will open a Notepad window. Copy the contents of that Notepad window as a reply to this post.

#9 mom2cheyandt (Topic Starter)

Posted 12 August 2004 - 10:46 AM

Done, see log2.txt below...

Thanks,
Leah


Thu 12 Aug 04 10:43:43

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

*System:
Microsoft Windows XP Professional 5.1 (Build 2600)
*IE version:
6.0.2600.0000 Q823353-Q832894-Q867801

The type of the file system is FAT32.

___________________________________________
!!Restoring backups!!

Error: Access is denied.
___________________________________________

*Local time:
Thursday, August 12, 2004 (8/12/2004)
10:43 AM, Central Daylight Time
*Uptime:
10:43:44 up 0 days, 13:49:22

------------------------------------------

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 8/11)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

SNiF 1.34 statistics

Matching files : 0 Amount in bytes : 0
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


BHO search...

**File C:\WINDOWS\SYSTEM32\OBBKAB.DLL
00002004: A4 62 2A DF D5 7E 05 00 . 00 00 00 00 B6 31 03 80 ¤b*ßÕ~.. ....1.€


"C:\WINDOWS\system32\"
obbkab.dll Aug 10 2004 30720 "obbkab.dll"

1 item found: 1 file, 0 directories.
Total of file sizes: 30,720 bytes 30.00 K


»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\WINCO.333


C:\FINDNFIX\JUNKXXX\
winco.333 Mon Jul 19 2004 11:49:38p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\WINCO.333
SNiF 1.34 statistics

Matching files : 1 Amount in bytes : 57344
Directories searched : 1 Commands executed : 0

Masks sniffed for: *.*

**File C:\FINDNFIX\JUNKXXX\WINCO.333
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.

Files: C:\FINDNFIX\JUNKXXX\*.*
WINCO.333 MS Windows 95 / Windows NT Exe
A----- WINCO .333 0000E000 23:49.38 19/07/2004

--a-- W32i - - - - 57,344 07-19-2004 winco.333
A C:\FINDnFIX\junkxxx\winco.333

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
WINCO.333 57344 07-19-104 23:49 c185b36f9969d3a6d2122ba7cbc02249

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
WINCO.333 : crc16=3138 crc32=D5C9FB2E

File: <C:\FINDnFIX\junkxxx\winco.333>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249


#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\winco.333 No permissions are set. All user have full control.
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

File "C:\FINDnFIX\junkxxx\winco.333"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone


This file system is FAT32, it does not enforce ACLs !


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access REX-RNXEFD37W9M\Rex
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access REX-RNXEFD37W9M\Rex



00001150: $ ? 1 B >2 2?
00001190: 1 B >2 2? 1 B >2 2?
000011D0: vk y DeviceNotSelectedTimeout 1 5
00001210: ( W vk ' GDIProcessHandleQuotak
00001250: 9 0 | | vk t_SpoolerG y e s ta\
00001290: vk utswapdisk ` vk
000012D0: P TransmissionRetryTimeout vk ' S
00001310:USERProcessHandleQuotai ` H vk
00001350: | AppInit_DLLs '
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLs '
--------------
--------------
$011F0: DeviceNotSelectedTimeout
$01238: GDIProcessHandleQuotak
$012E0: TransmissionRetryTimeout
$01310: USERProcessHandleQuotai
$01360: AppInit_DLLs
--------------
--------------
No strings found.


d.... 0 Aug 11 18:01 .
d.... 0 Aug 11 18:01 ..
....a 57344 Jul 19 23:49 winco.333

3 files found occupying 55296 bytes

-------- C:\FINDNFIX\JUNKXXX\WINCO.333
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 5,734,400 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 08-11-:4 18:01|WINCO 333 57344 A 07-19-:4 23:49
.. <dir> 08-11-:4 18:01|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...

junkxxx\winco.333
1 file(s) copied.
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...
C:\FINDnFIX\junkxxx
.. SD has a NULL DACL which explicitly allows all access to Everyone
winco.333 SD has a NULL DACL which explicitly allows all access to Everyone
Error - Shutting Down...
Thu 12 Aug 04 10:46:10
-----END-----

#10 Grinler (Lawrence Abrams, Admin)

Posted 12 August 2004 - 10:47 AM

Do this now:

Please download and extract HivRepair.zip to c:\hiverepair.

You can download it from:

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

Once it's been extracted, navigate to c:\hiverepair and double click on repair.cmd.

When it is done it will open a notepad. Copy the contents of that notepad as a reply to this post.

#11 mom2cheyandt (Topic Starter)

Posted 12 August 2004 - 03:08 PM

here ya go.

thanks,
leah



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access REX-RNXEFD37W9M\Rex
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access REX-RNXEFD37W9M\Rex


-------------------------------------------
Thursday, August 12, 2004 3:07:16 PM
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure Registry Keys...
Configure machine\software\microsoft\windows nt\currentversion\windows.
Configuration of Registry Keys was completed successfully.
----Un-initialize configuration engine...

#12 Grinler (Lawrence Abrams, Admin)

Posted 12 August 2004 - 03:11 PM

Download CWShredder from the link below and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

CWShredder Download Site #1

or

CWShredder Download Site #2

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on cwshredder.exe to start the program. When the program is loaded, click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

CWShredder - How to remove CoolWebSearch with CWShredder

and then post a new log

#13 mom2cheyandt (Topic Starter)

Posted 12 August 2004 - 03:52 PM

I just completed the CWS program.... Which log do you want me to do? FindnFix or Hiv?

#14 Grinler (Lawrence Abrams, Admin)

Posted 12 August 2004 - 03:58 PM

HijackThis log

#15 mom2cheyandt (Topic Starter)

Posted 12 August 2004 - 04:02 PM

here ya go..

thanks,
leah



Logfile of HijackThis v1.98.2
Scan saved at 4:02:05 PM, on 8/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\freescan\freescan.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack this\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1444463F-CE1C-4DC6-8FC5-F3CE600CC699} - C:\WINDOWS\System32\obbkab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {490C42C6-2172-4752-ABCE-1FF8609CF11C} - C:\WINDOWS\System32\obbkab.dll
O18 - Filter: text/plain - {490C42C6-2172-4752-ABCE-1FF8609CF11C} - C:\WINDOWS\System32\obbkab.dll
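In the log above, C:\WINDOWS\System32\obbkab.dll is listed twice: as an unnamed BHO under O2 and as the MIME filter for both text/html and text/plain under O18, while every R0/R1 search entry points at sp.html in the user's Temp folder. Those are the entries worth reading together rather than one by one. The script below is an added example, not part of this thread and not code from HijackThis or CWShredder: it parses the R, O2, O16 and O18 entry formats, flags the indicators visible in this log, and cross-references any module that is registered in more than one hook. The sample lines are copied from the log posted above; the severities and the rules themselves are the example's own choices, not HijackThis output. Unnamed BHOs are only rated LOW because Spybot's own SDHelper.dll also appears as "(no name)" here, so that hint alone is not evidence.

```python
"""Triage a HijackThis log: flag CWS-style indicators and cross-reference
modules that show up in more than one IE hook (added example, not HJT code)."""
import re
from collections import defaultdict

# Constructed sample input: R/O2/O16/O18 entries copied from the HijackThis
# log in the post above (O3/O4/O8/O9 lines omitted; the triage ignores them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {1444463F-CE1C-4DC6-8FC5-F3CE600CC699} - C:\WINDOWS\System32\obbkab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {490C42C6-2172-4752-ABCE-1FF8609CF11C} - C:\WINDOWS\System32\obbkab.dll
O18 - Filter: text/plain - {490C42C6-2172-4752-ABCE-1FF8609CF11C} - C:\WINDOWS\System32\obbkab.dll
"""

# Entry formats as HijackThis 1.98 prints them (section - key,value = data / - {CLSID} - path).
RE_R = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<src>.*)$")
RE_O18 = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")


def norm(path):
    """Case-fold a module path so O2 and O18 references to one DLL compare equal."""
    return path.strip().lower()


def triage(log_text):
    """Return a list of (severity, section, detail) findings for one log."""
    findings = []
    modules = defaultdict(set)  # normalised module path -> hooks it is registered in
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_R.match(line)
        if m:
            data = m.group("data")
            # Search/start pages pointed at a local file in Temp: the browser
            # never leaves the box, which is what the about:blank symptom looks like.
            if data.lower().startswith("file://") and "\\temp\\" in data.lower():
                findings.append(("HIGH", "R", f"{m.group('value')} -> local file in Temp: {data}"))
            elif m.group("value") == "HomeOldSP" and data.lower() == "about:blank":
                findings.append(("MEDIUM", "R", f"{m.group('key')} HomeOldSP = about:blank"))
            continue
        m = RE_O2.match(line)
        if m:
            modules[norm(m.group("path"))].add("O2")
            # Unnamed BHOs are only a hint: legitimate helpers (SDHelper.dll) show up unnamed too.
            if m.group("name") == "(no name)":
                findings.append(("LOW", "O2", f"unnamed BHO {{{m.group('clsid')}}} -> {m.group('path')}"))
            continue
        m = RE_O16.match(line)
        if m:
            # Downloaded Program Files normally record an http(s) source, not a local file.
            if m.group("src").lower().startswith("file://"):
                findings.append(("HIGH", "O16", f"ActiveX {{{m.group('clsid')}}} sourced from {m.group('src')}"))
            continue
        m = RE_O18.match(line)
        if m:
            modules[norm(m.group("path"))].add("O18 " + m.group("mime"))
            # A filter on text/html or text/plain sees and can rewrite every page IE renders.
            if m.group("mime") in ("text/html", "text/plain"):
                findings.append(("HIGH", "O18", f"MIME filter on {m.group('mime')} -> {m.group('path')}"))
    # Cross-reference: one module registered both as a BHO and as a MIME filter.
    for path, hooks in sorted(modules.items()):
        if "O2" in hooks and any(h.startswith("O18") for h in hooks):
            findings.append(("HIGH", "XREF", f"{path} registered as {', '.join(sorted(hooks))}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section:4} {detail}")
```

Run against the sample, the XREF line names obbkab.dll as both the BHO and the text/html and text/plain filter, which is the module the rest of the thread is working to remove; the six file://...\Temp\sp.html entries and the file:// O16 source are the remaining HIGH lines. The rules key on log text only, so a hijacker that registers under a CLSID with a benign-looking path still has to be checked on disk.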



