New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
image
Prime Choice
· Head Lines
· Advisories (All)
· Dnld of the Week!
· CCSP News Ltrs
· Find a Cure!

· Ian T's (AR 23)
· Marcia's (CO8)
· Bill G's (CO11)
· Paul's (AR 5)
· Robin's (AR 2)

· Ian T's Archive
· Marcia's Archive
· Bill G's Archive
· Paul's Archive
· Robin's Archive
image
Security Central
· Home
· Wireless
· Bookmarks
· CLSID
· Columbia
· Community
· Downloads
· Encyclopedia
· Feedback (send)
· Forums
· Gallery
· Giveaways
· HijackThis
· Journal
· Members List
· My Downloads
· PremChat
· Premium
· Private Messages
· Proxomitron
· Quizz
· RegChat
· Reviews
· Google Search
· Sections
· Software
· Statistics
· Stories Archive
· Submit News
· Surveys
· Top
· Topics
· Web Links
· Your Account
image
CCSP Toolkit
· Email Virus Scan
· UDP Port Scanner
· TCP Port Scanner
· Trojan TCP Scan
· Reveal Your IP
· Algorithms
· Whois
· nmap port scanner
· IPs Banned [?]
image
Survey
How much can you give to keep Computer Cops online?

$10 up to $25 per year?
$25 up to $50 per year?
$10 up to $25 per month?
$25 up to $50 per month?
More than $50 per year?
More than $50 per month?
One time only?
Other (please comment)



Results
Polls

Votes: 1021
Comments: 21
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin 

Hidden Files keep re-installing HiJack.

 
Post new topic   Reply to topic       Computer Cops Forum Index -> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My!
View previous topic :: View next topic  
Author Message
Jerhiko

Cadet
Cadet



Joined: Jun 02, 2004
Posts: 7
Location: USA

PostPosted: Wed Jun 02, 2004 3:49 pm    Post subject: Hidden Files keep re-installing HiJack.
Reply with quote

I seem to have a hidden file that keeps reinstalling this hijack. Please help.
Here is a copy of my log.

Logfile of HijackThis v1.97.7
Scan saved at 2:12:09 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Battletech\hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\idccb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\idccb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\idccb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\idccb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\idccb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\idccb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02918035-2A93-47AA-8625-E4EC6EE57410} - C:\WINDOWS\System32\idccb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: Jadvantage - http://204.251.188.66:8080/Jadvantage.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...2296064815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
Back to top
View users profile Send private message
freeatlast

Security Expert
Security Expert



Joined: Feb 02, 2004
Posts: 671
Location: USA

PostPosted: Wed Jun 02, 2004 4:37 pm    Post subject:
Reply with quote

Download and Install: >>Find-All.exe (Win2K/XP only!)<<

Run the Find-All\"Find-All.Cmd" file, wait for the log and post it here.
Back to top
View users profile Send private message
Jerhiko

Cadet
Cadet



Joined: Jun 02, 2004
Posts: 7
Location: USA

PostPosted: Wed Jun 02, 2004 5:05 pm    Post subject:
Reply with quote

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/01 @@@***==--


Wed Jun 02 17:00:16 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (5CAF:8FF8) - FS:NTFS clusters:4k
Total: 59 970 514 944 [56G] - Free: 43 725 443 072 [41G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW Wink
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 80,896 05-30-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
5:00pm up 0 days, 5:01

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\COMALBC.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMALBC.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
848 SMSS.EXE
896 CSRSS.EXE Title:
928 WINLOGON.EXE Title: NetDDE Agent
1000 SERVICES.EXE Svcs: Eventlog,PlugPlay
1012 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
1256 SVCHOST.EXE Svcs: RpcSs
1424 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w3
1608 SVCHOST.EXE Svcs: Dnscache
1620 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1876 CCSETMGR.EXE Svcs: ccSetMgr
2044 CCEVTMGR.EXE Svcs: ccEvtMgr
880 SPOOLSV.EXE Svcs: Spooler
1764 EXPLORER.EXE Title: Program Manager
2000 SynTPLpr.exe Title: Touchpad driver helper window
2016 SynTPEnh.exe Title: TouchPad object helper window
2024 DadApp.exe Title: Dell AccessDirect App
220 quickset.exe Title: QuickSet
284 DSentry.exe Title: DVDSentry
280 Directcd.exe Title: DirectCD
320 Support.exe Title: Support
328 CCAPP.EXE Title:
476 jusched.exe Title: OleMainThreadWndName
496 GhostStartTrayApGhostStartTrayAppTitle: GhostStartTrayApp
564 hpztsb04.exe Title:
572 hphmon03.exe Title: HP Photosmart Printer Series
580 dadtray.exe Title: DadTray
612 qttask.exe Title: 268
624 msmsgs.exe Title: MCI command handling window
664 aim.exe Title:
704 CTFMON.EXE Title:
976 acrotray.exe Title: AcrobatTrayIcon
1416 hpobnz08.exe Title:
1652 CDAC11BA.EXE Svcs: C-DillaCdaC11BA
1820 CCPROXY.EXE Svcs: ccProxy
1632 GhostStartService.exeSvcs: GhostStartService
536 MDM.EXE Svcs: MDM
2124 sqlservr.exe Svcs: MSSQL$MICROSOFTBCM
2196 NAVAPSVC.EXE Svcs: navapsvc
2216 NPROTECT.EXE Svcs: NProtectService
2292 nvsvc32.exe Svcs: NVSvc
2544 NOPDB.EXE Svcs: Speed Disk service
2608 SVCHOST.EXE Svcs: stisvc
2668 symlcsvc.exe Svcs: Symantec Core LC
2716 WLTRYSVC.EXE Svcs: WLTRYSVC
2824 BCMWLTRY.EXE Title: BCMWLTRY Windows Application
3540 SAVSCAN.EXE Svcs: SAVScan
3496 wuauclt.exe Title: Auto Update Client Window
652 OUTLOOK.EXE Title: User Password for Jerhiko at Computer Cops - Message (Plain Text)
2456 WINWORD.EXE Title: CiceroUIWndFrame
2728 IEXPLORE.EXE Title: Microsoft Office Templates: Sales invoice - Microsoft Internet Explorer
900 HijackThis.exe Title: HijackThis
2808 EXCEL.EXE Title: Draw_One_Ryan.xls
2272 notepad.exe Title: hijackthis.log - Notepad
3752 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
2604 NTVDM.EXE
3264 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02918035-2A93-47AA-8625-E4EC6EE57410}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{8697E7F2-40CB-4420-839A-709B66221E08}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{8697E7F2-40CB-4420-839A-709B66221E08}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Defaults *450)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [DDP56N31\Joe Black], is a member of:

BUILTIN\Administrators
\Everyone
DDP56N31\None

User is a member of group DDP56N31\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
DDP56N31\Joe Black:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Wed Jun 02 17:00:40 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Back to top
View users profile Send private message
freeatlast

Security Expert
Security Expert



Joined: Feb 02, 2004
Posts: 671
Location: USA

PostPosted: Wed Jun 02, 2004 5:19 pm    Post subject:
Reply with quote

You have the 'classic' version! Wink

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
hilited.
(*compare and be sure the path on the status
bar is same as indicated above!)

--RightClick on the Windows Subfolder,
And rename Windows as Windows1

--Locate "AppInit_DLLs" value on the right
pane, RightClick it and select -> 'delete'

--Select the Windows1 on the left pane
again and rename it back to it's
original name, Windows

--Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to System32 folder, Search
for System32\ COMALBC.DLL file, hilite
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder.
(It was created during first 'Find-All' run)
'ok' it.

---Re-run 'Find-All.cmd' and post new log!
Back to top
View users profile Send private message
Jerhiko

Cadet
Cadet



Joined: Jun 02, 2004
Posts: 7
Location: USA

PostPosted: Wed Jun 02, 2004 5:46 pm    Post subject:
Reply with quote

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/01 @@@***==--


Wed Jun 02 17:41:03 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (5CAF:8FF8) - FS:NTFS clusters:4k
Total: 59 970 514 944 [56G] - Free: 43 725 299 712 [41G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW Wink
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 80,896 05-30-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
5:41pm up 0 days, 0:08

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junkxxx\COMALBC.DLL


»»Tasks (services):
0 System Process
4 System
504 SMSS.EXE
560 CSRSS.EXE Title:
896 WINLOGON.EXE Title: NetDDE Agent
940 SERVICES.EXE Svcs: Eventlog,PlugPlay
952 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
1136 SVCHOST.EXE Svcs: RpcSs
1284 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,HidServ,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w3
1456 SVCHOST.EXE Svcs: Dnscache
1488 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1692 CCSETMGR.EXE Svcs: ccSetMgr
1804 CCEVTMGR.EXE Svcs: ccEvtMgr
2012 SPOOLSV.EXE Svcs: Spooler
868 CDAC11BA.EXE Svcs: C-DillaCdaC11BA
916 CCPROXY.EXE Svcs: ccProxy
1164 GhostStartService.exeSvcs: GhostStartService
1200 MDM.EXE Svcs: MDM
1256 sqlservr.exe Svcs: MSSQL$MICROSOFTBCM
1552 NAVAPSVC.EXE Svcs: navapsvc
1572 NPROTECT.EXE Svcs: NProtectService
1592 nvsvc32.exe Svcs: NVSvc
1704 NOPDB.EXE Svcs: Speed Disk service
1828 SVCHOST.EXE Svcs: stisvc
1852 symlcsvc.exe Svcs: Symantec Core LC
200 WLTRYSVC.EXE Svcs: WLTRYSVC
232 BCMWLTRY.EXE Title: BCMWLTRY Windows Application
496 SAVSCAN.EXE Svcs: SAVScan
1400 EXPLORER.EXE Title: Program Manager
2172 SynTPLpr.exe Title: Touchpad driver helper window
2184 SynTPEnh.exe Title: TouchPad object helper window
2192 DadApp.exe Title: Dell AccessDirect App
2200 quickset.exe Title: QuickSet
2212 DSentry.exe Title: DVDSentry
2240 Directcd.exe Title: DirectCD
2272 Support.exe Title: Support
2296 CCAPP.EXE Title:
2320 dadtray.exe Title: DadTray
2356 jusched.exe Title: OleMainThreadWndName
2392 GhostStartTrayApGhostStartTrayAppTitle: GhostStartTrayApp
2420 ICQLite.exe Title:
2440 hpztsb04.exe Title:
2460 hphmon03.exe Title: HP Photosmart Printer Series
2484 qttask.exe Title: 9b8
2500 msmsgs.exe Title:
2556 CTFMON.EXE Title:
2640 acrotray.exe Title: AcrobatTrayIcon
2664 hpobnz08.exe Title:
1532 wuauclt.exe Title: Auto Update Client Window
3944 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3988 NTVDM.EXE
1364 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02918035-2A93-47AA-8625-E4EC6EE57410}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
@="Web assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{8697E7F2-40CB-4420-839A-709B66221E08}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{8697E7F2-40CB-4420-839A-709B66221E08}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access DDP56N31\Joe Black
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access DDP56N31\Joe Black




»»Size of 'Windows' key: (Defaults *450)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Group/user settings:


User: [DDP56N31\Joe Black], is a member of:

BUILTIN\Administrators
\Everyone
DDP56N31\None

User is a member of group DDP56N31\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
DDP56N31\Joe Black:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


C:\junkxxx\comalbc.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DDP56N31\Joe Black:F
BUILTIN\Users:R

C:\junkxxx\eiobdd.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DDP56N31\Joe Black:F
BUILTIN\Users:R

C:\junkxxx\idccb.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Users:R

C:\junkxxx\mhkihed.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DDP56N31\Joe Black:F
BUILTIN\Users:R

C:\junkxxx\pjfp.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DDP56N31\Joe Black:F
BUILTIN\Users:R

C:\junkxxx\sexxx.exe BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
DDP56N31\Joe Black:F
BUILTIN\Users:R


»»Contents of file(s) in 'junkxxx' folder:
comalbc.dll
eiobdd.dll
idccb.dll
mhkihed.dll
pjfp.dll
sexxx.exe

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright (C) 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 comalbc.dll
0758cf635df08ac381962f74832b6484 eiobdd.dll
0758cf635df08ac381962f74832b6484 idccb.dll
8077c2987b88d4d351b8e0e16d453b51 mhkihed.dll
8077c2987b88d4d351b8e0e16d453b51 pjfp.dll
c27cdf4cbd1029ba03fde77f7643a139 sexxx.exe

193536 bytes, 1 ms = 184.57 MB/sec
------
»»Rehash:
File: <C:\junkxxx\comalbc.dll>

CRC-32 : D5C9FB2E

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

E89EDB26 3B623462

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

AAEF452A 3CD2FAB3

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

C8BECB6F 2DB242DA 5945C134 A7E3D9B9



File: <C:\junkxxx\eiobdd.dll>

CRC-32 : 00000000

GOST-Hash : 434E1527 7713C5D8 BF288F10 4F9A4FED 58644BF3 026ED978

F8AF1B63 53982F11

HAVAL-5-256 : 8A927B72 C5327551 829AAD46 1533FD0F A72A4071 F730D3BC

5281A2F5 8D5EF813

MD5 : 0758CF63 5DF08AC3 81962F74 832B6484

SHA-512 : 859FE5AD C19505E2 72B65E42 3E59663B 948D9BD3 6C7FF6DF

CE032208 C06C7DAA 805A4DB0 74D27D29 868446FB BE66A339

970A6B83 31A730E8 F3C5DB5C 5AE7E58B



File: <C:\junkxxx\idccb.dll>

CRC-32 : 00000000

GOST-Hash : 434E1527 7713C5D8 BF288F10 4F9A4FED 58644BF3 026ED978

F8AF1B63 53982F11

HAVAL-5-256 : 8A927B72 C5327551 829AAD46 1533FD0F A72A4071 F730D3BC

5281A2F5 8D5EF813

MD5 : 0758CF63 5DF08AC3 81962F74 832B6484

SHA-512 : 859FE5AD C19505E2 72B65E42 3E59663B 948D9BD3 6C7FF6DF

CE032208 C06C7DAA 805A4DB0 74D27D29 868446FB BE66A339

970A6B83 31A730E8 F3C5DB5C 5AE7E58B



File: <C:\junkxxx\mhkihed.dll>

CRC-32 : 00000000

GOST-Hash : 83AC8480 69D57FD4 C22EBAEA 2494AC77 75A4BDD9 493BCF39

188A415F E11EF9EE

HAVAL-5-256 : 7DF6D168 3AA36B44 8B5F6C95 177B4D73 09FFF482 F6B38EC4

2E89FEE2 9B7B89D3

MD5 : 8077C298 7B88D4D3 51B8E0E1 6D453B51

SHA-512 : 2704AD9E 68AB70BC 830D39DA 715FD031 5375A2C1 A8A844F4

AC3F271B EDDCE836 F90F5A65 63119745 71DA0982 B6C26A82

7B212625 BC545294 1931B647 33A0EAA3



File: <C:\junkxxx\pjfp.dll>

CRC-32 : 00000000

GOST-Hash : 83AC8480 69D57FD4 C22EBAEA 2494AC77 75A4BDD9 493BCF39

188A415F E11EF9EE

HAVAL-5-256 : 7DF6D168 3AA36B44 8B5F6C95 177B4D73 09FFF482 F6B38EC4

2E89FEE2 9B7B89D3

MD5 : 8077C298 7B88D4D3 51B8E0E1 6D453B51

SHA-512 : 2704AD9E 68AB70BC 830D39DA 715FD031 5375A2C1 A8A844F4

AC3F271B EDDCE836 F90F5A65 63119745 71DA0982 B6C26A82

7B212625 BC545294 1931B647 33A0EAA3



File: <C:\junkxxx\sexxx.exe>

CRC-32 : 4FA1CB2F

GOST-Hash : EF5E00B7 580190F7 BE0F15E4 3440C8B1 FE648D14 4E495DDE

AE82E546 BDDA8A3E

HAVAL-5-256 : 220C7E6C 51887BEF 6A371026 475FEF25 0DDC9A61 EBEC4B45

9491E4E6 92778B53

MD5 : C27CDF4C BD1029BA 03FDE77F 7643A139

SHA-512 : 2C3915A1 6A4906DE 865D4E4A FDBF5F51 019D0C65 0843CD3A

007D5617 A0196BCB C25CB8D4 76DCFD30 461EF31B 3000DAFD

3ABF6B73 CACD5E04 D32317A3 184117CD




Wed Jun 02 17:41:16 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Back to top
View users profile Send private message
freeatlast

Security Expert
Security Expert



Joined: Feb 02, 2004
Posts: 671
Location: USA

PostPosted: Wed Jun 02, 2004 6:06 pm    Post subject:
Reply with quote

Laughing Beautiful!

Looks like your C:\junkxxx folder contains
other goddies!
I doubt my 'Find-All' had the 'magic power' to do
that, but whatever it is , all the items
included can go... Twisted Evil

We can wrap up the hijacker following these steps:

--Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key &Security
back to defaults
*Reset permissions on the junkxxx\*.dll moved file
*Create zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses, ! , thanks

When done, Delete the "junkxxx.zip"
as well as the "junkxxx" folder in C:\ And the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker
downloaded!
Run these tools (whether used before or not!), as
they should work properly now.
have them fix all problems:
*Ad-Aware 6 Build 181:
http://www.lavasoftusa.com/software/adaware/

*Latest reference file : 01R313 02.06.2004
http://www.lavasoftsupport.com/index.php?showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp.com/howto/fullscan/index.html

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Feel free to post follow up hijackthis log when done!
Good luck Twisted Evil
Back to top
View users profile Send private message
Jerhiko

Cadet
Cadet



Joined: Jun 02, 2004
Posts: 7
Location: USA

PostPosted: Wed Jun 02, 2004 8:48 pm    Post subject:
Reply with quote

Logfile of HijackThis v1.97.7
Scan saved at 8:47:15 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Battletech\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02918035-2A93-47AA-8625-E4EC6EE57410} - C:\WINDOWS\System32\idccb.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: Jadvantage - http://204.251.188.66:8080/Jadvantage.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...2296064815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
Back to top
View users profile Send private message
freeatlast

Security Expert
Security Expert



Joined: Feb 02, 2004
Posts: 671
Location: USA

PostPosted: Wed Jun 02, 2004 9:07 pm    Post subject:
Reply with quote

Is this what you meant by "trouble"? Twisted Evil

Fix checked in hijackthis:

*R1 - HKCU\Software\Microsoft\
Internet Explorer\Main,HomeOldSP = about:blank

*O2 - BHO: (no name) -
{02918035-2A93-47AA-8625-E4EC6EE57410} -
C:\WINDOWS\System32\idccb.dll (file missing)

Reset your home page in IE options+restore defaults.

Well done! Cool

P.S
You're welcome and Tnx for the package, although
these items seem to be missing:(recieved main 'villain')
»»Contents of file(s) in 'junkxxx' folder:
.............................
-eiobdd.dll
-idccb.dll
-mhkihed.dll
-pjfp.dll
-sexxx.exe

Just make sure they haven't been
"transfered" elsewhere..
(e.g, Search and delete is exist)
Back to top
View users profile Send private message
Jerhiko

Cadet
Cadet



Joined: Jun 02, 2004
Posts: 7
Location: USA

PostPosted: Wed Jun 02, 2004 9:15 pm    Post subject:
Reply with quote

I am extremely greatfull for your unbelievabley fast and accurate responses. I believe my Email Scanner deleted those files as the email was
sent. I am sorry about that.
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       Computer Cops Forum Index -> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My! All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB 2.0.8a © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops