
FindnFix log...identified entry advice

Discussion in 'Virus & Other Malware Removal' started by amthmi, Sep 6, 2004.

Thread Status:
Not open for further replies.
  1. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    I was following this thread
    http://forums.techguy.org/t270608.html

    While I was checking something I decided to run FindnFix.
    I've read the log that it generates before so I'm kinda familiar with it.

    I saw this entry and it made me concerned about what it might be.

    termsrv.dll appears to be a Microsoft file for Terminal Server Service
    installed with SP2.
    So I thought ok... then why is it identified?

    Any thoughts ?

    The edit from the log is below:

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    termsrv.dll Wed Aug 4 2004 12:56:48a A...R 295,424 288.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 295,424 bytes 288.50 K

    -------------------------------------------------
    The entire log...



    »»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2900.2180 SP2
    The type of the file system is FAT32.
    C: is not dirty.

    Mon 06 Sep 04 20:09:44
    8:09pm up 1 day, 2:39

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided should help narrow down the list, and hopefully
    pinpoint the culprit.
    Along with that,registry scan logged at the end should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
    »»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/25)»»»»»»»»»»»»»»»»

    »»»*»»»*Use at your own risk!»»»*»»»*

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    termsrv.dll Wed Aug 4 2004 12:56:48a A...R 295,424 288.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 295,424 bytes 288.50 K

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\TERMSRV.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»»»(*6*)»»»»»

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINDOWS\SYSTEM32\
    dpwsockx.dll Wed Aug 4 2004 12:56:44a A.... 57,344 56.00 K
    msasn1.dll Wed Aug 4 2004 12:56:44a A.... 57,344 56.00 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 114,688 bytes 112.00 K

    C:\WINDOWS\SYSTEM32\
    dmloader.dll Wed Aug 4 2004 12:56:44a A.... 35,840 35.00 K
    imgutil.dll Wed Aug 4 2004 12:56:44a A.... 35,840 35.00 K
    umandlg.dll Wed Aug 4 2004 12:56:48a A.... 35,840 35.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 107,520 bytes 105.00 K

    C:\WINDOWS\SYSTEM32\
    dpvacm.dll Wed Aug 4 2004 12:56:44a A.... 21,504 21.00 K
    feclient.dll Wed Aug 4 2004 12:56:44a A.... 21,504 21.00 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 43,008 bytes 42.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DPWSOCKX.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSASN1.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DMLOADER.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\IMGUTIL.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\UMANDLG.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DPVACM.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\FECLIENT.DLL

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs =
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group AMTHMI\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.


    »»»»»»Backups created...»»»»»»
    8:11pm up 1 day, 2:41
    Mon 06 Sep 04 20:11:54

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 09-06-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 287 09-06-2004 winkey.reg
    *Temp backups...
    .
    ..
    keyback2.hi_
    winkey2.re_


    C:\FINDNFIX\
    JUNKXXX Mon Sep 6 2004 8:09:44p .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: ?
    00001190: vk f AppInit_
    000011D0:DLLs G vk UDeviceNotSelectedTimeout
    00001210: 1 5 ( W 9 0 ! vk ' zGDIProce
    00001250:ssHandleQuota" vk Spooler2 y e s
    00001290: 0 ` vk =pswapdisk vk
    000012D0: R TransmissionRetryTimeout 0 `
    00001310: vk ' 6 USERProcessHandleQuota6
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLs֍æG
    --------------
    --------------
    $011C8: AppInit_DLLs
    $011F7: UDeviceNotSelectedTimeout
    $01247: zGDIProcessHandleQuota
    $012E0: TransmissionRetryTimeout
    $01330: USERProcessHandleQuota6
    --------------
    --------------
    No strings found.

    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : ""
    0000 00 00 | ..
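The filters the log's own note describes (attribute bits, last-modified date, size) and the Windows-key size table it prints are mechanical enough to script. The Python below is an added example, not part of FINDnFIX or of this thread: it parses the file-listing, key-size and REGEDIT4 sections of a log like the one above and reports which filter each flagged file hit, so a reader can see why a file was listed before deciding whether it is worth a second look. It assumes the five-character attribute field uses the letters A/D/S/H/R for set bits and '.' for unset ones (only A, D and R actually appear in the posted log); the sample input is a handful of lines copied from that log.

```python
"""Triage helper for a FINDnFIX-style log (added example; not the tool's own
code).  Applies the log note's filters: attribute bits, an out-of-place
timestamp, and the Windows-key size heuristic the log prints."""
import re
from collections import Counter
from datetime import datetime

# Sample input: lines copied from the log posted in the thread.
SAMPLE_LOG = """\
C:\\WINDOWS\\SYSTEM32\\
termsrv.dll Wed Aug 4 2004 12:56:48a A...R 295,424 288.50 K

1 item found: 1 file, 0 directories.

C:\\WINDOWS\\SYSTEM32\\
dpwsockx.dll Wed Aug 4 2004 12:56:44a A.... 57,344 56.00 K
msasn1.dll Wed Aug 4 2004 12:56:44a A.... 57,344 56.00 K

Size of HKEY_LOCAL_MACHINE\\software\\microsoft\\Windows NT\\CurrentVersion\\Windows: 450

REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"""

DIR_LINE = re.compile(r'^[A-Za-z]:\\.*\\$')
# name, "Wed Aug 4 2004 12:56:48a", 5-char attribute field, byte count, KB
FILE_LINE = re.compile(
    r'^(?P<name>\S+)\s+'
    r'(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+'
    r'(?P<attrs>[A-Z.]{5})\s+'
    r'(?P<size>[\d,]+)\s+[\d.]+ K$')
KEY_SIZE = re.compile(r'^Size of .*\\Windows: (\d+)$')
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<str>[^"]*)"|dword:(?P<dword>[0-9a-fA-F]{8}))$')

# Key sizes as stated in the log's own note (default / no AppInit / "fake").
KEY_SIZES = {450: 'default', 398: 'no AppInit value',
             448: 'suspect', 504: 'suspect', 512: 'suspect'}


def parse_stamp(s):
    # Turn the trailing 'a'/'p' into AM/PM so strptime's %p can read it.
    return datetime.strptime(s[:-1] + ('AM' if s[-1] == 'a' else 'PM'),
                             '%a %b %d %Y %I:%M:%S%p')


def parse_files(log):
    """Return one dict per file line, carrying the directory header above it."""
    entries, cwd = [], None
    for line in log.splitlines():
        line = line.strip()
        if DIR_LINE.match(line):
            cwd = line
            continue
        m = FILE_LINE.match(line)
        if m:
            entries.append({
                'path': (cwd or '') + m['name'],
                'mtime': parse_stamp(m['stamp']),
                # Assumed letters: A archive, D dir, S system, H hidden, R read-only.
                'attrs': set(m['attrs']) - {'.'},
                'size': int(m['size'].replace(',', '')),
            })
    return entries


def triage(entries):
    """List, for each file, which of the note's filters it hit (may be none)."""
    per_day = Counter(e['mtime'].date() for e in entries)
    report = []
    for e in entries:
        reasons = []
        if 'R' in e['attrs']:
            reasons.append('read-only')
        if 'H' in e['attrs']:
            reasons.append('hidden')
        if 'S' in e['attrs']:
            reasons.append('system')
        # A file whose date differs from every other flagged file stands out.
        if len(entries) > 1 and per_day[e['mtime'].date()] == 1:
            reasons.append('timestamp unlike the other flagged files')
        report.append((e['path'], reasons))
    return report


def windows_key_size(log):
    m = next((KEY_SIZE.match(l.strip()) for l in log.splitlines()
              if KEY_SIZE.match(l.strip())), None)
    return int(m.group(1)) if m else None


def classify_windows_key_size(n):
    return KEY_SIZES.get(n, 'unknown')


def parse_regedit4(log):
    """Collect string and dword values from the REGEDIT4 export in the log."""
    values = {}
    for line in log.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            values[m['name']] = m['str'] if m['dword'] is None else int(m['dword'], 16)
    return values


def appinit_dlls(values):
    """DLL paths that AppInit_DLLs would load into user-mode processes."""
    return [p for p in re.split(r'[ ,;]+', values.get('AppInit_DLLs', '')) if p]


if __name__ == '__main__':
    for path, reasons in triage(parse_files(SAMPLE_LOG)):
        print(path, '->', ', '.join(reasons) or 'no filter hit')
    size = windows_key_size(SAMPLE_LOG)
    print('Windows key size', size, '->', classify_windows_key_size(size))
    print('AppInit_DLLs:', appinit_dlls(parse_regedit4(SAMPLE_LOG)) or 'empty')
```

On the posted log this reports termsrv.dll as hit only by the read-only filter, the two search-by-size files as hitting nothing, the key size 450 as the default, and AppInit_DLLs as empty; that is the same picture the log note asks the reader to assemble by hand, and it is a reason to check a flagged file's properties rather than a verdict on it.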

Short URL to this thread: https://techguy.org/271014
