
Hjt Log, Need Help!

Discussion in 'Virus & Other Malware Removal' started by smile420, Sep 1, 2004.

  1. smile420 (Thread Starter)
    TO FIX, OR NOT TO FIX. THAT IS MY QUESTION.
    Posted the same log yesterday; got no reply. Sorry for the redundancy.
    Have run Ad-Aware, Spybot, CWShredder, now this...

    Logfile of HijackThis v1.98.2
    Scan saved at 2:44:26 PM, on 8/31/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint\Bin\LPSVS13N.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\MSSQL7\binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\appsl.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT.EXE
    C:\WINDOWS\msmh.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\nicholas cantrell\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eooax.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eooax.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eooax.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eooax.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eooax.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eooax.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eooax.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4D567ABA-C061-F0F9-6007-B9B4A96FB412} - C:\WINDOWS\appuu32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [ePrint Service] C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT.EXE
    O4 - HKLM\..\Run: [msmh.exe] C:\WINDOWS\msmh.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} (CRS Inc. Data Object) - http://www.crsdata.net/CRSDataObject/CRSNInfo.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rdkrdhvm.exe
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/ga...gadgets.shortcut.ShortcutGadget/LocalExec.CAB
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.crsdata.net/maps/install/mgaxctrlv60.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
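The log above carries the usual marks of the about:blank search hijacker that AboutBuster targets: every IE start and search page points at a res:// resource inside a DLL dropped straight into C:\WINDOWS, an anonymous BHO lives in the same directory, a Run value is named after its own binary (msmh.exe), and two O16 entries pull an ActiveX "download" from a local file:// path. As an added example, not code from the thread or from HijackThis, here is a small Python triage that applies those reviewer checks to R0/R1, O2, O4 and O16 lines. The sample lines are copied from the log above; the severities, the "Run value named after its binary" heuristic and the C:\WINDOWS-root rule are my own assumptions about this variant, not anything HijackThis computes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis log posted above, with a
# few of its benign entries kept so the triage has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eooax.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eooax.dll/sp.html#96676
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D567ABA-C061-F0F9-6007-B9B4A96FB412} - C:\WINDOWS\appuu32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [msmh.exe] C:\WINDOWS\msmh.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rdkrdhvm.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""


@dataclass
class Finding:
    severity: str  # "high" = matches the hijacker's pattern, "medium" = review by hand
    line: str
    reason: str


# Files dropped straight into C:\WINDOWS or C:\WINDOWS\system32 with no vendor
# folder, which is where every hijacker artefact in the log above lives.
IN_WINDOWS_DIRS = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)
IN_WINDOWS_TOP = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.I)
O4_ENTRY = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
EXE_PATH = re.compile(r'"?([^"]*?\.exe)"?', re.I)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the reviewer's checks to one HijackThis entry; None if it looks clean."""
    line = line.strip()
    kind, _, rest = line.partition(" - ")

    if kind in ("R0", "R1") and " = " in rest:
        key, _, value = rest.rpartition(" = ")
        m = RES_DLL.match(value)
        if m:  # start/search page served out of a local DLL resource
            return Finding("high", line, f"IE page served from local DLL resource {m.group(1)}")
        if key.endswith("Default_Page_URL") and value.lower() == "about:blank":
            return Finding("medium", line, "about:blank start page; review together with any res:// entries")

    elif kind == "O2":
        parts = rest.split(" - ")  # "BHO: <name>", "{CLSID}", "<dll path>"
        if len(parts) == 3 and parts[0] == "BHO: (no name)":
            dll = parts[2]
            sev = "high" if IN_WINDOWS_DIRS.match(dll) else "medium"
            return Finding(sev, line, f"anonymous BHO loaded from {dll}")

    elif kind == "O4":
        m = O4_ENTRY.match(line)
        if m:
            value_name, command = m.group(2), m.group(3)
            exe = EXE_PATH.search(command)
            target = exe.group(1) if exe else command
            basename = target.rsplit("\\", 1)[-1]
            # Heuristic (my assumption): the dropper names its Run value after the
            # binary, extension included, e.g. [msmh.exe] C:\WINDOWS\msmh.exe
            if value_name.lower() == basename.lower():
                return Finding("high", line, "Run value named after its own binary")
            if IN_WINDOWS_TOP.match(target):
                return Finding("medium", line, f"autorun binary sitting in the Windows root: {target}")

    elif kind == "O16":
        url = rest.rsplit(" - ", 1)[-1]
        if url.lower().startswith("file://") or url.lower().endswith(".exe"):
            return Finding("high", line, f"ActiveX codebase is a local file or bare .exe: {url}")

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Running it on the sample flags both res:// entries, the anonymous BHO, the msmh.exe Run value and the file:// DPF entry, which is the same set mobo picks out for "Fix checked" further down, and leaves the Acrobat BHO, Apoint, BCMSMMSG and the MSN heartbeat control alone. The about:blank Default_Page_URL is reported at medium severity because on its own it is only a setting; beside the res:// entries it is part of the same hijack.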
     
  2. mobo
  3. forddude
    Yeah, and read my signature.
     
  4. mobo
    That's only as good as the one updating it, and it doesn't give a definitive answer to all entries :rolleyes:
     
  5. smile420 (Thread Starter)
    These are the Current Active Services:

    APPLICATION LAYER GATEWAY SERVICE: ALG
    C:\WINDOWS\System32\alg.exe

    WINDOWS AUDIO: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    BACKGROUND INTELLIGENT TRANSFER SERVICE: BITS
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COMPUTER BROWSER: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    CRYPTOGRAPHIC SERVICES: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP CLIENT: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    ERROR REPORTING SERVICE: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ EVENT SYSTEM: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    HELP AND SUPPORT: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SERVER: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WORKSTATION: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK CONNECTIONS: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK LOCATION AWARENESS (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    REMOTE ACCESS CONNECTION MANAGER: RasMan
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TASK SCHEDULER: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SECONDARY LOGON: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYSTEM EVENT NOTIFICATION: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SHELL HARDWARE DETECTION: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYSTEM RESTORE SERVICE: srservice
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TELEPHONY: TapiSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TERMINAL SERVICES: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    THEMES: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DISTRIBUTED LINK TRACKING CLIENT: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    UPLOAD MANAGER: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WINDOWS TIME: w32time
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    AUTOMATIC UPDATES: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    WIRELESS ZERO CONFIGURATION: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYMANTEC EVENT MANAGER: ccEvtMgr
    "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    DNS CLIENT: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    EPRINT SERVICE: EPrint Service
    C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint\Bin\LPSVS13N.EXE

    EVENT LOG: Eventlog
    C:\WINDOWS\system32\services.exe

    PLUG AND PLAY: PlugPlay
    C:\WINDOWS\system32\services.exe

    KODAK CAMERA CONNECTION SOFTWARE: KodakCCS
    C:\WINDOWS\system32\drivers\KodakCCS.exe

    TCP/IP NETBIOS HELPER: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SSDP DISCOVERY SERVICE: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WEBCLIENT: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    MSSQLSERVER: MSSQLServer
    C:\MSSQL7\binn\sqlservr.exe

    NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc
    "C:\Program Files\Norton AntiVirus\navapsvc.exe"

    NVIDIA DRIVER HELPER SERVICE: NVSvc
    C:\WINDOWS\System32\nvsvc32.exe

    NETWORK SECURITY SERVICE: O?’ŽrtñåȲ$Ó
    C:\WINDOWS\system32\appsl.exe /s

    PML DRIVER HPZ12: Pml Driver HPZ12
    C:\WINDOWS\System32\HPZipm12.exe

    IPSEC SERVICES: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    PROTECTED STORAGE: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    SECURITY ACCOUNTS MANAGER: SamSs
    C:\WINDOWS\system32\lsass.exe

    REGSRVC: RegSrvc
    C:\WINDOWS\System32\RegSrvc.exe

    REMOTE PROCEDURE CALL (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    SPECTRUM24 EVENT MONITOR: S24EventMonitor
    C:\WINDOWS\System32\S24EvMon.exe

    SCSIACCESS: ScsiAccess
    C:\WINDOWS\System32\ScsiAccess.EXE

    PRINT SPOOLER: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    WMI PERFORMANCE ADAPTER: WmiApSrv
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
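One entry in the service listing above deserves a second look: a service whose display name reads "NETWORK SECURITY SERVICE" but whose short name is a string of unprintable characters, running C:\WINDOWS\system32\appsl.exe /s, the same appsl.exe that appears in the process list of the first log. A short name you cannot type is awkward to stop or delete from a command prompt, and a reassuring display name is the lure. The following is an added example of my own, not something from the thread or from the tool that produced the listing: it parses this two-line-per-service format and flags any service whose short name is not a plain ASCII identifier. The three sample entries are copied from the listing above.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample: three entries copied verbatim from the service listing
# posted above (display name: short name on one line, image path on the next).
SERVICES_LISTING = r"""
NVIDIA DRIVER HELPER SERVICE: NVSvc
C:\WINDOWS\System32\nvsvc32.exe

NETWORK SECURITY SERVICE: O?’ŽrtñåȲ$Ó
C:\WINDOWS\system32\appsl.exe /s

PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe
"""

# A service short name you could actually type after "sc stop" or "net stop".
TYPABLE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def parse_services(listing: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (display_name, short_name, image_path) for each blank-line-separated block."""
    for block in re.split(r"\n\s*\n", listing.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 2:
            continue
        display, _, short = lines[0].rpartition(": ")
        yield display, short, lines[1]


def suspicious_services(listing: str) -> List[Tuple[str, str, str]]:
    """Services whose short name contains characters outside a plain identifier."""
    return [(d, s, img) for d, s, img in parse_services(listing) if not TYPABLE.match(s)]


if __name__ == "__main__":
    for display, short, image in suspicious_services(SERVICES_LISTING):
        print(f"{display!r}: short name {short!r} ({len(short)} chars) runs {image}")
```

On the sample only the "NETWORK SECURITY SERVICE" entry is reported. A service like this is worth tracking across reboots: the AboutBuster report further down says "Deleted 1 Service Keys Successfully!", yet appsl.exe is still running and has gained a RunOnce entry in the log that follows.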
     
  6. mobo
    Download the tool about:Buster created by Rubber Ducky. http://www.downloads.subratam.org/AboutBuster.zip

    Unzip AboutBuster to the Desktop and have it ready to run, but don't run it yet.

    Now sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access.

    Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eooax.dll/sp.html#96676

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eooax.dll/sp.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eooax.dll/sp.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eooax.dll/sp.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eooax.dll/sp.html#96676

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eooax.dll/sp.html#96676

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eooax.dll/sp.html#96676

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {4D567ABA-C061-F0F9-6007-B9B4A96FB412} - C:\WINDOWS\appuu32.dll

    O4 - HKLM\..\Run: [msmh.exe] C:\WINDOWS\msmh.exe

    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

    O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} (CRS Inc. Data Object) - http://www.crsdata.net/CRSDataObject/CRSNInfo.cab

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rdkrdhvm.exe

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/ga...gadgets.shortcut.ShortcutGadget/LocalExec.CAB

    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.crsdata.net/maps/install/mgaxctrlv60.cab

    Next, run AboutBuster. Again, remain offline. Double-click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Once the tool is done scanning, copy the log and save it to paste back here in your thread.

    Restart your computer and post the report from AboutBuster and a new HijackThis log.
     
  7. smile420 (Thread Starter)
    Logfile of HijackThis v1.98.2
    Scan saved at 4:58:37 PM, on 9/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint\Bin\LPSVS13N.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\MSSQL7\binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT.EXE
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\msmh.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\WINDOWS\system32\appsl.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Documents and Settings\nicholas cantrell\Desktop\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F53EC50C-1736-5E28-E668-CFFB2AA3AE8D} - C:\WINDOWS\mfckh32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [ePrint Service] C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT.EXE
    O4 - HKLM\..\Run: [msmh.exe] C:\WINDOWS\msmh.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    Scanned at: 4:53:48 PM on: 9/1/2004


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 5 Random Key Entries
    Deleted 1 Service Keys Successfully!
    Removed! : C:\WINDOWS\iptj32.exe
    Removed! : C:\WINDOWS\javakn32.exe
    Removed! : C:\WINDOWS\netaw.exe
    Removed! : C:\WINDOWS\peooa.dat
    Removed! : C:\WINDOWS\sdktr32.exe
    Removed! : C:\WINDOWS\winws.exe
    Removed! : C:\WINDOWS\System32\atlhr.exe
    Removed! : C:\WINDOWS\System32\d3jq.exe
    Removed! : C:\WINDOWS\System32\fztui.dat
    Removed! : C:\WINDOWS\System32\javatl32.exe
    Removed! : C:\WINDOWS\System32\ldvel.dat
    Removed! : C:\WINDOWS\System32\mvbyv.dat
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 4 Random Key Entries
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!
     
  8. mobo
    Rescan once again and insert a check next to each of these, then close all browser windows and click "Fix checked":

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {F53EC50C-1736-5E28-E668-CFFB2AA3AE8D} - C:\WINDOWS\mfckh32.dll

    O4 - HKLM\..\Run: [msmh.exe] C:\WINDOWS\msmh.exe


    Then reboot into safe mode: http://dotcomsecurity.org/forums/index.php?showtopic=55


    Open Windows Explorer, find and delete:
    C:\WINDOWS\msmh.exe
     
  9. smile420 (Thread Starter)
    Unable to find C:\WINDOWS\msmh.exe
     
  10. mobo
  11. smile420 (Thread Starter)
    Found and deleted msmh.

    I'm using a different computer to talk to you guys.

    Changed to not show hidden files and rechecked the other (recommended) box.

    Then exited safe mode and restarted. Browser still acting up.
     
  12. mobo
    Is it able to get online? If so, post a fresh HijackThis log.
     
  13. smile420 (Thread Starter)
    Logfile of HijackThis v1.98.2
    Scan saved at 6:09:30 PM, on 9/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint\Bin\LPSVS13N.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\MSSQL7\binn\sqlservr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\appsl.exe
    C:\WINDOWS\system32\javagg32.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\nicholas cantrell\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\alsnw.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\alsnw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\alsnw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\alsnw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\alsnw.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\alsnw.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\alsnw.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {05A55FD0-07CB-11D2-9597-D96F9FF82934} - C:\WINDOWS\ntwy.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
    O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [ePrint Service] C:\PROGRA~1\LEADTE~1\LEADTO~1\bin\EPRINT.EXE
    O4 - HKLM\..\Run: [javagg32.exe] C:\WINDOWS\system32\javagg32.exe
    O4 - HKLM\..\RunOnce: [appsl.exe] C:\WINDOWS\system32\appsl.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  14. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download FindnFix at the following link and extract it
(it should auto-extract to C:\FindnFix when you double-click it)
    http://www.dotcomsecurity.org/downloads/FINDnFIX.exe

Go to the C:\FindnFix folder and double-click on !LOG!.BAT and let it run.
    It will generate a log.txt file. Copy and paste log.txt back here in your next reply.
     
  15. smile420

    smile420 Thread Starter

    Joined:
    Aug 31, 2004
    Messages:
    12
    »»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q330994-Q824145-Q832894-Q837009-Q831167-Q823353-Q867801
    The type of the file system is NTFS.
    C: is not dirty.

    Wed 09/01/2004
    6:33pm up 0 days, 0:56

    »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    C:\WINDOWS\SYSTEM32\
    alsnw.dll Thu Aug 5 2004 4:17:06a A.SH. 56,832 55.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 56,832 bytes 55.50 K

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\ALSNW.DLL
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group SMILEY\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Aug 29 2002 6:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\
    notepad.exe Thu Aug 29 2002 6:00:00a ..... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    No matches found.

    »»Dir 'junkxxx' was created with the following permissions...
    (FAT32=NA)
    Directory "C:\junkxxx"
    Permissions:
    Type Flags Inh. Mask Gen. Std. File Group or User
    ======= ======== ==== ======== ==== ==== ==== ================
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
    Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
    Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
    Allow 00000010 t--- 001F01FF ---- DSPO rw+x SMILEY\nicholas cantrell
    Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
    Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
    Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
    Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
    Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: SMILEY\nicholas cantrell

    Primary Group: SMILEY\None



    »»»»»»Backups created...»»»»»»
    6:35pm up 0 days, 0:57
    Wed 09/01/2004

    A C:\FINDnFIX\winBack.hiv
    --a-- - - - - - 8,192 09-01-2004 winback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 268 09-01-2004 winkey.reg

    »»Performing 16bit string scan....
    00001150: vk UDeviceNotSelecte
    00001190:dTimeout 1 5 ( h vk ' zGDIProce
    000011D0:ssHandleQuota" 9 0 =t vk Spooler2
    00001210: y e s _ vk 5swapdisk h
    00001250: X vk . TransmissionRetryTimeout vk
    00001290: ' b USERProcessHandleQuota3 h X
    000012D0: ( m
    00001310: m
    00001350: oRG
    00001390:h TAG _AG CG iDG
    000013D0: ( n G=
    00001410: RG X ( @
    00001450:
    00001490: RG RG RG ( @
    000014D0:h @ 8 &w &w w "
    00001510: w w w "
    00001550:

    ---------- WIN.TXT
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    Windows
    UDeviceNotSelectedTimeout
    zGDIProcessHandleQuota"
    Spooler2
    5swapdisk
    TransmissionRetryTimeout
    USERProcessHandleQuota3

    **File C:\FINDnFIX\WIN.TXT
    
     
Short URL to this thread: https://techguy.org/269011