Help with this log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dishdog40, Jun 13, 2004.

  1. dishdog40

    dishdog40 Private E-2

    --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Sun 06/13/2004
    9:26p

    System Info:

    Microsoft Windows 2000 [Version 5.00.2195]
    C: "SYSTEM" (90A8:C353) - FS:NTFS clusters:512
    Total: 40 015 470 592 [37G] - Free: 35 597 092 352 [33G]


    *IE version and Service packs:
    5.51.4807.2300 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.0.2140.1 C:\WINNT\system32\notepad.exe
    5.0.2140.1 C:\WINNT\notepad.exe
    *Media Player version :

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP2;Q832894;



    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesnt target.
    \\?\C:\WINNT\System32\WDMNN.DLL +++ File read error
    \\?\C:\WINNT\System32\WDMNN.DLL +++ File read error


    Scanning for main Hijacker:


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0982868C-47F0-4EFB-A664-C7B0B1015808}]
    "Ignore"="online-meds.ws,prescriptions-r-us.biz,next-aisle.com,nextaisle.com,1ink.com,quickinks.com,101inks.com,spydeleter.com,paypal.com,amazon.com,spywarehelp.net,ebay.com,odysseusmarketing.com,messagebroadcaster.net,refer-a-website.com,mega-shopping.biz,searchassistant.net,essential-free-downloads.com,downloads-for-free.com,sweepstakes-hq.com,kazanon.com,world-portal.com"
    "Update"="38155"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0982868C-47F0-4EFB-A664-C7B0B1015808}\Ads]
    "[468x60]"="16"
    "[120x240]"="7"
    "[728x90]"="7"
    "[125x125]"="9"
    "[300x250]"="2"
    "[120x600]"="8"
    "[120x90]"="8"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{447160CD-ECF5-4EA2-8A8A-1F70CA363F85}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A5E7E66-06F1-4465-9BA3-94E08868959C}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{A71355E3-25E6-4946-BA30-DD4DC79D3552}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{A71355E3-25E6-4946-BA30-DD4DC79D3552}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
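Added example for this thread (not part of the Find-All, Dllfix or HijackThis tools, and not posted by anyone in the thread): a small Python triage script that parses the REGEDIT4 sections and the "File read error" lines out of a log like the one above and lists the load points a CoolWebSearch-style hijacker abuses: AppInit_DLLs, Browser Helper Objects and the HKCR\PROTOCOLS\Filter MIME filters. The excerpt it runs on is constructed from the log above, not the full paste. The allowlist of stock filter CLSIDs is an assumption taken from the three named Microsoft entries in this log and should be extended from a clean machine of the same Windows/IE version; every BHO is reported because the script has no vetted BHO list.

```python
"""Triage helper for a Find-All / Dllfix style log.
Added example for this thread; not part of Find-All, Dllfix or HijackThis.
It pulls the REGEDIT4 sections and the 'File read error' lines out of the
pasted text and reports the load points a CWS-style hijacker abuses."""
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
LOCKED_RE = re.compile(r'^\\\\\?\\(.+?)\s+\+\+\+\s+File read error$')

WINDOWS_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
BHO_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
           r'\Explorer\Browser Helper Objects')
FILTER_KEY = r'HKEY_CLASSES_ROOT\PROTOCOLS\Filter'

# Assumption: the three named Microsoft filters in the log above are stock.
# Extend this list from a clean machine of the same Windows/IE version.
STOCK_FILTER_CLSIDS = {
    '{32B533BB-EDAE-11D0-BD5A-00AA00B92AF1}',  # Class Install Handler
    '{8F6B0360-B80D-11D0-A9B3-006097942311}',  # deflate / gzip / lzdhtml
    '{733AC4CB-F1A4-11D0-B951-00A0C90312E1}',  # WebView MIME filter
}
KNOWN_BHO_CLSIDS = set()  # nothing vetted yet, so every BHO is reported
HIGH_RISK_MIME = {'text/html', 'text/plain'}  # a filter here sees every page IE renders

# Constructed excerpt modelled on the log above (not the full paste).
SAMPLE_LOG = r"""
Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\WDMNN.DLL +++ File read error
\\?\C:\WINNT\System32\WDMNN.DLL +++ File read error

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"Spooler"="yes"
"GDIProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0982868C-47F0-4EFB-A664-C7B0B1015808}]
"Update"="38155"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0982868C-47F0-4EFB-A664-C7B0B1015808}\Ads]
"[468x60]"="16"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{A71355E3-25E6-4946-BA30-DD4DC79D3552}"
"""


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_regedit4(text):
    """Return {key: {value_name: data}}. The default value is stored under '@';
    dword:/hex: data is kept as the raw string."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('REGEDIT4'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unquote(m.group(1))] = _unquote(m.group(2))
    return keys


def locked_files(text):
    """Paths the tool could not read (typically a DLL mapped into every process)."""
    found = []
    for raw in text.splitlines():
        m = LOCKED_RE.match(raw.strip())
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def triage_log(text):
    reg = parse_regedit4(text)
    report = {'locked': locked_files(text), 'appinit_dlls': None,
              'bhos': [], 'filters': [], 'findings': []}
    for path in report['locked']:
        report['findings'].append(f'locked file: {path} (check name and size against a clean install)')
    for key, values in reg.items():
        k = key.lower()
        vals = {n.lower(): v for n, v in values.items()}
        if k == WINDOWS_KEY.lower():
            # every DLL named here is loaded into each process that loads user32.dll
            val = vals.get('appinit_dlls', '')
            report['appinit_dlls'] = val
            if val.strip():
                report['findings'].append(f'AppInit_DLLs is set: {val!r}')
        elif k.startswith(BHO_KEY.lower() + '\\'):
            clsid = key[len(BHO_KEY) + 1:].split('\\', 1)[0].upper()
            if clsid not in report['bhos']:
                report['bhos'].append(clsid)
                if clsid not in KNOWN_BHO_CLSIDS:
                    report['findings'].append(
                        f'BHO {clsid} not vetted; resolve HKCR\\CLSID\\{clsid}\\InprocServer32')
        elif k.startswith(FILTER_KEY.lower() + '\\'):
            mime = key[len(FILTER_KEY) + 1:]
            clsid = vals.get('clsid', '').upper()
            report['filters'].append((mime, clsid, vals.get('@', '')))
            if clsid not in STOCK_FILTER_CLSIDS:
                sev = 'HIGH' if mime.lower() in HIGH_RISK_MIME else 'review'
                report['findings'].append(f'[{sev}] MIME filter {mime} -> {clsid}')
    return report


if __name__ == '__main__':
    for line in triage_log(SAMPLE_LOG)['findings']:
        print(line)
```

The same `[key]` / `"name"="data"` layout is what `reg export` writes today (with a "Windows Registry Editor Version 5.00" header, which the parser simply skips), so the script also works on a fresh export of those three keys from a live machine. Resolving each reported CLSID to its InprocServer32 path, and comparing the DLL it names with the locked file list, is the manual step the script leaves to you.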
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. dishdog40

    dishdog40 Private E-2

    Sorry, I have about:blank stuck on my home page. I have read the procedure and did everything it said to do. Any help would be great!! Thanks
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you already have dllfix.exe downloaded and have already run it, I did see C:\WINNT\System32\WDMNN.DLL +++ File read error. So do the following:

    1) run start.bat again and select 2. Run Fix
    2) select 2. Run Fix without Dll Name It will be searched for Later

    It will start the fix and search for it on its own. It will complete the reset automatically.
    On Windows XP it will reboot in 15 seconds. On Windows 2000 it will ask you to reboot.
    Please do so immediately when asked. It will rerun on bootup. After it's completed on bootup it will show a log of what it found.
    Save this log where you can get at it and post it later.

    At this point run full scans with Ad-aware and SpyBot S&D and allow them to remove what they find. Now reboot again and run CWShredder and allow it to fix anything it finds. If you do not have these programs on your PC yet, get them from here: http://www.majorgeeks.com/downloads31.html before beginning this process and have them installed, UPDATED (very important), and ready to go.
    Oh yeah, also download HijackThis, and run it after CWShredder and post HijackThis's log.
     
