Hijack This log - I'm infected with "Home Search Assistent"
-
Re: Hijack This log - I'm infected with "Home Search Assistent"
Restart Hijack This and put a checkmark next to the following entries, it's not gone yet. Looks like we might need another FindNFix log. Instructions are in this thread:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
Click Fix Checked
Post a FindNFix log.
-
Thanks for your help, Owen.
Here are some items that may or may not be relevant:
When I fix the two "about:blank" entries, they are removed from the Hijack This log, but if I run IE again, they come right back. (And the home page is hijacked).
While running FindNFix just now, Norton popped up and said it detected and removed virus "Trojan.StartPage".
I notice in the FindNFix log that it does a "Notepad check". When this ordeal began, I discovered that Notepad had disappeared, and I recovered it from my desktop PC and copied it to the infected laptop.
Now, on with the FindNFix log.......
*** freeatlast100.100free.com ***
Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q822925-Q330994-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.
Sat 07/10/2004
11:28pm up 0 days, 0:02
***LOG!***
Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...
C:\WINDOWS\System32\WINHL.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINHL.DLL +++ File read error
(*2*) ........
**File C:\FINDnFIX\LIST.TXT
WINHL.DLL Can't Open!
(*3*) ........
C:\WINDOWS\SYSTEM32\
winhl.dll Tue Jun 29 2004 1:02:00p A...R 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
unknown/hidden files...
C:\WINDOWS\SYSTEM32\
apidd32.dll Fri May 21 2004 2:12:36a A.SH. 0 0.00 K
sdkqf32.dll Thu May 6 2004 10:23:20a A.SH. 0 0.00 K
ybhff.dll Mon Jun 7 2004 5:34:26a A.SH. 0 0.00 K
3 items found: 3 files, 0 directories.
Total of file sizes: 0 bytes 0.00 K
(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\APIDD32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SDKQF32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WINHL.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\YBHFF.DLL
(*5*)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Access denied ..................... WINHL.DLL .....57344 29.06.2004
*********
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Member of...: (Admin logon required!)
User is a member of group JARED\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
Service search
different variant) '"Network Security Service","__NS_Service_3"...
[SC] GetServiceKeyName FAILED 1060:
The specified service does not exist as an installed service.
[SC] GetServiceDisplayName FAILED 1060:
The specified service does not exist as an installed service.
Notepad check....
C:\WINDOWS\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
C:\WINDOWS\SYSTEM32\
notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-29-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.
VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000
Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JARED\Jared Fox
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: JARED\Jared Fox
Primary Group: JARED\None
Backups created...
11:30pm up 0 days, 0:04
Sat 07/10/2004
A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-10-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-10-2004 winkey.reg
Performing string scan....
00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 @ vk ' z
00001210:GDIProcessHandleQuota" 9 0 | vk X
00001250:Spooler2 y e s n vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' i USERProcessHandleQuotai 8
00001310:h vk < H ~ AppInit_DLLs q~ C :
00001350:\ W I N D O W S \ S y s t e m 3 2 \ w i n h l . d l l x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
---------- WIN.TXT
AppInit_DLLsq~
--------------
yes
C:\WINDOWS\System32\winhl.dll
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
**File C:\FINDnFIX\WIN.TXT
vk UDeviceNotSelectedTimeout1 5 @ vk ' zGDIProcessHandleQuota"9 0 | vk X Spooler2y e s n vk =pswapdisk 8 h * vk ( RTransmissionRetryTimeoutvk ' i USERProcessHandleQuotai 8 h * vk < H ~ AppInit_DLLsq~ C : \ W I N D O W S \ S y s t e m 3 2 \ w i n h l . d l l x
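The two artefact types this thread turns on are the HijackThis R1/R3 lines the helper asked to have fixed, and the FindNFix output where the registry API shows AppInit_DLLs as empty (with the "missing trailing null" warning) while the raw hive string scan still shows C:\WINDOWS\System32\winhl.dll, alongside zero-byte hidden DLLs in System32. The script below is an added example written for this thread, not part of FindNFix or HijackThis; it triages constructed samples copied from the logs above. The key-size table is taken from FindNFix's own legend in the log (450 default, 398 no AppInit, 448/504/512 infected); the benign "Start Page" HijackThis line is a constructed control, and the function and sample names are my own.

```python
"""Triage helper for HijackThis R1/R3 lines and FindNFix output (added example)."""
import re

# Constructed sample: the four lines the helper flagged, plus one benign control line.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""

# Constructed sample: fragments of the infected FindNFix log from this thread.
FNF_INFECTED = r"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
winhl.dll Tue Jun 29 2004 1:02:00p A...R 57,344 56.00 K
apidd32.dll Fri May 21 2004 2:12:36a A.SH. 0 0.00 K
sdkqf32.dll Thu May 6 2004 10:23:20a A.SH. 0 0.00 K
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K
---------- WIN.TXT
AppInit_DLLsq~
--------------
yes
C:\WINDOWS\System32\winhl.dll
"""

# Constructed sample: the post-fix state (log1.txt) in the same format.
FNF_CLEAN = r"""
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
AppInit_DLLs =
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K
"""

# Key sizes as listed in FindNFix's own legend line.
KEY_SIZES = {450: "default (clean)", 398: "no AppInit_DLLs value",
             448: "known infected size", 504: "known infected size", 512: "known infected size"}

# "name  Day Mon DD YYYY time  ATTRS  size ..." as printed by FindNFix's file listing.
FILE_LINE = re.compile(r"^(?P<name>\S+?)\s+\w{3}\s+\w{3}\s+\d+\s+\d{4}\s+\S+\s+"
                       r"(?P<attr>[A-Z.]{5})\s+(?P<size>[\d,]+)\s")
SIZE_LINE = re.compile(r"^Size of HKEY_LOCAL_MACHINE\\.*?\\Windows:\s*(\d+)", re.I | re.M)
PATH_LINE = re.compile(r"^([A-Za-z]:\\\S+\.dll)\s*$", re.I | re.M)  # paths from the hive string scan


def triage_hijackthis(text):
    """Return (line, reason) for the entry types the helper told the poster to fix."""
    findings = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("R1 - ") and ",HomeOldSP = about:blank" in line:
            findings.append((line, "HomeOldSP forced to about:blank (home page hijack marker)"))
        elif line.startswith("R1 - ") and ",ProxyOverride = " in line:
            findings.append((line, "ProxyOverride set; confirm it is expected"))
        elif line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            findings.append((line, "default URLSearchHook removed"))
    return findings


def triage_findnfix(text):
    """Cross-check the API view of AppInit_DLLs against the raw hive scan and file listing."""
    report = {"key_size": None, "key_size_verdict": "unknown", "trailing_null_missing": False,
              "appinit_paths": [], "hidden_empty_dlls": [], "readonly_dlls": [], "verdicts": []}
    m = SIZE_LINE.search(text)
    if m:
        report["key_size"] = int(m.group(1))
        report["key_size_verdict"] = KEY_SIZES.get(report["key_size"], "unexpected size; inspect")
    report["trailing_null_missing"] = "MISSING TRAILING NULL CHARACTER" in text
    report["appinit_paths"] = PATH_LINE.findall(text)
    for line in text.splitlines():
        fm = FILE_LINE.match(line.strip())
        if not fm:
            continue
        name, attr = fm.group("name"), fm.group("attr")
        size = int(fm.group("size").replace(",", ""))
        if "H" in attr and "S" in attr and size == 0:   # hidden+system, zero bytes
            report["hidden_empty_dlls"].append(name)
        if attr.endswith("R"):                           # read-only, as winhl.dll was
            report["readonly_dlls"].append(name)
    # The decisive signal: the API shows nothing, the raw hive bytes show a DLL path.
    if report["trailing_null_missing"] and report["appinit_paths"]:
        report["verdicts"].append("AppInit_DLLs hidden from API view but present in hive: "
                                  + ", ".join(report["appinit_paths"]))
    if report["key_size_verdict"].startswith("known infected"):
        report["verdicts"].append("Windows key size matches a known infected size")
    if report["hidden_empty_dlls"]:
        report["verdicts"].append("zero-byte hidden DLLs: " + ", ".join(report["hidden_empty_dlls"]))
    return report


if __name__ == "__main__":
    for line, why in triage_hijackthis(HJT_SAMPLE):
        print("FIX:", line, "->", why)
    for label, sample in (("infected", FNF_INFECTED), ("clean", FNF_CLEAN)):
        print(label, triage_findnfix(sample)["verdicts"])
```

The point of the cross-check is the one FindNFix itself makes: a value written without its terminating null reads back as empty through the normal registry API, so the DLL path only shows up in a byte-level scan of the hive. A clean run should produce no verdicts at all.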
-
*Get ready to restart:
- DoubleClick on the "FIX.bat" file in the 'FINDnFIX' folder.
-Wait for the popup -Alert to restart your computer in 15 seconds.
On restart, navigate to System32 folder:
-Locate and select the "WINHL.DLL" file (as it will be visible), and use the folder's top menu > Edit > Move to Folder...
Select C:\junkxxx as the destination and move the "WINHL.DLL" there.
--------------------------------------------------------------
Run the "RESTORE.bat" file, wait for it, and post the 'log1.txt' file!
-
Here's the log you requested....
*** freeatlast100.100free.com ***
Sun 07/11/2004
11:13pm up 0 days, 0:06
Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q822925-Q330994-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.
***LOG1!***
Scanning for file(s) in System32...
(1)
(2)
**File C:\FINDnFIX\LIST.TXT
(3)
No matches found.
C:\WINDOWS\SYSTEM32\
apidd32.dll Fri May 21 2004 2:12:36a A.SH. 0 0.00 K
sdkqf32.dll Thu May 6 2004 10:23:20a A.SH. 0 0.00 K
ybhff.dll Mon Jun 7 2004 5:34:26a A.SH. 0 0.00 K
3 items found: 3 files, 0 directories.
Total of file sizes: 0 bytes 0.00 K
(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\APIDD32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SDKQF32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\YBHFF.DLL
(5)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
* Scanning for moved file... *
* result\\?\C:\JUNKXXX\WINHL.222
C:\JUNKXXX\
winhl.222 Tue Jun 29 2004 1:02:00p A.... 57,344 56.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\JUNKXXX\WINHL.222
**File C:\JUNKXXX\WINHL.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2......
A----- WINHL .222 0000E000 13:02.00 29/06/2004
rem replace this entire line with your given command...
--a-- W32i - - - - 57,344 06-29-2004 winhl.222
A C:\junkxxx\winhl.222
File: <C:\junkxxx\winhl.222>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
Permissions:
C:\junkxxx\winhl.222 BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
JARED\Jared Fox:F
BUILTIN\Users:R
Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JARED\Jared Fox
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Owner: JARED\Jared Fox
Primary Group: JARED\None
Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone
Owner: BUILTIN\Administrators
Primary Group: BUILTIN\Administrators
File "C:\junkxxx\winhl.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JARED\Jared Fox
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Owner: JARED\Jared Fox
Primary Group: JARED\None
Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =
Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Notepad check....
C:\WINDOWS\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
C:\WINDOWS\SYSTEM32\
notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K
1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-29-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.
VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000
00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 @ vk ' z
00001210:GDIProcessHandleQuota" 9 0 | vk X
00001250:Spooler2 y e s n vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' i USERProcessHandleQuotai 8
00001310:h vk S AppInit_DLLsecte
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
---------- WIN.TXT
AppInit_DLLsq~
---------- NEWWIN.TXT
AppInit_DLLsecte
--------------
yes
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 53 00 . 5F 44 4C 4C 73 65 63 74 ......S. _DLLsect
**File C:\FINDnFIX\NEWWIN.TXT
vk UDeviceNotSelectedTimeout1 5 @ vk ' zGDIProcessHandleQuota"9 0 | vk X Spooler2y e s n vk =pswapdisk 8 h * vk ( RTransmissionRetryTimeoutvk ' i USERProcessHandleQuotai 8 h * vk S AppInit_DLLsecte
-
To anyone who came here via http://freeatlast100.100free.com/FINDnFIX%20changes.htm: the techs here are doing their best to help others and do an excellent job, which is more than I can say for some people, like the idiot that posted that message on his site.
-
I'm not sure that last message was intended for me.
1. I had nothing to do with the idiot who complained about the speed of his free support.
2. I am not having a problem with a slow laptop. I am having a problem with my browser being hijacked.
Thanks,
Rick.
-
It wasn't intended for you.