
Thread: FINDnFIX

  1. #1
    Titanium Member (Join Date: Jul 2002; Location: blk helo target, WA; Posts: 3,536)

    FINDnFIX

    Having issues? - Download FINDnFIX.exe from here (choose *save* not "open with"): » http://freeatlast.worldbreak.com/

    Find the FINDnFIX icon on your desktop, doubleclick it and choose *extract*. This will place a new folder on your system at C:\FindnFIX, which will open for you. Doubleclick on !LOG!.bat. IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

    Relax, sit back and wait a few minutes while the program collects the necessary information.

    *NOTE: If your AntiVirus is running a scriptblocker, when you run this tool you will probably receive an alert warning you that the script is running. "Allow" the script to run.

    When the program is finished it will open Notepad and produce a log.txt file.
    »»»»»»»»»»»»»»»»»»*** freeatlast.100free.com ***»»»»»»»»»»»»»»»»
    »»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
    Due to errors on various message boards I made some changes.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    If you make a mistake or use the wrong guidance, it is completely
    your responsibility and that of the helper who assists you.
    If you are not sure about the nature of the file or how
    to proceed, I suggest you research it first before attempting
    to remove any *unknown file on your own.
    *For Helpers and/or users that are not familiar with any of the
    items on the scan results- I recommend using an alternative, once
    you know what to look for!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    --The directory 'junkxxx' is now included as a subfolder in the FINDnFIX folder
    and is the destination for the file to be moved.
    -*Previous directions will no longer work...
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-xxxxxxxxxx-edited
    The type of the file system is NTFS.
    C: is not dirty.

    Fri 07/09/2004
    11:22am up 0 days, 0:16

    »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    C:\WINDOWS\SYSTEM32\
    nrad.dll Sat May 15 2004 8:37:30a A.S.. 139,264 136.00 K
    oem.dll Thu Mar 25 2004 6:05:30p A.S.. 53,248 52.00 K
    rad.dll Sat May 15 2004 9:09:16a A.S.. 335,872 328.00 K
    radclkr.dll Sat May 15 2004 9:13:40a A.S.. 348,160 340.00 K
    radenu.dll Sat May 15 2004 8:18:48a A.S.. 61,440 60.00 K
    radesp.dll Sat May 15 2004 8:32:20a A.S.. 61,440 60.00 K
    radexe.dll Sat May 15 2004 9:08:58a A.S.. 151,552 148.00 K
    radfra.dll Sat May 15 2004 8:33:04a A.S.. 65,536 64.00 K
    radhun.dll Sat May 15 2004 8:33:44a A.S.. 61,440 60.00 K
    radita.dll Sat May 15 2004 8:34:24a A.S.. 61,440 60.00 K
    radnlb.dll Sat May 15 2004 8:35:02a A.S.. 61,440 60.00 K
    radplk.dll Sat May 15 2004 8:35:50a A.S.. 65,536 64.00 K
    radtype.dll Sat May 1 2004 10:05:48a A.S.. 147,525 144.07 K

    13 items found: 13 files, 0 directories.
    Total of file sizes: 1,613,893 bytes 1.54 M

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\NRAD.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\OEM.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RAD.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADCLKR.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADENU.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADESP.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADEXE.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADFRA.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADHUN.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADITA.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADNLB.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADPLK.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\RADTYPE.DLL

    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    No matches found.

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 478

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ apihookdll.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = apihookdll.dll
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (»www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM

    »»Member of...: (Admin logon required!)
    User is a member of group someone\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.

    »» Service search (different variant) '"Network Security Service","__NS_Service_3"'...

    [SC] GetServiceKeyName FAILED 1060:

    The specified service does not exist as an installed service.

    [SC] GetServiceDisplayName FAILED 1060:

    The specified service does not exist as an installed service.


    »»Notepad check....

    C:\WINDOWS\
    notepad.exe Thu Aug 23 2001 5:00:00a A.... 66,048 64.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 66,048 bytes 64.50 K

    C:\WINDOWS\SYSTEM32\
    notepad.exe Thu Aug 23 2001 2:00:00a A.... 200,192 195.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 200,192 bytes 195.50 K

    No matches found.


    »»»»»»Backups created...»»»»»»
    11:25am up 0 days, 0:19
    Fri 07/09/2004

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-09-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 301 07-09-2004 winkey.reg

    C:\FINDNFIX\
    JUNKXXX Fri Jul 9 2004 11:22:34a .D...

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: ?
    00001190: Q e vk f AppInit_
    000011D0LLs G a p i h o o k d l l . d l l Ali vk
    00001210: 8 UDeviceNotSelectedTimeout 1 5 ( W 9 0
    00001250: ! vk ' zGDIProcessHandleQuota" vk
    00001290: Spooler2 y e s X
    000012D0: vk =pswapdisk vk H R Transmis
    00001310:sionRetryTimeout X @ vk '
    00001350: , USERProcessHandleQuotaSq u 3 M M H E E
    00001390:hpN P U E SVW t h0 5 E t j
    000013D0:M j QW s Ph u"3 M PPQW s Ph u E u { .
    00001410: uO 5 e E P E j P uD zu9 u j@ E P E W
    00001450:P u W u W u u u j ^ u u _^[ V
    00001490: T D$ @ F ^ V D$ t V G Y ^ @
    000014D0: > QVW j } e w j h V P M X
    00001510:_^d V D$ t V Y ^ QVW } X
    00001550:e w F h P L M 0 M _^d V
    00001590: D$ t V ^ ` ` QSV W u 3 9} }
    000015D0:t u Y Y Fx ~x h 8 p p

    ---------- WIN.TXT
    fłAppInit_DLLsÖ�ęGŲ’’’a
    --------------
    --------------
    apihookdll.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="apihookdll.dll"
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 30 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "apihookdll.dll"
    0000 61 00 70 00 69 00 68 00 6f 00 6f 00 6b 00 64 00 | a.p.i.h.o.o.k.d.
    0010 6c 00 6c 00 2e 00 64 00 6c 00 6c 00 00 00 | l.l...d.l.l...
    Last edited by lynchknot; July 9th, 2004 at 18:40 PM.
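Added example, not code from FINDnFIX or from the poster: a Python script that parses the parts of the log above that actually carry the signal (the "Size of ... Windows" line, the REGEDIT4 export of the Windows key, the raw hex dump of the AppInit_DLLs value, and the attribute column of the file listing) and reproduces the checks the tool prints. The embedded sample input is constructed from lines of the log in this post; the key-size thresholds (450 default, 398 no AppInit value, 448/504/512 infected) are the ones the log header prints and nothing more; the comment that AppInit_DLLs entries are loaded into every process that loads user32.dll is standard Windows XP behaviour and is not stated on the page.

```python
# Added example (not FINDnFIX code): reproduce the log's AppInit_DLLs checks
# offline, on lines copied from the log above as constructed sample input.
import re

# Constructed sample: excerpts of the FINDnFIX log posted in this thread.
SAMPLE_LOG = r"""
unknown/hidden files...

C:\WINDOWS\SYSTEM32\
nrad.dll Sat May 15 2004 8:37:30a A.S.. 139,264 136.00 K
oem.dll Thu Mar 25 2004 6:05:30p A.S.. 53,248 52.00 K
radtype.dll Sat May 1 2004 10:05:48a A.S.. 147,525 144.07 K

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 478

C:\WINDOWS\
notepad.exe Thu Aug 23 2001 5:00:00a A.... 66,048 64.50 K

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="apihookdll.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

[AppInitDLLs]
Ansi string : "apihookdll.dll"
0000 61 00 70 00 69 00 68 00 6f 00 6f 00 6b 00 64 00 | a.p.i.h.o.o.k.d.
0010 6c 00 6c 00 2e 00 64 00 6c 00 6c 00 00 00 | l.l...d.l.l...
"""

# Thresholds exactly as the log header states them (assumed correct for XP SP1).
KEY_SIZE_DEFAULT = 450                # *Default-450
KEY_SIZE_NO_APPINIT = 398             # *No AppInit-398
KEY_SIZE_KNOWN_BAD = {448, 504, 512}  # *fake(infected)-448,504,512...

FILE_LINE = re.compile(
    r"^(\S+)\s+\w{3} \w{3} +\d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap] ([A-Z.]{5}) ([\d,]+) ",
    re.M)


def parse_key_size(log):
    """Byte size the tool reports for the Windows key, or None if absent."""
    m = re.search(r"^Size of HKEY_LOCAL_MACHINE\\.*\\Windows: (\d+)", log, re.M)
    return int(m.group(1)) if m else None


def classify_key_size(size):
    """Map the reported size onto the header's heuristic; unknown sizes are
    not declared clean, they are flagged for inspection."""
    if size == KEY_SIZE_DEFAULT:
        return "default"
    if size == KEY_SIZE_NO_APPINIT:
        return "no AppInit_DLLs value"
    if size in KEY_SIZE_KNOWN_BAD:
        return "known infected size"
    return "non-default (inspect AppInit_DLLs)"


def parse_regedit4(log):
    """Return {name: data} for the first [HKEY_...] block of a REGEDIT4 export.
    String values stay str, dword values become int; a blank line ends the block."""
    values, in_block = {}, False
    for line in log.splitlines():
        line = line.strip()
        if not in_block:
            in_block = line.startswith("[HKEY_") and line.endswith("]")
            continue
        if not line:
            break
        m = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if m:
            name, s, d = m.groups()
            values[name] = s if d is None else int(d, 16)
    return values


def decode_hexdump(log):
    """Rebuild the raw REG_SZ bytes from the 'offset hh hh ... | ascii' lines."""
    raw = bytearray()
    for m in re.finditer(r"^[0-9a-fA-F]{4} ((?:[0-9a-fA-F]{2} )+)\|", log, re.M):
        raw += bytes.fromhex(m.group(1))
    return bytes(raw)


def system_attr_files(log):
    """(name, attrs, size) for listed files carrying the System attribute:
    notepad.exe shows A...., every DLL the tool flagged shows A.S.."""
    return [(name, attrs, int(size.replace(",", "")))
            for name, attrs, size in FILE_LINE.findall(log) if "S" in attrs]


def appinit_findings(log):
    """Run the checks FINDnFIX prints and return them as strings (a default
    key size with an empty AppInit_DLLs value yields no findings)."""
    findings = []
    size = parse_key_size(log)
    if size is not None and size != KEY_SIZE_DEFAULT:
        findings.append(f"Windows key size {size}: {classify_key_size(size)}")
    appinit = parse_regedit4(log).get("AppInit_DLLs", "")
    for dll in (d for d in re.split(r"[ ,;]+", appinit) if d):
        # On XP every process that loads user32.dll also loads these DLLs.
        findings.append(f"AppInit_DLLs = {dll}: loaded into every process that loads user32.dll")
    raw = decode_hexdump(log)
    if raw:
        decoded = raw.decode("utf-16-le").rstrip("\x00")
        expected = len(appinit.encode("utf-16-le")) + 2  # +2: UTF-16 terminator
        findings.append(f"raw value {len(raw)} bytes (expected {expected}), decodes to {decoded!r}")
        if decoded != appinit:
            findings.append("raw bytes disagree with the REGEDIT4 export: hidden or trailing data")
    return findings


if __name__ == "__main__":
    for line in appinit_findings(SAMPLE_LOG):
        print(line)
    for name, attrs, size in system_attr_files(SAMPLE_LOG):
        print(f"system-attribute file: {name} {attrs} {size} bytes")
```

The byte count is the one check worth carrying over to any similar log: 14 characters of "apihookdll.dll" in UTF-16 is 28 bytes plus a 2-byte terminator, which is the 30 the tool reports, so the export and the raw value agree and nothing is hiding after the terminator. The 478-byte key size matches none of the header's listed sizes in either direction, which is why the script flags it for inspection rather than calling it clean or infected.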

  2. #2
    rik, Old and Cranky Super Moderator (Join Date: Aug 2003; Location: Watching Your every move...; Posts: 4,688)
    Sorry for sounding dumb but...what does it do?

  3. #3
    Titanium Member (Join Date: Jul 2002; Location: blk helo target, WA; Posts: 3,536)
    It will tell you if you have the about:blank CWS trojan.

  4. #4
    rik, Old and Cranky Super Moderator (Join Date: Aug 2003; Location: Watching Your every move...; Posts: 4,688)
    ahh I see. Cool.
