Hej
Du er godt nok udholdende, tak for det. Programmet savnede notepad, så jeg brugte et andet program istedet, det gør vel ikke noget?
»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»
Microsoft Windows XP [version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353
Filsystemtypen er NTFS.
C: er ikke ‘ndret.
Wed 21 Jul 04 22:53:42
10:53pm up 0 days, 2:02
»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!
The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/21)»»»»»»»»»»»»»»»»
»»»*»»»*Use at your own risk!»»»*»»»*
Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...
C:\WINDOWS\System32\SQLMI.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLMI.DLL +++ File read error
»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
SQLMI.DLL Can't Open!
»»»»» (*3*) »»»»»........
No matches found.
unknown/hidden files...
No matches found.
»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... SQLMI.DLL .....57344 02.07.2004
»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\SQLMI.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...
C:\WINDOWS\SYSTEM32\
sqlmi.dll Fri 2 Jul 2004 0.06.28 ..... 57.344 56,00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K
No matches found.
No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Sniffed -> C:\WINDOWS\SYSTEM32\SQLMI.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 508
»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\sqlmi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = C:\WINDOWS\System32\sqlmi.dll
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
»»Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (
http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Brugere
(ID-IO) ALLOW Read BUILTIN\Brugere
(ID-NI) ALLOW Full access BUILTIN\Administratorer
(ID-IO) ALLOW Full access BUILTIN\Administratorer
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Brugere
Full access BUILTIN\Administratorer
Full access NT AUTHORITY\SYSTEM
»»Member of...: (Admin logon required!)
User is a member of group D1X54Q0J\Ingen.
User is a member of group \Alle.
User is a member of group BUILTIN\Administratorer.
User is a member of group BUILTIN\Brugere.
User is a member of group \LOKAL.
User is a member of group NT AUTHORITY\INTERAKTIV.
User is a member of group NT AUTHORITY\Godkendte brugere.
»»»»»»Backups created...»»»»»»
10:54pm up 0 days, 2:03
Wed 21 Jul 04 22:54:49
A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-21-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 319 07-21-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_
C:\FINDNFIX\
JUNKXXX Wed 21 Jul 2004 22.53.40 .D... <Dir>
1 item found: 0 files, 1 directory.
»»Performing string scan....
00001150: vk < f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ s q l m i . d l l
000011D0: h vk UDeviceNotSelectedTimeout 1 5
00001210: 9 0 | . vk ' zGDIProcessHandle
00001250:Quota" vk x Spooler2 y e s n h
00001290: ( X vk swapdisk vk
000012D0: TransmissionRetryTimeout h ( X
00001310: vk ' USERProcessHandleQuota A
00001350:
00001390: v @
000013D0: C:\WINDOWS\System32\MSVCP60.dll
00001410:
00001450:
00001490:
000014D0: w 0 @ C:\WINDOWS\system32\MSVCRT.dll
00001510:
00001550:
00001590:
000015D0: w
---------- WIN.TXT
fùAppInit_DLLsÖæGÀÿÿÿC
--------------
--------------
$01180: AppInit_DLLs
$011EF: UDeviceNotSelectedTimeout
$0123F: zGDIProcessHandleQuota
$012D8: TransmissionRetryTimeout
$01328: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\sqlmi.dll
--------------
--------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\sqlmi.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.
[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\sqlmi.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 73 00 71 00 6c 00 6d 00 | m.3.2.\.s.q.l.m.
0030 69 00 2e 00 64 00 6c 00 6c 00 00 00 | i...d.l.l...
mvh Anders