about:blank


9 replies to this topic

#1 maiki

maiki

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 June 2004 - 07:28 AM

:techsupport: need help pls. startpage always turns into about:blank; tried adaware, spybot and firefly's link in cole's topic without helping it.

my problem links to:
normal window: (search for..- Microsoft Internet Explorer), address: about:blank
pop up window: adware,spyware

tyvm for helping
many greetings from austria
michael

Logfile of HijackThis v1.97.7
Scan saved at 14:19:12, on 25.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~2\B'SCLI~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\devldr32.exe
C:\Programme\Microsoft Office\Office10\msoffice.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\maiki\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\maiki\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.utanet.at
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\maiki\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\maiki\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\maiki\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.utanet.at
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\maiki\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Programme\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE606CB8-0D4E-4C27-BE9F-B9AE1E57234A} - C:\WINDOWS\System32\mdpncb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programme\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~2\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Programme\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.utanet.at
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/do...atch/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7913.5264699074
O16 - DPF: {B2C5C996-F1B2-4373-9823-74D9072615E6} (Privat-X Client) - http://download.priv...m/px_client.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D2B6B2B-CB40-47E2-ADDA-E54FC76C6696}: NameServer = 195.96.0.4 195.70.224.45
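
Added example, not part of the original thread or of HijackThis: a small Python triage of the R (Internet Explorer page values) and O2 (Browser Helper Object) lines in a log like the one above. The rule names and heuristics are assumptions for illustration, and a flagged entry is a lead to investigate rather than a confirmed cause.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\maiki\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.utanet.at
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Programme\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE606CB8-0D4E-4C27-BE9F-B9AE1E57234A} - C:\WINDOWS\System32\mdpncb.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
"""

# R0-R3 lines: Internet Explorer start/search page registry values.
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^=]+?) = (?P<value>.*)$")
# O2 lines: Browser Helper Objects (name, CLSID, DLL path, optional marker).
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def triage(log_text):
    """Return (rule, identifier, detail) tuples for lines worth a closer look.

    The rules are illustrative assumptions, not HijackThis verdicts.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            value = m["value"].strip()
            # A search/start page served from a local file is unusual.
            if value.lower().startswith("file://"):
                findings.append(("ie-page-local-file", m["key"].strip(), value))
            continue
        m = BHO_LINE.match(line)
        if m:
            path = m["path"]
            folder = path.rsplit("\\", 1)[0].lower()
            if m["missing"]:
                # Registration left behind with no DLL on disk.
                findings.append(("bho-file-missing", m["clsid"], path))
            elif m["name"] == "(no name)" and folder.endswith("\\system32"):
                # Unnamed helper DLL sitting directly in System32.
                findings.append(("bho-nameless-system32", m["clsid"], path))
    return findings


if __name__ == "__main__":
    for rule, ident, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {ident}  ->  {detail}")
```
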

#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 07:54 AM

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, post the results....

#3 Boaz-K

Boaz-K

    Member

  • New Member
  • Pip
  • 1 posts

Posted 25 June 2004 - 08:02 AM

mdpncb.dll - that's the problem.

open it in notepad and search for count.cc to check -> if result found
rename file and move to c:\temp then remove in safe mode

read http://www.spywarein...showtopic=10050

regards
Boaz

#4 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 08:11 AM

mdpncb.dll - that's the problem.

open it in notepad and search for count.cc to check -> if result found

Won't work, save your efforts! ;)

The 'visible' BHO is not the Wide-system hook hijacker, but another file...

http://www.spywarein...wtopic=9653&hl=
http://www.spywarein...wtopic=9002&hl=

Different procedure each time .........

#5 maiki

maiki

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 June 2004 - 08:13 AM

:wave:

ty for helping me

here are the results



Microsoft Windows XP [Version 5.1.2600]
Der Typ des Dateisystems ist NTFS.
C: ist nicht fehlerhaft.

25.06.2004
3:03pm up 0 days, 1:09
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\MSL.DLL +++ File read error
\\?\C:\WINDOWS\System32\MSL.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File C:\FINDnFIX\LIST.TXT
MSL.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\WINDOWS\SYSTEM32\
msl.dll Thu 24 Jun 2004 10:00:48 A...R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

No matches found.

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\MSL.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read VORDEFINIERT\Benutzer
Full access VORDEFINIERT\Administratoren
Full access NT-AUTORITÄT\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group WEST\Kein.
User is a member of group \Jeder.
User is a member of group VORDEFINIERT\Administratoren.
User is a member of group VORDEFINIERT\Benutzer.
User is a member of group \LOKAL.
User is a member of group NT-AUTORITÄT\INTERAKTIV.
User is a member of group NT-AUTORITÄT\Authentifizierte Benutzer.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x VORDEFINIERT\Administratoren
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT-AUTORITÄT\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x WEST\maiki
Allow 0000000B -co- 10000000 ---A ---- ---- \ERSTELLER-BESITZER
Allow 00000003 tco- 001200A9 ---- -S-- r--x VORDEFINIERT\Benutzer
Allow 00000002 tc-- 00000004 ---- ---- --+- VORDEFINIERT\Benutzer
Allow 00000002 tc-- 00000002 ---- ---- -w-- VORDEFINIERT\Benutzer

Owner: WEST\maiki

Primary Group: WEST\Kein



»»»»»»Backups created...»»»»»»
3:04pm up 0 days, 1:09
25.06.2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-25-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-25-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
fØAppInit_DLLsĶģµG
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
Hijacked
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
=pswapdisk
TransmissionRetryTimeout
VUSERProcessHandleQuota

**File C:\FINDnFIX\WIN.TXT
regf

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 08:26 AM

Well done! :D
Your bad file is positively identified on all counts!
This will take a couple or more steps to fix.
Be sure to Follow the next set of steps carefully, in
the exact order specified:


-Open the FINDnFIX\Keys1 Subfolder!
- Locate the "MOVEit.bat" file, Right-Click on it, select->edit:
The file will open as empty text file.
-Copy and paste the entire highlighted line in the following quote box
(all one line) into that blank 'MOVEit' file:

move %WinDir%\System32\MSL.DLL %SystemDrive%\junkxxx\MSL.DLL


-Save the file and close.

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart, Navigate to:
C:\FINDnFIX\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce new log. (log1.txt) post it here!
=====================================
*Note:
Some users are not able to edit the "MOVEit.bat" file .
'Only'-- If you get any error message (as file not found,etc)
Stop there and Use these alternate steps , instead:

-Proceed to run the FINDnFIX\Keys1\"FIX.bat" file
and allow the prompt to restart your computer.

-On restart, manually navigate to System32 folder,
locate the "MSL.DLL"
file (as it will be 'visible',) and use the folder's top menu:
edit>move to folder...
Select the "MSL.DLL" and move it to the
C:\junkxxx folder that was created.
Follow up by running the C:\FINDnFIX\"RESTORE.bat"<- file.

You only need to follow one step or another. not both.

However, upon completion of either step, post the output! (log1.txt)

#7 maiki

maiki

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 June 2004 - 08:34 AM

:wtf:

it seems that i am too dumb for this ...

when i right-click the movit.bat icon it says "cant find movit.bat ...."

can u help me with this ?

#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 08:38 AM

=====================================
*Note:
Some users are not able to edit the "MOVEit.bat" file .
'Only'-- If you get any error message (as file not found,etc)
Stop there and Use these alternate steps , instead:

-Proceed to run the FINDnFIX\Keys1\"FIX.bat"<- file
and allow the prompt to restart your computer.

-On restart, manually navigate to System32 folder,
locate the "MSL.DLL"
file (as it will be 'visible',) and use the folder's top menu:
edit>move to folder...
Select the "MSL.DLL" and move it to the
C:\junkxxx folder that was created.
Follow up by running the C:\FINDnFIX\"RESTORE.bat"<- file.


..................post the output! (log1.txt)

Already replied! :D
Follow steps above, instead.

#9 maiki

maiki

    Member

  • New Member
  • Pip
  • 4 posts

Posted 25 June 2004 - 09:01 AM

i missed that one, ... sorry. :whistle:

here's the log:


25.06.2004
3:57pm up 0 days, 0:08

Microsoft Windows XP [Version 5.1.2600]
Der Typ des Dateisystems ist NTFS.
C: ist nicht fehlerhaft.

*Locked files...
* result\\?\C:\junkxxx\MSL.DLL

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

C:\JUNKXXX\
msl.dll Thu 24 Jun 2004 10:00:48 A...R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\MSL.DLL


Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
Searching ==>C:\JUNKXXX\MSL.DLL
Run Time(sec) 0
**File C:\JUNKXXX\MSL.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.



-ra-- W32i - - - - 57,344 06-24-2004 msl.dll
A R C:\junkxxx\msl.dll
File: <C:\junkxxx\msl.dll>
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249


»»Permissions:
C:\junkxxx\msl.dll VORDEFINIERT\Administratoren:F
NT-AUTORITÄT\SYSTEM:F
WEST\maiki:F
VORDEFINIERT\Benutzer:R

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x VORDEFINIERT\Administratoren
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT-AUTORITÄT\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x WEST\maiki
Allow 0000000B -co- 10000000 ---A ---- ---- \ERSTELLER-BESITZER
Allow 00000003 tco- 001200A9 ---- -S-- r--x VORDEFINIERT\Benutzer
Allow 00000002 tc-- 00000004 ---- ---- --+- VORDEFINIERT\Benutzer
Allow 00000002 tc-- 00000002 ---- ---- -w-- VORDEFINIERT\Benutzer

Owner: WEST\maiki

Primary Group: WEST\Kein

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x VORDEFINIERT\Administratoren
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT-AUTORITÄT\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \ERSTELLER-BESITZER
Allow 00000003 tco- 001200A9 ---- -S-- r--x VORDEFINIERT\Benutzer
Allow 00000002 tc-- 00000004 ---- ---- --+- VORDEFINIERT\Benutzer
Allow 0000000A -c-- 00000002 ---- ---- -w-- VORDEFINIERT\Benutzer
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Jeder

Owner: VORDEFINIERT\Administratoren

Primary Group: NT-AUTORITÄT\SYSTEM

File "C:\junkxxx\msl.dll"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x VORDEFINIERT\Administratoren
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT-AUTORITÄT\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x WEST\maiki
Allow 00000010 t--- 001200A9 ---- -S-- r--x VORDEFINIERT\Benutzer

Owner: WEST\maiki

Primary Group: WEST\Kein


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read VORDEFINIERT\Benutzer
Full access VORDEFINIERT\Administratoren
Full access NT-AUTORITÄT\SYSTEM



---------- WIN.TXT
fłAppInit_DLLsÖ?ęG

---------- NEWWIN.TXT
fłAppInit_DLLsÖ?ęGų

**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
000012F8: 01 00 00 00 01 00 66 F9 . 5F 44 4C 4C 73 D6 8D E6 ......fł _DLLsÖ?ę
**File C:\FINDnFIX\NEWWIN.TXT
regf

#10 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 09:06 AM

:thumbsup: Great progress! :thumbsup:

Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, Delete the entire 'FINDnFIX' file+folder(s)
From C:\


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular, CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! :)



