ABOUT:BLANK

This topic is locked
21 replies to this topic

#1 arion (Full Member, 12 posts)
Posted 20 May 2004 - 11:49 AM

I used Spybot Search & Destroy, and it's up to date. Spybot cleared everything it's able to. Then I used CWShredder and it removed this other problem I was having. But this morning when I clicked on Internet Explorer to surf the internet, my homepage was getting redirected to about:blank. CWShredder removes CWS.SEARCH but it returns every time. Now I used HijackThis, but I'm hoping the experts can tell me what I can safely remove. Thank you for your help.

Logfile of HijackThis v1.97.7
Scan saved at 8:24:06 AM, on 12/27/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\Mike.JOHNMIKE\My Documents\clip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msiets.dll//iemenu
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7571.6412037037
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#2 arion (Full Member, 12 posts)
Posted 20 May 2004 - 05:34 PM

sdfsdfs

#3 freeatlast, Explorer (Retired Staff, 833 posts)
Posted 20 May 2004 - 06:56 PM

In HijackThis, fix checked:

*R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
*O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
*O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
*O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msiets.dll//iemenu

Restart the computer, then find and delete the 'MSIETS' folder
in the \Program Files\Common Files\ subfolder.

When done, Go here:
http://www10.brinkst...last/pvtool.htm
Download:
-'Find-All.zip'
-'Salamand.Zip'

Download, install and run:
Registrar Lite

First,
Run reglite, copy and paste this key to the
address bar, hit 'go' tab:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

DoubleClick on 'AppInit_Dlls' value on the
right side, copy and paste here the following fields:
-Size
-Value

Next, *UNzip the 'Find-All' folder.
DoubleClick on the 'Find-All.bat' file inside.
Follow instructions and post the log!
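The items the reply above picks out follow a small number of triage rules that can be applied mechanically to a HijackThis log: registrations whose backing file is gone ("(no file)"), R-entries whose value is about:blank, and context-menu items served out of a DLL resource (res://). The script below is an added example for this thread, not a tool from the forum or from the HijackThis author; the sample lines are a constructed subset copied from the log format posted above, and the rules are a first-pass filter for a human reviewer, not a verdict (entries backed by a real file, such as SDHelper.dll or NavShExt.dll, are deliberately left alone).

```python
import re

# Constructed sample in HijackThis 1.97 format: a subset of the entry
# types seen in the log above, not a complete scan.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msiets.dll//iemenu
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# "R1 - ...", "O2 - ..." etc.; the process list and headers do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_entries(log):
    """Yield (kind, body) for every HijackThis entry line in the log."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log):
    """Return [(kind, body, reason)] for entries that deserve a second look.

    The three rules mirror the reply above: orphaned registrations,
    IE start/search values redirected to about:blank, and O8 context
    menu items that load out of a DLL resource.
    """
    findings = []
    for kind, body in parse_entries(log):
        lower = body.lower()
        if body.endswith("(no file)"):
            findings.append((kind, body, "registered CLSID with no backing file"))
        elif kind.startswith("R") and body.endswith("= about:blank"):
            findings.append((kind, body, "IE start/search value set to about:blank"))
        elif kind == "O8" and "res://" in lower and ".dll" in lower:
            findings.append((kind, body, "context menu item loaded from a DLL resource"))
    return findings


def orphaned_clsids(log):
    """Sorted CLSIDs from '(no file)' entries, for cross-checking against the BHO/toolbar keys."""
    ids = set()
    for kind, body, reason in triage(log):
        m = CLSID_RE.search(body)
        if body.endswith("(no file)") and m:
            ids.add(m.group(0))
    return sorted(ids)


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_HJT):
        print(f"[{kind}] {reason}\n    {body}")
    print("orphaned CLSIDs:", orphaned_clsids(SAMPLE_HJT))
```

Run against the constructed sample it reports six entries, the same four the reply above says to fix plus the two about:blank R1 values from the original log; the O2 NAV Helper, the Avant Browser O8 item and the O4 Run entry pass through untouched because each is backed by a file on disk.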

#4 arion (Full Member, 12 posts)
Posted 21 May 2004 - 04:14 PM

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--


Sun Dec 28 13:11:13 2003 -- Results:
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (18A3:F328) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 4 030 664 704 [3.8G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
1:11pm up 0 days, 0:57

*Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error


*Tasks (services):
0 System Process
4 System
508 smss.exe
564 CSRSS.EXE Title:
588 winlogon.exe Title: NetDDE Agent
648 SERVICES.EXE Svcs: Eventlog,PlugPlay
660 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
860 SVCHOST.EXE Svcs: RpcSs
924 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo
on,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWk
,uploadmgr,w
1112 SVCHOST.EXE Svcs: Dnscache
1132 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1540 SPOOLSV.EXE Svcs: Spooler
1652 alg.exe Svcs: ALG
1680 ccEvtMgr.exe Svcs: ccEvtMgr
1708 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1772 Navapsvc.exe Svcs: navapsvc
1868 NISUM.EXE Svcs: NISUM
1964 nvsvc32.exe Svcs: NVSvc
232 snmp.exe Svcs: SNMP
272 SVCHOST.EXE Svcs: stisvc
548 CCPXYSVC.EXE Svcs: ccPxySvc
268 devldr32.exe Title: DEVLDR
692 explorer.exe Title: Program Manager
1000 LVComS.exe Title: LVComSWnd
2040 ccApp.exe Title:
1344 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
2840 iexplore.exe Title: SWI Forums -> ABOUT:BLANK - Microsoft Internet Explorer
3672 YPager.exe Title:
948 rl.exe Title: Registrar
2920 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
1228 ntvdm.exe
1816 msmsgs.exe Title:
2684 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDF882E4-A1DA-40BF-A7B3-7FAD37C00BEA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{60D4CB08-4CD8-45D2-8D86-0A1988EEA865}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{60D4CB08-4CD8-45D2-8D86-0A1988EEA865}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]

Sun Dec 28 13:11:18 2003 -- *Find-All 'Windows'.hiv list:
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv


#5 freeatlast, Explorer (Retired Staff, 833 posts)
Posted 21 May 2004 - 06:10 PM

Follow the reglite steps per my previous post.

Paste the same key to the address bar,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-DoubleClick "AppInit_DLLs" value on the right pane,
and clear the data value:
C:\WINDOWS\System32\WDMB.DLL <- delete this line,
'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

-Search for this file:
C:\WINDOWS\System32\WDMB.DLL <
Try to delete it, expect to get access denied! (for now)

-Run 'Find-All.bat' again and post the log.

#6 arion (Full Member, 12 posts)
Posted 22 May 2004 - 05:58 AM

THANKS FOR YOUR HELP

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--


Mon Dec 29 02:56:16 2003 -- Results:
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (18A3:F328) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 4 030 533 632 [3.8G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
2:56am up 0 days, 0:04

*Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error


*Tasks (services):
0 System Process
4 System
508 smss.exe
564 CSRSS.EXE Title:
588 winlogon.exe Title: NetDDE Agent
632 SERVICES.EXE Svcs: Eventlog,PlugPlay
644 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
816 SVCHOST.EXE Svcs: RpcSs
872 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo
on,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWk
,uploadmgr,w
1032 SVCHOST.EXE Svcs: Dnscache
1060 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1184 SPOOLSV.EXE Svcs: Spooler
1520 alg.exe Svcs: ALG
1532 ccEvtMgr.exe Svcs: ccEvtMgr
1552 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1588 Navapsvc.exe Svcs: navapsvc
1616 NISUM.EXE Svcs: NISUM
1728 nvsvc32.exe Svcs: NVSvc
1812 snmp.exe Svcs: SNMP
1844 SVCHOST.EXE Svcs: stisvc
416 CCPXYSVC.EXE Svcs: ccPxySvc
1040 explorer.exe Title: Program Manager
1400 devldr32.exe Title: DEVLDR
1420 LVComS.exe Title: LVComSWnd
1460 ccApp.exe Title: Norton AntiVirus
1684 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
2540 msmsgs.exe Title:
2808 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
2840 ntvdm.exe
2980 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E1D1FB1-3A19-4993-85BB-FB98C0C26803}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access JOHNMIKE\Mike
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access JOHNMIKE\Mike


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]

Mon Dec 29 02:56:18 2003 -- *Find-All 'Windows'.hiv list:
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv


#7 arion (Full Member, 12 posts)
Posted 22 May 2004 - 06:14 AM

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--


Mon Dec 29 02:56:16 2003 -- Results:
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (18A3:F328) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 4 030 533 632 [3.8G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
2:56am up 0 days, 0:04

*Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error


*Tasks (services):
0 System Process
4 System
508 smss.exe
564 CSRSS.EXE Title:
588 winlogon.exe Title: NetDDE Agent
632 SERVICES.EXE Svcs: Eventlog,PlugPlay
644 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
816 SVCHOST.EXE Svcs: RpcSs
872 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo
on,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWk
,uploadmgr,w
1032 SVCHOST.EXE Svcs: Dnscache
1060 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1184 SPOOLSV.EXE Svcs: Spooler
1520 alg.exe Svcs: ALG
1532 ccEvtMgr.exe Svcs: ccEvtMgr
1552 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1588 Navapsvc.exe Svcs: navapsvc
1616 NISUM.EXE Svcs: NISUM
1728 nvsvc32.exe Svcs: NVSvc
1812 snmp.exe Svcs: SNMP
1844 SVCHOST.EXE Svcs: stisvc
416 CCPXYSVC.EXE Svcs: ccPxySvc
1040 explorer.exe Title: Program Manager
1400 devldr32.exe Title: DEVLDR
1420 LVComS.exe Title: LVComSWnd
1460 ccApp.exe Title: Norton AntiVirus
1684 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
2540 msmsgs.exe Title:
2808 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
2840 ntvdm.exe
2980 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E1D1FB1-3A19-4993-85BB-FB98C0C26803}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access JOHNMIKE\Mike
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access JOHNMIKE\Mike


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]

Mon Dec 29 02:56:18 2003 -- *Find-All 'Windows'.hiv list:
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv


#8 freeatlast, Explorer (Retired Staff, 833 posts)
Posted 22 May 2004 - 06:02 PM

First, Download the 'Find-All' package again. I changed something.
Be sure to unzip it first!

Next,
Open the subfolder "Tools" inside Find-All folder.
DoubleClick (once) on the "Xfix.bat" file inside.
Nothing would appear to happen, but it should
create a folder (junk) in your root drive
and restore/clean registry keys.

Navigate to System32, find WDMB.DLL, highlight it
and use the folder's top menu
option: "Edit -> Move to folder..."
Browse to and select the C:\junk folder.
'ok' it.
Re-run Find-All.bat and post fresh output!

#9 arion (Full Member, 12 posts)
Posted 24 May 2004 - 01:07 AM

I have several problems. When I click on the xfix.bat file it states "error: access is denied", and it didn't create a folder named junk. Now I can't find wdmb.dll.

#10 arion (Full Member, 12 posts)
Posted 24 May 2004 - 01:27 AM

I checked again and I do have a folder under c:junk. The folder is empty. The problem now is I can't find WDMB.DLL. I used the search option to search my whole C drive, but I was unable to find WDMB.DLL.

#11 freeatlast, Explorer (Retired Staff, 833 posts)
Posted 24 May 2004 - 01:37 AM

Ok, repeat the reglite steps and check whether
the data you had to delete is back in the same key.
Post back which size and value
are listed in the data editor for 'AppInit_DLLs'.

Delete the 'Find-All' folder and
download the newer version from here:
http://freeatlast.10...om/Find-All.zip

Unzip, DoubleClick on the 'Find-All.cmd' file and
post the output when done!

I'm not sure you actually performed the steps as described:

"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"
"AppInit_DLLs"=""

This means you didn't rename the Windows key, but the AppInit value instead.
I suggest you scroll back, re-read the steps and repeat.
Post the Find-All log when done.
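The two REGEDIT4 lines quoted above are the clue the helper reads: the value name itself now contains "-Size -Value", so the user renamed the AppInit_DLLs value rather than clearing its data, and the DLL path is still there under a new name. The later log in this thread shows a second variant, where the path ends up in the key's default value (@=). The script below is an added example for this thread, not part of Find-All or of the forum's tooling; it parses the REGEDIT4 export and the RegDACL section of a Find-All log (a constructed excerpt combining both variants seen in this thread) and reports every way the Windows key can still carry a DLL path, plus any account with Full access on the key beyond the default Administrators/SYSTEM/CREATOR OWNER set (one of the logs above gained a per-user Full access entry, which is exactly the kind of drift a defender wants flagged).

```python
import re

# Constructed excerpt in the shape of a Find-All log: the REGEDIT4 export of
# the Windows key followed by the RegDACL ACE list. It combines the renamed
# value seen in one log above with the default-value variant seen in a later one.
SAMPLE_FINDALL = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"
"AppInit_DLLs"=""
@="C:\\WINDOWS\\System32\\wdmb.dll"

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access JOHNMIKE\Mike
(ID-IO) ALLOW Full access CREATOR OWNER
"""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Principals that normally hold Full access on this key (assumption for the audit).
EXPECTED_FULL_ACCESS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=data or @=data
ACE_RE = re.compile(r"^\((ID-NI|ID-IO)\) ALLOW (Read|Full access) (.+)$")


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the REGEDIT4 blocks of a log into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def audit_appinit(keys):
    """Report anything under the Windows key that still points at a DLL."""
    findings = []
    for name, data in keys.get(WINDOWS_KEY, {}).items():
        lname = name.lower()
        if lname == "appinit_dlls":
            if data:                       # the real value, still populated
                findings.append(f"AppInit_DLLs is set: {data}")
        elif "appinit_dlls" in lname:      # value renamed instead of cleared
            findings.append(f"stray value {name!r} (renamed, not cleared): {data}")
        elif name == "@" and isinstance(data, str) and data.lower().endswith(".dll"):
            findings.append(f"default value of the key holds a DLL path: {data}")
    return findings


def audit_acl(text, expected=EXPECTED_FULL_ACCESS):
    """Principals granted Full access on the key that are outside the expected set."""
    unexpected = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m.group(2) == "Full access" and m.group(3) not in expected:
            if m.group(3) not in unexpected:
                unexpected.append(m.group(3))
    return unexpected


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_FINDALL)
    for f in audit_appinit(keys):
        print("REG:", f)
    for p in audit_acl(SAMPLE_FINDALL):
        print("ACL: unexpected Full access for", p)
```

On the constructed excerpt the registry audit reports the renamed value and the DLL path sitting in the key's default value, and the ACL audit reports the per-user Full access entry. The same parser can be pointed at any of the Find-All logs pasted in this thread.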

#12 freeatlast, Explorer (Retired Staff, 833 posts)
Posted 24 May 2004 - 01:52 AM

Do this:
-Run reglite

Paste the same key to the address bar,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

You RightClick in order to rename!

On the Right pane, find both of these:
*-"AppInit_DLLs -Size -Value"="
*-"AppInit_DLLs"=""

RightClick on each of the values above
and select "delete" from reglite's
context menu!

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

-Check in reglite again, in the same key
that no 'AppInit_Dlls' entry is listed.

Run "Find-All.cmd" and post the log!

#13 arion (Full Member, 12 posts)
Posted 25 May 2004 - 08:04 AM

I can delete "AppInit_DLLs -Size -Value" but I can't delete "AppInit_DLLs". Man, this is taking forever. Thanks for still helping me, freeatlast. I'm hoping to be freeatlast of this problem. lol

#14 freeatlast, Explorer (Retired Staff, 833 posts)
Posted 25 May 2004 - 08:25 AM

Since you're still around we'd have to start all over.

Download the latest 'Find-All' package again here:

http://freeatlast.10...om/Find-All.zip

Unzip, DoubleClick on the "Find-All.CMD" file and post the log.

EDIT:@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

  --==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--


Mon **Dec 29 02:56:16 2003 -- Results:
*System Info:


Considering your PC clock is wrong, I'm not sure what can be done!
This was the date listed on your last log!
And the same date in hijackthis log!

If that's some special *patch, get rid of it and
restore normal windows routines, if you really
want to resolve other problems.

Edited by freeatlast, 25 May 2004 - 08:34 AM.


#15 arion (Full Member, 12 posts)
Posted 25 May 2004 - 02:53 PM

Wow!!! That's cool how you noticed the date and time. LOL Well, regarding the time: I think my battery is dying. It keeps losing time even after I've set it several times. I think the reason my computer got infected was because I let other people get on. I'm glad you're still helping me, too. Thanks. That's scary stuff how the logs reveal everything. lol

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Tue May 25 12:46:07 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (18A3:F328) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 3 816 722 432 [3.6G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
12:46am up 0 days, 6:50

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDMB.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
508 smss.exe
564 CSRSS.EXE Title:
588 winlogon.exe Title: NetDDE Agent
652 SERVICES.EXE Svcs: Eventlog,PlugPlay
664 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
860 SVCHOST.EXE Svcs: RpcSs
928 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo
on,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWk
,uploadmgr,w
1060 SVCHOST.EXE Svcs: Dnscache
1128 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1320 SPOOLSV.EXE Svcs: Spooler
1660 alg.exe Svcs: ALG
1688 ccEvtMgr.exe Svcs: ccEvtMgr
1716 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1780 Navapsvc.exe Svcs: navapsvc
1876 NISUM.EXE Svcs: NISUM
1972 nvsvc32.exe Svcs: NVSvc
196 snmp.exe Svcs: SNMP
276 SVCHOST.EXE Svcs: stisvc
1072 CCPXYSVC.EXE Svcs: ccPxySvc
1476 devldr32.exe Title: DEVLDR
1496 explorer.exe Title: Program Manager
208 LVComS.exe Title: LVComSWnd
304 ccApp.exe Title:
876 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
2188 mirc.exe Title: mIRC
908 mmjb.exe Title: MUSICMATCH Jukebox
3944 mmdiag.exe Title:
536 iexplore.exe Title: SWI Forums -> ABOUT:BLANK - Microsoft Internet Explorer
3480 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3860 ntvdm.exe
3488 msmsgs.exe Title:
2988 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
@="C:\\WINDOWS\\System32\\wdmb.dll"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E1D1FB1-3A19-4993-85BB-FB98C0C26803}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access JOHNMIKE\Mike
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access JOHNMIKE\Mike



»»Group settings:
Microsoft ® Windows ® 2000 Operating System Group Policy Result tool
Copyright © Microsoft Corp. 1981-1999


Created on Tuesday, May 25, 2004 at 12:46:11 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.1.2600.Service Pack 1
Terminal Server Mode: Not supported

###############################################################

Computer Group Policy results for:



Domain Name:
Domain Type: Windows NT v4


The computer is a member of the following security groups:


###############################################################

Failed to open key with 2


User: [JOHNMIKE\Mike], is a member of:

BUILTIN\Administrators
\Everyone

»»ACLs list:
C:\junk BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
JOHNMIKE\Mike:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue May 25 12:46:13 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#16 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 25 May 2004 - 03:11 PM

Ok, arion, follow these steps now, and don't use reglite on this one!

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Go to Start/Run and type:
regedit
The registry should open with the Windows subfolder highlighted.
(*Compare and be sure the path on the status bar is the same as indicated above!)

-Right-click on the Windows subfolder and rename Windows as Windows1.

-Locate the "AppInit_DLLs" value on the right pane, right-click it and select 'Delete'.

-Select Windows1 on the left pane again and rename it back to its original name, Windows.

-Use regedit's top menu View->Refresh once and be sure the "AppInit_DLLs" value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to the System32 folder, search for System32\WDMB.DLL, highlight it and use the folder's top menu option: "Edit-> Move to folder..."
Browse to and select the C:\junk folder. (It was created during the first 'Find-All' run.)
'OK' it.

--Re-run Find-All.cmd and post fresh output!

#17 arion

    Member

  • Full Member
  • 12 posts

Posted 26 May 2004 - 09:28 AM

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Wed May 26 07:25:52 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (18A3:F328) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 3 632 181 248 [3.4G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
7:25am up 0 days, 0:11

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junk\WDMB.DLL


»»Tasks (services):
0 System Process
4 System
500 smss.exe
564 CSRSS.EXE Title:
588 winlogon.exe Title: NetDDE Agent
632 SERVICES.EXE Svcs: Eventlog,PlugPlay
644 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
816 SVCHOST.EXE Svcs: RpcSs
872 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo
on,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWk
,uploadmgr,w
1036 SVCHOST.EXE Svcs: Dnscache
1060 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1196 SPOOLSV.EXE Svcs: Spooler
1512 alg.exe Svcs: ALG
1524 ccEvtMgr.exe Svcs: ccEvtMgr
1544 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1580 Navapsvc.exe Svcs: navapsvc
1616 NISUM.EXE Svcs: NISUM
1720 nvsvc32.exe Svcs: NVSvc
1812 snmp.exe Svcs: SNMP
1852 SVCHOST.EXE Svcs: stisvc
408 CCPXYSVC.EXE Svcs: ccPxySvc
1148 explorer.exe Title: Program Manager
1452 devldr32.exe Title: DEVLDR
1492 LVComS.exe Title: LVComSWnd
1696 ccApp.exe Title: Norton AntiVirus
1792 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor
2344 iexplore.exe Title: SWI Forums -> ABOUT:BLANK - Microsoft Internet Explorer
1316 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
272 ntvdm.exe
1140 msmsgs.exe Title:
2284 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
@="C:\\WINDOWS\\System32\\wdmb.dll"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E1D1FB1-3A19-4993-85BB-FB98C0C26803}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access JOHNMIKE\Mike
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access JOHNMIKE\Mike



»»Group settings:
Microsoft ® Windows ® 2000 Operating System Group Policy Result tool
Copyright © Microsoft Corp. 1981-1999


Created on Wednesday, May 26, 2004 at 7:25:54 AM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.1.2600.Service Pack 1
Terminal Server Mode: Not supported

###############################################################

Computer Group Policy results for:



Domain Name:
Domain Type: Windows NT v4


The computer is a member of the following security groups:


###############################################################

Failed to open key with 2


User: [JOHNMIKE\Mike], is a member of:

BUILTIN\Administrators
\Everyone

»»ACLs list:
C:\junk BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
JOHNMIKE\Mike:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


C:\junk\wdmb.dll BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
JOHNMIKE\Mike:F
BUILTIN\Users:R


»»Contents of file(s) in 'junk' folder:
wdmb.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 wdmb.dll

57344 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junk\wdmb.dll>

Size-32 : 0000E000

CRC-32 : D5C9FB2E

GHash-32-5 : 26115E2D

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

E89EDB26 3B623462

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

AAEF452A 3CD2FAB3

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

C8BECB6F 2DB242DA 5945C134 A7E3D9B9




Wed May 26 07:25:54 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#18 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 26 May 2004 - 10:49 PM

Finally, some progress!

Open the 'Find-All'\Tools subfolder.
Double-click once on the "ZIPZAP.bat" file!

It will quickly/silently do this:
*Restore your key & security back to defaults
*Reset permissions on the moved junk\*.dll file
*Create a zipped copy in the same folder: "junk.zip"
*Open your email client with the given address for submission!

--Drag the 'junk.zip' and submit the attachment to the specified address, thanks ;)

When done, delete the "junk.zip" as well as the "junk" folder in C:\

To fix all other related problems:
Scan and fix with *CWShredder.
Same with fully updated Ad-Aware 6! Select your drive and fix all problems!
All links are in the FAQs.

When done,
--Re-run Find-All.cmd and post fresh output!

#19 arion

    Member

  • Full Member
  • 12 posts

Posted 27 May 2004 - 02:58 PM

Thank you for your help, free. I think WE finally got rid of it. LOL I think it was much easier just going to the registry the old way. By the way, Ad-Aware 6 finally got rid of those pop-ups. Thanks for your help.

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--


Thu May 27 12:35:04 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (18A3:F328) - FS:NTFS clusters:4k
Total: 79 990 845 440 [74G] - Free: 3 349 946 368 [3.1G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
12:35am up 1 day, 5:21

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
500 smss.exe
564 CSRSS.EXE Title:
588 winlogon.exe Title: NetDDE Agent
632 SERVICES.EXE Svcs: Eventlog,PlugPlay
644 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
816 SVCHOST.EXE Svcs: RpcSs
872 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,
eclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,TermService,Themes,
rkWks,upload
1036 SVCHOST.EXE Svcs: Dnscache
1060 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1196 SPOOLSV.EXE Svcs: Spooler
1512 alg.exe Svcs: ALG
1524 ccEvtMgr.exe Svcs: ccEvtMgr
1544 CTSVCCDA.EXE Svcs: Creative Service for CDROM Access
1580 Navapsvc.exe Svcs: navapsvc
1616 NISUM.EXE Svcs: NISUM
1720 nvsvc32.exe Svcs: NVSvc
1812 snmp.exe Svcs: SNMP
1852 SVCHOST.EXE Svcs: stisvc
408 CCPXYSVC.EXE Svcs: ccPxySvc
1452 devldr32.exe Title: DEVLDR
1492 LVComS.exe Title: LVComSWnd
1696 ccApp.exe Title:
2836 msmsgs.exe Title: MSBLNetConn
3232 mirc.exe Title: mIRC
1848 explorer.exe Title: Program Manager
2176 iexplore.exe Title: Avant Browser
2300 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
2756 ntvdm.exe
2472 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group settings:
Microsoft ® Windows ® 2000 Operating System Group Policy Result tool
Copyright © Microsoft Corp. 1981-1999


Created on Thursday, May 27, 2004 at 12:35:06 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.1.2600.Service Pack 1
Terminal Server Mode: Not supported

###############################################################

Computer Group Policy results for:



Domain Name:
Domain Type: Windows NT v4


The computer is a member of the following security groups:


###############################################################

Failed to open key with 2


User: [JOHNMIKE\Mike], is a member of:

BUILTIN\Administrators
\Everyone

»»ACLs list:
C:\junk BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
JOHNMIKE\Mike:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Thu May 27 12:35:07 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~1\MIKE~1.JOH\MYDOCU~1\clip\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#20 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 27 May 2004 - 11:57 PM

Yup, all's well! ;)

Because of what you did before, you have a trail left...
Open regedit to the same 'Windows' key and delete this:
"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"

The other (empty) 'AppInit_DLLs' value can be left alone!

Well done!
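What the helper was checking across arion's three Find-All dumps, as an added Python example that is not part of this thread and not Find-All's own code: it parses the REGEDIT4 sections of a dump, flags the two load points this hijack used (a DLL path carried by the 'Windows' key, whether in AppInit_DLLs, in the key's (Default) value as in post #15, or in a mangled value name such as the "AppInit_DLLs -Size -Value" trail above, and a MIME filter registered on text/html or text/plain, which the cleaned dump in post #19 no longer has), and diffs two dumps so that "post fresh output" becomes a list of exactly what changed. The two dumps embedded in the block are constructed excerpts shaped like the ones in this thread, not copies of them; the IconServiceLib allowance is an assumption about later Windows versions and does not come from the page.

```python
"""Triage and before/after diff of Find-All style REGEDIT4 dumps.
Added example for this thread, not Find-All's own code; the two dumps are
constructed excerpts shaped like the thread's logs (before and after cleanup)."""
import re
from typing import Dict, List, Tuple

RegDump = Dict[str, Dict[str, str]]  # key path -> {value name -> data}

BEFORE_CLEANUP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
@="C:\\WINDOWS\\System32\\wdmb.dll"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D9691070-DE69-447F-931D-6F5951336021}"
'''

AFTER_CLEANUP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs -Size -Value"="C:\\WINDOWS\\System32\\wdmb.dll"
"AppInit_DLLs"=""

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
'''

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
FILTER_PREFIX = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"
# Values under the Windows key that legitimately hold a DLL name: AppInit_DLLs is
# the documented load point; IconServiceLib is assumed legitimate on Windows 8+.
DLL_VALUES_EXPECTED = {"AppInit_DLLs", "IconServiceLib"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data

def parse_regedit4(text: str) -> RegDump:
    """Parse a REGEDIT4 export into {key: {value_name: data}}; "@" is the
    (Default) value.  Quoted strings are unescaped, dword:/hex: data kept as-is."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            dump.setdefault(current, {})
            continue
        val = _VAL_RE.match(line)
        if val and current is not None:
            name = "@" if val.group(2) else val.group(1)
            data = val.group(3)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            dump[current][name] = data
    return dump

def triage(dump: RegDump) -> List[str]:
    """Flag the two load points this hijack used: a DLL path anywhere under the
    Windows key (AppInit_DLLs, the (Default) value, or a mangled value name such
    as the 'AppInit_DLLs -Size -Value' trail), and a MIME filter on text/html or
    text/plain, which lets a DLL rewrite every page IE renders."""
    findings: List[str] = []
    for name, data in dump.get(WINDOWS_KEY, {}).items():
        if name == "AppInit_DLLs" and data:
            findings.append(f"AppInit_DLLs loads: {data}")
        elif name not in DLL_VALUES_EXPECTED and data.lower().endswith(".dll"):
            findings.append(f"DLL path in unexpected value {name!r}: {data}")
    for key, values in dump.items():
        mime = key[len(FILTER_PREFIX):] if key.startswith(FILTER_PREFIX) else ""
        if mime in ("text/html", "text/plain"):
            findings.append(f"MIME filter on {mime}: {values.get('CLSID', '?')}")
    return findings

def _flatten(dump: RegDump) -> set:
    """Key names plus 'key :: name = data' lines, so two runs can be set-diffed."""
    return set(dump) | {f"{k} :: {n} = {v}" for k, vs in dump.items() for n, v in vs.items()}

def diff_dumps(before: RegDump, after: RegDump) -> Tuple[List[str], List[str]]:
    """(removed, added) entries between two runs: the check behind each
    'Re-run Find-All.cmd and post fresh output' in the thread."""
    b, a = _flatten(before), _flatten(after)
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    before, after = parse_regedit4(BEFORE_CLEANUP), parse_regedit4(AFTER_CLEANUP)
    print("Findings before / after:", triage(before), triage(after), sep="\n  ")
    print("Removed / added by cleanup:", *diff_dumps(before, after), sep="\n  ")
```

Run as-is it reports the (Default)-value DLL and both MIME filters in the first dump, only the renamed-value trail in the second, and a diff in which the benign deflate filter never appears. On a real machine, read the saved Find-All output (or a regedit .reg export of the same keys) into the two strings instead of the constructed excerpts.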

#21 arion

    Member

  • Full Member
  • 12 posts

Posted 28 May 2004 - 12:19 AM

I have to say my Internet Explorer is running faster. I also noticed that I'm using less juice. lol Thanks for your help, free.

#22 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 01 June 2004 - 08:59 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE




