• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
hectorv418

about: blank PLease advise WIN2K

8 posts in this topic

Dont know what else to do, ive think ive domne it all...

Heres log file

 

 

Logfile of HijackThis v1.97.7

Scan saved at 3:30:23 PM, on 6/30/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\OfficeScan NT\ntrtscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\OfficeScan NT\tmlisten.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\OfficeScan NT\ofcdog.exe

C:\OfficeScan NT\pccntmon.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\paradmin\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\paradmin\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll

O2 - BHO: (no name) - {AAE3010A-D539-4DED-8C3E-2C0EF332D9AE} - C:\WINNT\system32\ffdic.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow

O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?

O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: Domain = schonfeld.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: NameServer = 10.180.1.254,204.52.175.202

Share this post


Link to post
Share on other sites

Download and install : "FINDnFIX.exe" from any of

the links in my signature.

 

Run the "!LOG!.bat" file, wait for the final output (log.txt)

post the results....

Share this post


Link to post
Share on other sites

here it is

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows 2000 [Version 5.00.2195]

The type of the file system is FAT32.

C: is not dirty.

 

Wed 06/30/2004

3:13pm up 0 days, 0:15

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read Everyone

(ID-IO) ALLOW Read Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read Everyone

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group PARAMUS\Domain Users.

User is a member of group \Everyone.

User is a member of group BUILTIN\Users.

User is a member of group BUILTIN\Administrators.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

User is a member of group \LOCAL.

User is a member of group PARAMUS\Domain Admins.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Notepad check....

 

C:\WINNT\

notepad.exe Thu Jun 19 2003 9:07:10p A.... 51,200 50.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 51,200 bytes 50.00 K

 

C:\WINNT\SYSTEM32\

notepad.exe Thu Jun 19 2003 9:03:18p A.... 51,200 50.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 51,200 bytes 50.00 K

 

C:\WINNT\SYSTEM32\DLLCACHE\

notepad.exe Thu Jun 19 2003 9:02:04p A.... 51,200 50.00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 51,200 bytes 50.00 K

--a-- W32i APP ENU 5.0.2140.1 shp 51,200 06-19-2003 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows ® 2000 Operating System

ProductVersion 5.00.2140.1

FileVersion 5.00.2140.1

LegalCopyright Copyright © Microsoft Corp. 1981-1999

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050000:085c0001 (5.0:2140.1)

ProdVer: 00050000:085c0001 (5.0:2140.1)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

NA

 

Auditing:

NA

 

Owner: \Everyone

 

Primary Group: \Everyone

 

 

 

»»»»»»Backups created...»»»»»»

3:15pm up 0 days, 0:17

Wed 06/30/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-30-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 268 06-30-2004 winkey.reg

 

»»Performing 16bit string scan....

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

f a user that can launch a component grouped under the associated Win32

DCOMApplication

Windows

DeviceNotSelectedTimeout

GDIProcessHandleQuota

Spooler

swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota

ProviderRegistration

ObjectProviderRegistration

abstract

InteractionType

sint32

Values

PushVerify

QuerySupportLevels

string

ValueMap

WQL:UnarySelect

WQL:References

WQL:Associators

WQL:V1ProviderDefined

SupportsDelete

boolean

SupportsEnumeration

boolean

SupportsGet

boolean

SupportsPut

boolean

ObjectProviderRegistration

ClassProviderRegistration

ReferencedSetQueries

string

ResultSetQueries

string

UnsupportedQueries

string

ObjectProviderRegistration

InstanceProviderRegistration

ProviderRegistration

PropertyProviderRegistration

SupportsGet

boolean

SupportsPut

boolean

ProviderRegistration

 

**File C:\FINDnFIX\WIN.TXT

Share this post


Link to post
Share on other sites

Hmmmm :scratchhead:

 

Based on your results I have to wonder.

You don't seem to have this variant, and you are missing the "AppInit_DLLs"

value from the Windows key.

 

In addition, your registry security is all messed up on the key.

The fact that the "everyone" group is added, makes be believe you renamed the key yourself w/o backing it up, first!

 

Incidentally, the original setting on this key should be as follows:

 

Microsoft Windows 2000 [Version 5.00.2195]

The type of the file system is FAT32.

 

»»Security settings for 'Windows' key:

 

Access Control List for Registry

key hklm\SOFTWARE\Microsoft\Windows NT\

CurrentVersion\Windows:

 

(NI)    ALLOW  Read        BUILTIN\Users

(IO)    ALLOW  Read        BUILTIN\Users

(NI)    ALLOW  Read        BUILTIN\Power Users

(IO)    ALLOW  Read        BUILTIN\Power Users

(NI)    ALLOW  Full access  BUILTIN\Administrators

(IO)    ALLOW  Full access  BUILTIN\Administrators

(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM

(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM

(NI)    ALLOW  Full access  BUILTIN\Administrators

(IO)    ALLOW  Full access  CREATOR OWNER

 

Effective permissions for Registry key hklm\

SOFTWARE\Microsoft\Windows NT\

CurrentVersion\Windows:

 

Read          BUILTIN\Users

Read          BUILTIN\Power Users

Full access    BUILTIN\Administrators

Full access    NT AUTHORITY\SYSTEM

 

Have you followed any other

removal steps on your own, so far? Any removal tools?

Share this post


Link to post
Share on other sites

no just ran adaware .....and deleted keys in registry that it pointed to

but it kept coming back... am i screwed....

am i in fdisk territory???

Share this post


Link to post
Share on other sites

im heading out and wont back till tommorow morning ill follow up first thing tommorow so, please post more info....on a possible resolution for this issue

Share this post


Link to post
Share on other sites

Not really...

 

But I can't pinpoint the problem on your log.

 

Do this for now:

Find this file:

C:\FINDnFIX\WIN.TXT

Copy it and attach into your next reply!

 

Open the C:\FINDnFIX\Files2\ Subfolder.

DoubleClick on the file ->un.exe

Then DoubleClick on this file:

->last.reg, answer 'yes' to the prompt!

 

Both should remove most bad entries.

 

Restart your computer and delete the

entire FINDnFIX folder from C:\

And 'junkxxx' empty folder created.

 

Restart your computer in safe mode, find

and delete both of these files, if exist:

C:\WINNT\dpe.dll<

C:\WINNT\system32\ffdic.dll<

 

Re-run hijackthis and fix check any of the remains, if exist:

 

*All R1/R0 lines

*O2 - BHO: (no name) -

{834261E1-DD97-4177-853B-C907E5D5BD6E} -

C:\WINNT\dpe.dll

*O2 - BHO: (no name) -

{AAE3010A-D539-4DED-8C3E-2C0EF332D9AE}

- C:\WINNT\system32\ffdic.dll

*All O13 - lines (2)

 

Re-run once again -In particular,

Latest CWShredder.exe and fully updated Ad-Aware!

 

In order to restore your security on the key,

you can follow the steps on this page:

In this section:

 

How can I synchronize with Windows 2000 default security settings?

However, that's not a critical issue.

 

When done with the above, post new hijackthis log as well!

Share this post


Link to post
Share on other sites

I think im good Ill keep you posted. Thank you very much....

 

here's the log

 

Logfile of HijackThis v1.97.7

Scan saved at 9:09:15 AM, on 7/1/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\OfficeScan NT\ntrtscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\OfficeScan NT\tmlisten.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\OfficeScan NT\ofcdog.exe

C:\WINNT\Explorer.EXE

C:\OfficeScan NT\pccntmon.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\paradmin\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briefing.com/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: Domain = schonfeld.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3BCF9134-D9B4-4CB9-80CF-8D81D3332E75}: NameServer = 10.180.1.254,204.52.175.202

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0