
About blank help me !


6 replies to this topic

#1 MarcOuwendijk

MarcOuwendijk

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 04 July 2004 - 02:39 PM

Hi, I have tried to remove most of this and downed a spyware shield that keeps the majority from coming back...

However, I got the idea the .dll is still here since the about blank keeps returning (the spyware prog easily removes and keeps some parts permanently at bay... some not...). Please help me in removing this pest:

Hijack LoG

Logfile of HijackThis v1.97.7
Scan saved at 21:28:13, on 4-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\Marc Ouwendijk\Mijn documenten\Mijn ontvangen bestanden\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8169.5149189815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{844A4430-7634-423F-9E59-F0D9DD353054}: NameServer = 62.45.45.45 62.45.46.46

FindnFIX REPORT:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [versie 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q824145-Q330994-Q820223-Q832894-Q837009-Q831167
Het type bestandssysteem is NTFS.
C: bevat geen fouten.

zo 04-07-2004
9:34pm up 0 days, 0:23

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\HLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
HLP.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
hlp.dll Sun 27 Jun 2004 13:38:58 A...R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL


»»»»»(***5***)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... HLP.DLL .....57344 27.06.2004
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access PRIVA-8H1FN689R\Marc Ouwendijk
(ID-IO) ALLOW Full access MAKER EIGENAAR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read INGEBOUWD\Gebruikers
Full access INGEBOUWD\Administrators
Full access NT AUTHORITY\SYSTEM
Full access PRIVA-8H1FN689R\Marc Ouwendijk


»»Member of...: (Admin logon required!)
User is a member of group PRIVA-8H1FN689R\Geen.
User is a member of group \Iedereen.
User is a member of group INGEBOUWD\Administrators.
User is a member of group INGEBOUWD\Gebruikers.
User is a member of group \LOKAAL.
User is a member of group NT AUTHORITY\INTERACTIEF.
User is a member of group NT AUTHORITY\Geverifieerde gebruikers.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

De opgegeven service is geen geïnstalleerde service.

[SC] GetServiceDisplayName FAILED 1060:

De opgegeven service is geen geïnstalleerde service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Tue 8 Apr 2003 14:00:00 A.... 67.072 65,50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 67.072 bytes 65,50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue 8 Apr 2003 14:00:00 A.... 67.072 65,50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 67.072 bytes 65,50 K
--a-- W32i APP NLD 5.1.2600.0 shp 67,072 04-08-2003 notepad.exe
Language 0x0413 (Nederlands (Nederland))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Kladblok
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Besturingssysteem Microsoft® Windows®
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. Alle rechten voorbehouden.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x PRIVA-8H1FN689R\Marc Ouwendijk
Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR
Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

Owner: PRIVA-8H1FN689R\Marc Ouwendijk

Primary Group: PRIVA-8H1FN689R\Geen



»»»»»»Backups created...»»»»»»
9:34pm up 0 days, 0:23
zo 04-07-2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-04-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-04-2004 winkey.reg

»»Performing 16bit string scan....
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 f O h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 | . vk Spooler2
00001210: y e s ! vk swapdisk h
00001250: X vk TransmissionRetryTimeout vk
00001290: ' USERProcessHandleQuota h X
000012D0: vk 8 AppInit_DLLs Tn C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ h l p . d l l Wait
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLs
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""


**File C:\FINDnFIX\WIN.TXT
regf




Please please help! Thanks in advance!

Edited by MarcOuwendijk, 04 July 2004 - 02:40 PM.


#2 MarcOuwendijk

Posted 04 July 2004 - 02:45 PM

Also I lost my notepad and have a different version running on which I can't open findnfix moveit.bat....

#3 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 04 July 2004 - 02:53 PM

Leave the notepad issue for last, and follow these steps:


*Get ready to restart:
- Go to the C:\FINDnFIX\Keys1 subfolder!
- Double-click on the "FIX.bat" file in that folder.
- Wait for the popup alert to restart your computer in 15 seconds.

On restart, navigate to the System32 folder:
- Locate and select the "HLP.DLL" file (as it will be visible)
and use the folder's top menu > Edit > Move to folder...
Select C:\junkxxx as the destination and move the "HLP.DLL" there.
--------------------------------------------------------------

When done, go back to the C:\FINDnFIX\ main folder,
double-click on the "RESTORE.bat" file, and post the output! (log1.txt)

#4 MarcOuwendijk

Posted 04 July 2004 - 03:09 PM

I may have made a mistake... before your reply I looked up hpl.dll cause someone I know suggested it and was able to locate and delete it manually.... (I did use the fixbat before though)

I tried your instructions too but then the file was gone of course and no outcome came... same with the restore...

The hpldll is not there anymore... and to be sure I redid the logpart (see it below the latest phrase)... it was not mentioned anymore (where in the first log the hpdll was mentioned, now it said no files found)

Did the manual delete turn out right in the end or did I screw up and am I in for more trouble?? Please reply... thank you so much in advance

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [versie 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q824145-Q330994-Q820223-Q832894-Q837009-Q831167
Het type bestandssysteem is NTFS.
C: bevat geen fouten.

zo 04-07-2004
10:05pm up 0 days, 0:05

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



»»»»»(***5***)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read INGEBOUWD\Gebruikers
Full access INGEBOUWD\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group PRIVA-8H1FN689R\Geen.
User is a member of group \Iedereen.
User is a member of group INGEBOUWD\Administrators.
User is a member of group INGEBOUWD\Gebruikers.
User is a member of group \LOKAAL.
User is a member of group NT AUTHORITY\INTERACTIEF.
User is a member of group NT AUTHORITY\Geverifieerde gebruikers.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

De opgegeven service is geen geïnstalleerde service.

[SC] GetServiceDisplayName FAILED 1060:

De opgegeven service is geen geïnstalleerde service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Tue 8 Apr 2003 14:00:00 A.... 67.072 65,50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 67.072 bytes 65,50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue 8 Apr 2003 14:00:00 A.... 67.072 65,50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 67.072 bytes 65,50 K
--a-- W32i APP NLD 5.1.2600.0 shp 67,072 04-08-2003 notepad.exe
Language 0x0413 (Nederlands (Nederland))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Kladblok
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Besturingssysteem Microsoft® Windows®
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. Alle rechten voorbehouden.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x PRIVA-8H1FN689R\Marc Ouwendijk
Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR
Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers
Allow 00000002 tc-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

Owner: PRIVA-8H1FN689R\Marc Ouwendijk

Primary Group: PRIVA-8H1FN689R\Geen



»»»»»»Backups created...»»»»»»
10:05pm up 0 days, 0:06
zo 04-07-2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-04-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-04-2004 winkey.reg

»»Performing 16bit string scan....
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 f O h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 | . vk Spooler2
00001210: y e s ! vk swapdisk h
00001250: X vk TransmissionRetryTimeout vk
00001290: ' USERProcessHandleQuota h X
000012D0: vk 8 AppInit_DLLs Tn C : \ W I N
00001310:D O W S \ S y s t e m 3 2 \ h l p . d l l Wait
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
AppInit_DLLs
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""


**File C:\FINDnFIX\WIN.TXT
regf

#5 freeatlast

Posted 04 July 2004 - 03:41 PM

Well, I have no idea what you did exactly, following other steps on your own
but according to your set of logs, the offending file was:
-HLP.DLL not -"hpldll"

Hopefully you deleted the right file... ;)

Let me mention that the 'Restore' file has several purposes:
It scans your System dir as well as the moved file, and at
the same time it restores your registry hiv and security to default.

Some commands may no longer execute correctly if the entire
set of steps is not followed.

Your log shows no infection, but the last part can't be run, as you deleted the file.
Since you are running a non-English version of Windows, I can't make up all the specs on your log!

Same goes for your notepad issue.
Find this (hidden) folder:
C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue 8 Apr 2003

And replace your non-working notepads, whether in
System32 and/or Windows.

At this point you are most likely done.
Delete the entire FINDnFIX folder(s) from C:, and empty dir 'junkxxx' that was recreated.
Run any and all removal tools, and hopefully you're all set! ;)

#6 MarcOuwendijk

Posted 05 July 2004 - 10:45 AM

Thanks man! :thumbsup: I deleted the right one indeed, just mistyped it... I ran all tools... offline first and then online once more so I hope it works.... if not I'll post again and hope you (or any other) can be of help again then...

for now..fingers crossed re-do the notepad and hope it is fixed...

Thanks once again for all the help

#7 MarcOuwendijk

Posted 06 July 2004 - 02:11 PM

Thanks, it's still away but today I got an error saying kernel check fault... and it caused my PC to reboot... can that be because it is looking for the file I successfully deleted? If so, do I need to delete another part too or repair a certain kernel piece?



