about:blank issues too


This topic is locked
12 replies to this topic

#1 Centus (Full Member, 9 posts)

Posted 20 May 2004 - 10:36 PM

I have run into the same problem as many of the current members with this stupid "about:blank". You guys have helped a lot of people and any assistance you can give will be helpful.

I read that I should not post anything until asked so...

Centus

#2 Centus (Full Member, 9 posts)

Posted 20 May 2004 - 10:48 PM

Sorry... here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 10:44:29 PM, on 5/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CYRUSA~1\LOCALS~1\Temp\Rar$EX00.919\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A52B1720-B69E-45BE-9084-B50EA1A5747C} - C:\WINDOWS\System32\olmjao.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

#3 ArchAng3l (Full Member, 7 posts)

Posted 20 May 2004 - 10:53 PM

Really weird-looking log. I'm new, but I think the following should be removed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {A52B1720-B69E-45BE-9084-B50EA1A5747C} - C:\WINDOWS\System32\olmjao.dll

Remember, I'm not really sure XD

Edited by ArchAng3l, 20 May 2004 - 10:57 PM.


#4 Centus (Full Member, 9 posts)

Posted 22 May 2004 - 12:17 AM

I have run HJT and logged off the user but it has not worked. It keeps coming back!

#5 freeatlast (Explorer, Retired Staff, 833 posts)

Posted 22 May 2004 - 12:22 AM

Download:
-'Find-All.zip'

http://www10.brinkst...last/pvtool.htm

Download, install and run:
Registrar Lite

First,
Run reglite, copy and paste this key to the
address bar, hit 'go' tab:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

DoubleClick on 'AppInit_Dlls' value on the
right side, copy and paste here the following fields:
-Size
-Value

Next, unzip the 'Find-All' folder.
DoubleClick on the 'Find-All.bat' file inside.
Follow instructions and post the log!

#6 Centus (Full Member, 9 posts)

Posted 23 May 2004 - 01:41 AM

Reglite Log:

Size - 32
Value - C:\WINDOWS\System32\comknnk.dll

**********************************************************

Find All Log:

--==***@@@ 'FIND-ALL' VERSION 6.2 -5/22 @@@***==--

*System Info:

Microsoft Windows 2000 [Version 5.00.2195]


*IE version and Service packs:
*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:

*M$Java version:


*PC uptime:

*Locked or 'Suspect' file(s) found...
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
'Xfind' is not recognized as an internal or external command,
operable program or batch file.


*Tasks (services):
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{310FF0BD-C9BE-42BA-8207-A0C821C7F3C7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D8D6796C-45A4-40A8-AABE-50E622D5A7C8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D8D6796C-45A4-40A8-AABE-50E622D5A7C8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

*ACLs list for *.* in 'junk' folder: (if exist)
*Contents of file(s) in 'junk' folder:
File not found - win*
File not found - C:\findall*.hiv
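
Added triage example, not code from the thread or from any of the tools mentioned: this Python script reads HijackThis lines like those in post #2 and pairs the res:// search-page entries with the nameless BHO that loads the same DLL, which is the set ArchAng3l picked out in post #3. It also compares the AppInit_DLLs value Registrar Lite showed in post #6 against the REGEDIT4 export of the same key in that Find-All log, where the value appears empty. The sample lines are copied from the posts above; the function names are my own.

```python
import re

# Constructed sample: the relevant R0/R1/O2/O4 lines from the HijackThis
# log in post #2, with one benign O4 entry kept as a control.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\olmjao.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A52B1720-B69E-45BE-9084-B50EA1A5747C} - C:\WINDOWS\System32\olmjao.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
"""

# Constructed sample of the two views of AppInit_DLLs from post #6: the value
# Registrar Lite read directly, and the REGEDIT4 export of the same key that
# the Find-All log produced a moment later.
REGLITE_VALUE = r"C:\WINDOWS\System32\comknnk.dll"
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
'''

RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)
BHO = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<dll>.+)$",
    re.IGNORECASE,
)


def triage_hjt(log: str) -> dict:
    """Group IE start/search-page entries (R0/R1) and BHOs (O2) by the DLL
    they point at. A DLL that both serves a res:// search page and is loaded
    as a nameless BHO is the pair the thread identifies as the hijacker."""
    res_dlls, bho_dlls, nameless = {}, {}, []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith(("R0 -", "R1 -")):
            m = RES_DLL.search(line)
            if m:  # about:blank and plain URLs have no res:// DLL and are skipped
                res_dlls.setdefault(m.group("dll").lower(), []).append(line)
        elif line.startswith("O2 -"):
            m = BHO.match(line)
            if m:
                dll = m.group("dll").strip().lower()
                bho_dlls[dll] = m.group("clsid")
                if m.group("name").strip() == "(no name)":
                    nameless.append(dll)
    shared = sorted(set(res_dlls) & set(bho_dlls))
    return {"res_dlls": res_dlls, "nameless_bhos": nameless, "shared": shared}


def appinit_hidden(direct_value: str, reg_export: str) -> bool:
    """True when a direct read of AppInit_DLLs disagrees with the REGEDIT4
    export of the same key: the value is not visible through the normal
    export path, which is why post #9 removes it by hand in regedit."""
    m = re.search(r'^"AppInit_DLLs"="(?P<v>.*)"$', reg_export, re.MULTILINE)
    exported = m.group("v") if m else ""
    return exported.strip().lower() != direct_value.strip().lower()


if __name__ == "__main__":
    result = triage_hjt(HJT_LOG)
    for dll in result["shared"]:
        print("res:// search page and BHO share one DLL:", dll)
    print("AppInit_DLLs hidden from export:", appinit_hidden(REGLITE_VALUE, REG_EXPORT))
```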


#7 freeatlast (Explorer, Retired Staff, 833 posts)

Posted 25 May 2004 - 04:19 AM

No idea how I overlooked this post; the page didn't refresh.

FYI, your Find-All log is useless.
Either you didn't unzip it or it is running from %temp%.

If you're still around, latest 'Find-All' is here:
http://freeatlast.10...om/Find-All.zip

Download again, unzip it properly to a normal path,
Run "Find-All.CMD", follow instructions and post the log!

#8 Centus (Full Member, 9 posts)

Posted 25 May 2004 - 09:24 PM

Hope I did this right this time. When I "ran it" the first time I got an error stating that it could not read the file. Unless I missed something, there were no real instructions to follow other than to click here and view the log.

--==***@@@ 'FIND-ALL' VERSION 8 -5/26 @@@***==--


Tue May 25 21:24:34 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "CENTUS" (0E23:1DF9) - FS:FAT clusters:32k
Total: 80 004 153 344 [75G] - Free: 70 623 690 752 [66G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
9:24pm up 0 days, 2:16

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\COMKNNK.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMKNNK.DLL +++ File read error


»»Tasks (services):
0 System Process
8 System
132 smss.exe
156 csrss.exe Title:
176 winlogon.exe Title: NetDDE Agent
212 services.exe Svcs: Dhcp,dmserver,Dnscache,Eventlog,LmHosts,PlugPlay,ProtectedStorage,seclogon,TrkWk
,Wmi
224 lsass.exe Svcs: SamSs
424 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
488 DefWatch.exe Svcs: DefWatch
512 svchost.exe Svcs: EventSystem,Iprip,Netman,NtmsSvc,RasMan,SENS,TapiSrv
540 Rtvscan.exe Svcs: Norton AntiVirus Server
576 savroam.exe Svcs: SAVRoam
648 MSTask.exe Svcs: Schedule
704 tcpsvcs.exe Svcs: SimpTcp
764 vsmon.exe Svcs: vsmon
848 WinMgmt.exe Svcs: WinMgmt
864 svchost.exe Svcs: wuauserv
888 Explorer.EXE Title: Program Manager
1168 vptray.exe Title: Symantec AntiVirus Corporate Edition
900 qttask.exe Title: QTPlayer Tray Icon
624 IEXPLORE.EXE Title: SWI Forums -> about:blank issues too - Microsoft Internet Explorer
1380 cmd.exe Title: C:\WINDOWS\system32\cmd.exe
472 ntvdm.exe
752 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{310FF0BD-C9BE-42BA-8207-A0C821C7F3C7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D8D6796C-45A4-40A8-AABE-50E622D5A7C8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D8D6796C-45A4-40A8-AABE-50E622D5A7C8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [CENTUS\Cyrus Andrews], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group CENTUS\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»ACLs list:
C:\junk No permissions are set. All user have full control.
ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Tue May 25 21:24:38 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\PROGRA~1\FindAll\Find-All\winBackup.hiv
A C:\PROGRA~1\FindAll\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Edited by Centus, 25 May 2004 - 09:51 PM.


#9 freeatlast (Explorer, Retired Staff, 833 posts)

Posted 26 May 2004 - 05:40 AM

Yes, you did it right this time! ;)

Next,

Your registry was set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
hilited.
(*compare and be sure the path on the status
bar is same as indicated above!)

-RightClick on the Windows Subfolder,
And rename Windows as Windows1

-Locate "AppInit_DLLs" value on the right
pane, RightClick it and select 'delete'

-Select the Windows1 on the left pane
again and rename it back to its
original name, Windows

-Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to System32 folder, Search
for System32\ COMKNNK.DLL file, hilite
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junk folder.
(It was created during first 'Find-All' run)
'ok' it.

--Re-run Find-All.cmd and post fresh output!

#10 Centus (Full Member, 9 posts)

Posted 26 May 2004 - 07:06 PM

Thanks for your help! How does this look...

--==***@@@ 'FIND-ALL' VERSION 8 -5/26 @@@***==--


Wed May 26 19:04:03 2004 -- ++Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "CENTUS" (0E23:1DF9) - FS:FAT clusters:32k
Total: 80 004 153 344 [75G] - Free: 70 616 481 792 [66G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


»»PC uptime:
7:04pm up 0 days, 0:05

»»Locked or 'Suspect' file(s) found...
* result\\?\C:\junk\COMKNNK.DLL


»»Tasks (services):
0 System Process
8 System
132 smss.exe
156 csrss.exe Title:
176 winlogon.exe Title: NetDDE Agent
204 services.exe Svcs: Dhcp,dmserver,Dnscache,Eventlog,LmHosts,PlugPlay,ProtectedStorage,seclogon,TrkWk
,Wmi
216 lsass.exe Svcs: SamSs
404 svchost.exe Svcs: RpcSs
432 spoolsv.exe Svcs: Spooler
460 DefWatch.exe Svcs: DefWatch
480 svchost.exe Svcs: EventSystem,Iprip,Netman,NtmsSvc,RasMan,SENS,TapiSrv
500 Rtvscan.exe Svcs: Norton AntiVirus Server
564 savroam.exe Svcs: SAVRoam
572 MSTask.exe Svcs: Schedule
616 tcpsvcs.exe Svcs: SimpTcp
664 vsmon.exe Svcs: vsmon
716 WinMgmt.exe Svcs: WinMgmt
792 svchost.exe Svcs: wuauserv
1064 Explorer.EXE Title: Program Manager
1160 vptray.exe Title: Symantec AntiVirus Corporate Edition
1012 qttask.exe Title: QTPlayer Tray Icon
1340 cmd.exe Title: C:\WINDOWS\system32\cmd.exe
580 ntvdm.exe
1140 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{310FF0BD-C9BE-42BA-8207-A0C821C7F3C7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{D8D6796C-45A4-40A8-AABE-50E622D5A7C8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{D8D6796C-45A4-40A8-AABE-50E622D5A7C8}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [CENTUS\Cyrus Andrews], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group CENTUS\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»ACLs list:
C:\junk No permissions are set. All user have full control.
C:\junk\comknnk.dll No permissions are set. All user have full control.

»»Contents of file(s) in 'junk' folder:
comknnk.dll

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

c185b36f9969d3a6d2122ba7cbc02249 comknnk.dll

57344 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:
File: <C:\junk\comknnk.dll>

CRC-32 : D5C9FB2E

GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488

E89EDB26 3B623462

HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595

AAEF452A 3CD2FAB3

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436

199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135

C8BECB6F 2DB242DA 5945C134 A7E3D9B9




Wed May 26 19:04:04 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\PROGRA~1\FindAll\Find-All\winBackup.hiv
A C:\PROGRA~1\FindAll\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#11 freeatlast (Explorer, Retired Staff, 833 posts)

Posted 26 May 2004 - 10:23 PM

Good!
Your drive is FAT32 formatted. Some of these
steps pertain to NTFS only, but they
work regardless of file system.

Last step(s):

Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key &Security
back to defaults
*Reset permissions on the junk\*.dll moved file
*Create zipped copy in the same folder: "junk.zip"
*Open your email client with given addresses for submission!

--Drag the 'junk.zip' and submit the
attachment to the specified address! Thanks ;)

When done, delete the "junk.zip"
as well as the "junk" folder in C:\
and the 'Find-All' folder(s); no longer needed!

The steps above only got rid of the 'hidden' hijacker.

To fix everything else, you need to run
*CWShredder and let it fix all it finds.
Rescan with fully updated *Ad-Aware6!
All links are in the FAQs.

Good luck!

#12 Centus (Full Member, 9 posts)

Posted 28 May 2004 - 08:05 AM

No wonder they call you Freeatlast... thanks for all your help. I have been running great for the past couple of days now. What do you recommend to prevent this from happening again? I looked over some of the articles and tried one of the browsers but it could not connect.

#13 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 01 June 2004 - 09:05 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Protection:

SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
http://www.wildersse...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see TonyKlein's good advice
So how did I get infected in the first place?

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
