Arrg, about:blank


This topic is locked
15 replies to this topic

#1 roffles

Posted 21 May 2004 - 03:50 AM

I've run CWShredder, and although it says it removes CWS.Searchx, after each reboot it loads up again. Therefore it must be in the startup somewhere. Unfortunately I do not know how to remove it myself, so I come to you to seek help! Below is my HijackThis log.
*Note: I've updated Windows, downloaded and applied ie-spyad, still nothing*

Logfile of HijackThis v1.97.7
Scan saved at 3:48:44 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Lineage II\system\L2.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\cWS\CWShredder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.filep...DC_1_0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8051.8777314815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 roffles

Posted 21 May 2004 - 04:49 AM

I also tried using the most updated Ad-Aware and Spybot S&D; neither helped any :(

#3 freeatlast

Posted 21 May 2004 - 05:10 AM

Download: "Find-All.zip" from Here
*Unzip the 'Find-All' folder, double-click on the Find-All.bat file inside,
follow the instructions and post the log!

#4 roffles

Posted 21 May 2004 - 05:26 AM

Log for Find-All

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==-- 
 

Fri May 21 05:24:36 2004 -- Results: 
*System Info: 

Microsoft Windows XP [Version 5.1.2600]
C: "" (A856:80F1) - FS:NTFS clusters:4k
Total: 60 011 610 112 [56G] - Free: 37 255 888 896 [35G]
 
 
 *IE version and Service packs: 
             6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion	REG_SZ;SP1;Q832894;Q330994;Q837009;Q831167;

 *Google Toolbar version and Attributes: 
 Defaults: "A";"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google
 
 *UserAgent: 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 
 *Wmplayer version: 
                9.0.0.2980  C:\Program Files\Windows Media Player\wmplayer.exe
                6.4.9.1125  C:\Program Files\Windows Media Player\mplayer2.exe
 
 *M$Java version: 
 
 
 *PC uptime: 
  5:24am  up 0 days,  2:37
 
*Locked or 'Suspect' file(s) found... 
\\?\C:\WINDOWS\System32\D3DI.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DI.DLL +++ File read error
 
 
 *Tasks (services): 
   0 System Process  
   4 System          
 644 smss.exe        
 692 csrss.exe       Title: 
 728 winlogon.exe    Title: NetDDE Agent
 800 services.exe    Svcs:  Eventlog,PlugPlay
 812 lsass.exe       Svcs:  PolicyAgent,ProtectedStorage,SamSs
1048 svchost.exe     Svcs:  RpcSs
1168 svchost.exe     Svcs:  AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitching
ompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,s
clogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time
winmgmt,wuauserv
1340 svchost.exe     Svcs:  Dnscache
1376 svchost.exe     Svcs:  LmHosts,RemoteRegistry,SSDPSRV,WebClient
1620 spoolsv.exe     Svcs:  Spooler
1776 nvsvc32.exe     Svcs:  NVSvc
1824 SMAgent.exe     Svcs:  SoundMAX Agent Service (default)
 524 explorer.exe    Title: Program Manager
 860 SMax4PNP.exe    Title: SMax4PNP
 776 SMax4.exe       Title: SoundMax4
1068 rundll32.exe    Title: MediaCenter
1224 jusched.exe     Title: OleMainThreadWndName
1812 iexplore.exe    Title: Avant Browser
1520 CWShredder.exe  Title: CSWhredder
1060 msmsgs.exe      Title: 
1516 HijackThis.exe  Title: HijackThis
 500 notepad.exe     Title: hijackthis.log - Notepad
1404 cmd.exe         Title: C:\WINDOWS\System32\cmd.exe
 208 ntvdm.exe       
1152 tlist.exe       
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4853E31D-4B02-4EA4-881F-83DF68943755}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AEAF98EA-4ED8-4EB9-B818-F447679C1EEA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AEAF98EA-4ED8-4EB9-B818-F447679C1EEA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key: 
 

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls	REG_SZ	


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read       	 BUILTIN\Users
(IO)    ALLOW  Read       	 BUILTIN\Users
(NI)    ALLOW  Read       	 BUILTIN\Power Users
(IO)    ALLOW  Read       	 BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read         	 BUILTIN\Users
Read         	 BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM


 *ACLs list for *.* in 'junk' folder: (if exist) 

Error: Cannot open file [C:\junk\*.*]

Fri May 21 05:24:40 2004 -- *Find-All 'Windows'.hiv list: 
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\winBackup.hiv
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\windows.txt
A          C:\FindallwinBackup.hiv



#5 roffles

Posted 21 May 2004 - 05:42 AM

Any ideas?

#6 freeatlast

Posted 21 May 2004 - 06:01 AM

Yes!
We have the information!

Next, on the same page (Find-All), download
'Salamand.zip', as you will need it later.

Download and install:
Registrar Lite: http://www.resplendence.com/reglite

Run reglite, copy and paste this key into the
address bar, and hit the 'go' tab:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

-Rename the folder Windows
to NotWindows (highlighted as a purple folder
in the left-hand pane of reglite).

-Double-click the "AppInit_DLLs" value in the right pane,
and clear the data value:
C:\WINDOWS\System32\D3DI.DLL <- delete this line,
'Apply' and 'OK' to set.

-Rename the NotWindows folder back to its
original name, Windows.

-Restart the computer.

-Search for this file:
C:\WINDOWS\System32\D3DI.DLL <-
Try to delete it; expect to get access denied!

-Run 'Find-All.bat' again and post the log.
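The reason the hijack came back after every reboot is visible across the logs posted above: the AppInit_DLLs value under the Windows key pointed at a DLL that Windows loads into every process, and Find-All reported that same DLL as unreadable on disk. The script below is an added example written for this thread; it is not code from the thread, from Find-All, or from HijackThis. It pulls those indicators out of the three kinds of output posted here: R0/R1 lines forced to about:blank in a HijackThis log, a non-empty AppInit_DLLs value in a REGEDIT4 export of the Windows key, and Find-All's "+++ File read error" entries, and it reports when one DLL shows up in both the registry value and the locked-file list. The sample inputs are constructed for the example; the AppInit_DLLs value is shown as post #6 says it looked before it was cleared.

```python
"""Triage helper for HijackThis / Find-All style output (added example).

Not part of the thread's tools. Flags three indicators and correlates them:
  1. IE start page forced to about:blank (R0/R1 lines of a HijackThis log),
  2. a non-empty AppInit_DLLs value in a REGEDIT4 export of the Windows key,
  3. files Find-All could not read ("+++ File read error").
"""
import re

# Constructed sample: HijackThis lines of the kind posted in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# Constructed sample: REGEDIT4 export of the Windows key as it would have
# looked before the value was cleared (post #6 names D3DI.DLL as the value).
# .reg files escape backslashes as "\\", which the parser undoes.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\D3DI.DLL"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"""

# Constructed sample: the locked-file section of a Find-All run.
SAMPLE_FINDALL = r"""
*Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\D3DI.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DI.DLL +++ File read error
"""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

HJT_START_PAGE = re.compile(
    r"^R[01] - (?P<hive>HK\w+)\\.*,"
    r"(?P<name>Start Page|HomeOldSP|Search Page|Default_Page_URL) = (?P<value>.*)$"
)
# Find-All prints locked paths with the \\?\ prefix.
LOCKED = re.compile(r"^\\\\\?\\(?P<path>.+?) \+\+\+ File read error$")


def hijacked_start_pages(hjt_text, bad_values=("about:blank",)):
    """(hive, value name, value) for R0/R1 lines whose target is in bad_values."""
    hits = []
    for line in hjt_text.splitlines():
        m = HJT_START_PAGE.match(line.strip())
        if m and m.group("value").strip().lower() in bad_values:
            hits.append((m.group("hive"), m.group("name"), m.group("value").strip()))
    return hits


def parse_regedit4(text):
    """Return {key path: {value name: value}} for a REGEDIT4 export.

    String values have their .reg escaping removed; dword/hex values are kept
    as the raw text after '='.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = value
    return keys


def appinit_dlls(reg_text):
    """DLL paths listed in AppInit_DLLs; an empty list means nothing is injected."""
    keys = {k.lower(): v for k, v in parse_regedit4(reg_text).items()}
    values = keys.get(WINDOWS_KEY.lower(), {})
    raw = next((v for n, v in values.items() if n.lower() == "appinit_dlls"), "")
    # The value is a space- or comma-separated list of paths.
    return [p for p in re.split(r"[ ,]+", raw.strip()) if p]


def locked_files(findall_text):
    """Unique paths Find-All reported as unreadable, in first-seen order."""
    seen = []
    for line in findall_text.splitlines():
        m = LOCKED.match(line.strip())
        if m and m.group("path") not in seen:
            seen.append(m.group("path"))
    return seen


def triage(hjt_text, reg_text, findall_text):
    """Collect the indicators and correlate injected DLLs with locked files."""
    dlls = appinit_dlls(reg_text)
    locked = locked_files(findall_text)
    locked_lower = {p.lower() for p in locked}
    return {
        "start_pages": hijacked_start_pages(hjt_text),
        "appinit_dlls": dlls,
        "locked_files": locked,
        # A DLL that is both injected via AppInit_DLLs and unreadable on disk is
        # the pattern this thread hit: it reloads on every boot and cannot be
        # deleted until the registry value stops referencing it.
        "persistent_locked_dlls": [d for d in dlls if d.lower() in locked_lower],
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_HJT, SAMPLE_REG, SAMPLE_FINDALL).items():
        print(f"{name}: {finding}")
```

On its own, an about:blank start page is not proof of infection (it is a legitimate setting), which is why the script only treats the R0/R1 lines as one indicator and keys its verdict on the AppInit_DLLs entry that also appears in the locked-file list. After the value has been cleared, as in the later Find-All logs in this thread, `appinit_dlls` returns an empty list and `persistent_locked_dlls` is empty.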

#7 roffles

Posted 21 May 2004 - 06:13 AM

Access denied when deleting d3di.dll, as you expected.
Find-All log below

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==-- 
 

Fri May 21 06:11:50 2004 -- Results: 
*System Info: 

Microsoft Windows XP [Version 5.1.2600]
C: "" (A856:80F1) - FS:NTFS clusters:4k
Total: 60 011 610 112 [56G] - Free: 37 244 923 904 [35G]
 
 
 *IE version and Service packs: 
             6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion	REG_SZ;SP1;Q832894;Q330994;Q837009;Q831167;

 *Google Toolbar version and Attributes: 
 Defaults: "A";"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google
 
 *UserAgent: 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 
 *Wmplayer version: 
                9.0.0.2980  C:\Program Files\Windows Media Player\wmplayer.exe
                6.4.9.1125  C:\Program Files\Windows Media Player\mplayer2.exe
 
 *M$Java version: 
 
 
 *PC uptime: 
  6:11am  up 0 days,  0:02
 
*Locked or 'Suspect' file(s) found... 
\\?\C:\WINDOWS\System32\D3DI.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DI.DLL +++ File read error
 
 
 *Tasks (services): 
   0 System Process  
   4 System          
 628 smss.exe        
 676 csrss.exe       Title: 
 704 winlogon.exe    Title: NetDDE Agent
 748 services.exe    Svcs:  Eventlog,PlugPlay
 760 lsass.exe       Svcs:  PolicyAgent,ProtectedStorage,SamSs
 944 svchost.exe     Svcs:  RpcSs
1044 svchost.exe     Svcs:  AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitching
ompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,s
clogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time
winmgmt,wuauserv
1196 svchost.exe     Svcs:  Dnscache
1228 svchost.exe     Svcs:  LmHosts,RemoteRegistry,SSDPSRV,WebClient
1448 spoolsv.exe     Svcs:  Spooler
1756 explorer.exe    Title: Program Manager
1968 nvsvc32.exe     Svcs:  NVSvc
2012 SMAgent.exe     Svcs:  SoundMAX Agent Service (default)
 248 SMax4PNP.exe    Title: SMax4PNP
 300 SMax4.exe       Title: SoundMax4
 344 rundll32.exe    Title: MediaCenter
 404 jusched.exe     Title: OleMainThreadWndName
2008 iexplore.exe    Title: Avant Browser
1360 cmd.exe         Title: C:\WINDOWS\System32\cmd.exe
 888 ntvdm.exe       
1696 tlist.exe       
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4853E31D-4B02-4EA4-881F-83DF68943755}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AEAF98EA-4ED8-4EB9-B818-F447679C1EEA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AEAF98EA-4ED8-4EB9-B818-F447679C1EEA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key: 
 

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls	REG_SZ	


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-IO) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access  CAPSULE\Gryphon
(ID-IO) ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read         	 BUILTIN\Users
QWCEN-DS--      BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM
Full access    CAPSULE\Gryphon


 *ACLs list for *.* in 'junk' folder: (if exist) 

Error: Cannot open file [C:\junk\*.*]

Fri May 21 06:11:51 2004 -- *Find-All 'Windows'.hiv list: 
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\winBackup.hiv
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\windows.txt
A          C:\FindallwinBackup.hiv



#8 freeatlast

Posted 21 May 2004 - 07:33 AM

Good progress!
Next step: we are going to move the file to
another location and reset its permissions!

-Unzip the salamand.zip folder, run salamand.exe.
Follow these menu options exactly as described:

*Top menu "Left" > Change Drive > click C:
*"Right" > Change Drive > click C:
*"Commands" > Create Directory... > paste: junk > OK.
*"Options" > check "Command Line"
*"Commands" > Change Directory > paste:
C:\WINDOWS\System32 > 'OK'
*"Commands" > Find Files... > edit:
*In 'Search for' paste: D3DI.DLL
Uncheck 'Include subdirectories',
hit 'OK' and 'Start'.
*On the file found, hit -> 'Focus'
*Top menu "Files" -> Move/Rename, type:
C:\junk
hit 'OK'.

Inside the 'Find-All' folder there should be a 'Final.bat' file.
Double-click on it once; it should clean/restore the key
(though nothing will appear to happen).

Run Find-All.bat again and post the scan results.

#9 roffles

Posted 21 May 2004 - 07:41 AM

I moved the file, but there is no final.bat in the Find-All folder. I tried redownloading it as well; it doesn't appear to be there. Am I missing something?

*edit* List of the files in the Find-All folder:

FIND-ALL.BAT
getver.exe
msgbox.exe
now.exe
output.txt
reg.exe
RegDACL.exe
RegFix.reg
SHOWACLS.EXE
tlist.exe
UPTIME.EXE
winBackup.hiv
windows.txt
XFIND.exe
Xfix.bat
zdu.exe

Edited by roffles, 21 May 2004 - 07:46 AM.


#10 freeatlast

Posted 21 May 2004 - 07:49 AM

Thanks, I uploaded/changed it since.
Just click on the "Xfix.bat". That's it!

Post another Find-All.bat run!

Edited by freeatlast, 21 May 2004 - 07:49 AM.


#11 roffles

Posted 21 May 2004 - 07:52 AM

New log

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==-- 
 

Fri May 21 07:51:44 2004 -- Results: 
*System Info: 

Microsoft Windows XP [Version 5.1.2600]
C: "" (A856:80F1) - FS:NTFS clusters:4k
Total: 60 011 610 112 [56G] - Free: 36 860 223 488 [34G]
 
 
 *IE version and Service packs: 
             6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion	REG_SZ;SP1;Q832894;Q330994;Q837009;Q831167;

 *Google Toolbar version and Attributes: 
 Defaults: "A";"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google
 
 *UserAgent: 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 
 *Wmplayer version: 
                9.0.0.2980  C:\Program Files\Windows Media Player\wmplayer.exe
                6.4.9.1125  C:\Program Files\Windows Media Player\mplayer2.exe
 
 *M$Java version: 
 
 
 *PC uptime: 
  7:51am  up 0 days,  1:41
 
*Locked or 'Suspect' file(s) found... 
 
 
 *Tasks (services): 
   0 System Process  
   4 System          
 628 smss.exe        
 676 csrss.exe       Title: 
 704 winlogon.exe    Title: NetDDE Agent
 748 services.exe    Svcs:  Eventlog,PlugPlay
 760 lsass.exe       Svcs:  PolicyAgent,ProtectedStorage,SamSs
 944 svchost.exe     Svcs:  RpcSs
1044 svchost.exe     Svcs:  AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitching
ompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,s
clogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time
winmgmt,wuauserv
1196 svchost.exe     Svcs:  Dnscache
1228 svchost.exe     Svcs:  LmHosts,RemoteRegistry,SSDPSRV,WebClient
1448 spoolsv.exe     Svcs:  Spooler
1756 explorer.exe    Title: Program Manager
1968 nvsvc32.exe     Svcs:  NVSvc
2012 SMAgent.exe     Svcs:  SoundMAX Agent Service (default)
 248 SMax4PNP.exe    Title: SMax4PNP
 300 SMax4.exe       Title: SoundMax4
 344 rundll32.exe    Title: MediaCenter
 404 jusched.exe     Title: OleMainThreadWndName
1688 iexplore.exe    Title: Avant Browser
1484 SALAMAND.EXE    Title: Servant Salamander
1620 cmd.exe         Title: C:\WINDOWS\System32\cmd.exe
1256 ntvdm.exe       
 896 tlist.exe       
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4853E31D-4B02-4EA4-881F-83DF68943755}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AEAF98EA-4ED8-4EB9-B818-F447679C1EEA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AEAF98EA-4ED8-4EB9-B818-F447679C1EEA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key: 
 

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls	REG_SZ	


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read       	 BUILTIN\Users
(IO)    ALLOW  Read       	 BUILTIN\Users
(NI)    ALLOW  Read       	 BUILTIN\Power Users
(IO)    ALLOW  Read       	 BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read         	 BUILTIN\Users
Read         	 BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM


 *ACLs list for *.* in 'junk' folder: (if exist) 


Fri May 21 07:51:45 2004 -- *Find-All 'Windows'.hiv list: 
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\winBackup.hiv
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\windows.txt
A          C:\FindallwinBackup.hiv



#12 freeatlast

Posted 21 May 2004 - 08:00 AM

Looks good!

Final steps: run salamand again, click once
on the "left" menu to be in C:\

--------------------------------------------------------
Into the visual bottom narrow box, with:
--------------------------------------------------------
C:\>
--------------------------------------------------------
Copy & paste the following 2 commands, one at a time,
and hit Enter.
You should get a (processed..) confirmation on the first,
and nothing on the second.
Close the prompt box after each
command returns.
(Command #1) (copy the entire highlighted command)

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f

(Command #2)

attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111

Close the program, go to the C:\junk <- folder, and zip it up!!
Submit the zipped junk on the same page (My Find-All link) by
clicking on the 'files for submissions' link.
It will open your email client; navigate and add
it as an attachment! Thanks ;)

Lastly, delete the 'junk' folder(s) from C:

Run again (they should work well now):
Shredder
Ad-Aware
Spybot!

Feel free to post follow-up log(s) when done!
(Find-All and HijackThis)

#13 roffles

Posted 21 May 2004 - 08:13 AM

HJT Log
Logfile of HijackThis v1.97.7
Scan saved at 8:12:23 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38051.8777314815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


#14 roffles

roffles

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 21 May 2004 - 08:13 AM

Find All log

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==-- 
 

Fri May 21 08:13:18 2004 -- Results: 
*System Info: 

Microsoft Windows XP [Version 5.1.2600]
C: "" (A856:80F1) - FS:NTFS clusters:4k
Total: 60 011 610 112 [56G] - Free: 36 859 457 536 [34G]
 
 
 *IE version and Service packs: 
             6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion	REG_SZ;SP1;Q832894;Q330994;Q837009;Q831167;

 *Google Toolbar version and Attributes: 
 Defaults: "A";"R" 
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google
 
 *UserAgent: 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 
 *Wmplayer version: 
                9.0.0.2980  C:\Program Files\Windows Media Player\wmplayer.exe
                6.4.9.1125  C:\Program Files\Windows Media Player\mplayer2.exe
 
 *M$Java version: 
 
 
 *PC uptime: 
  8:13am  up 0 days,  2:03
 
*Locked or 'Suspect' file(s) found... 
 
 
 *Tasks (services): 
   0 System Process  
   4 System          
 628 smss.exe        
 676 csrss.exe       Title: 
 704 winlogon.exe    Title: NetDDE Agent
 748 services.exe    Svcs:  Eventlog,PlugPlay
 760 lsass.exe       Svcs:  PolicyAgent,ProtectedStorage,SamSs
 944 svchost.exe     Svcs:  RpcSs
1044 svchost.exe     Svcs:  AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,wuauserv
1196 svchost.exe     Svcs:  Dnscache
1228 svchost.exe     Svcs:  LmHosts,RemoteRegistry,SSDPSRV,WebClient
1448 spoolsv.exe     Svcs:  Spooler
1756 explorer.exe    Title: Program Manager
1968 nvsvc32.exe     Svcs:  NVSvc
2012 SMAgent.exe     Svcs:  SoundMAX Agent Service (default)
 248 SMax4PNP.exe    Title: SMax4PNP
 300 SMax4.exe       Title: SoundMax4
 344 rundll32.exe    Title: MediaCenter
 404 jusched.exe     Title: OleMainThreadWndName
1148 msmsgs.exe      Title: 
2008 iexplore.exe    Title: Avant Browser
1368 Ad-aware.exe    Title: Ad-aware 6
 392 HijackThis.exe  Title: HijackThis
 816 notepad.exe     Title: hijackthis.log - Notepad
1360 cmd.exe         Title: C:\WINDOWS\System32\cmd.exe
1836 ntvdm.exe       
 364 tlist.exe       
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key: 
 

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls	REG_SZ	


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read       	 BUILTIN\Users
(IO)    ALLOW  Read       	 BUILTIN\Users
(NI)    ALLOW  Read       	 BUILTIN\Power Users
(IO)    ALLOW  Read       	 BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read         	 BUILTIN\Users
Read         	 BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM


 *ACLs list for *.* in 'junk' folder: (if exist) 

Error: Cannot open file [C:\junk\*.*]

Fri May 21 08:13:18 2004 -- *Find-All 'Windows'.hiv list: 
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\winBackup.hiv
A          C:\DOCUME~1\Gryphon\Desktop\Find-All\windows.txt
A          C:\FindallwinBackup.hiv



#15 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 21 May 2004 - 08:17 AM

Clean bill on both counts! :)

Just "Fix checked" those in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

And you're all set!
Reset your home page, restore defaults in IE options; stay out of trouble! B)
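A small triage script for HijackThis-style log lines such as the three fixed above, added here as an example (it is not from this thread or from HijackThis itself). The sample log is constructed to mirror the entry types in the poster's log, and the O4 path in it is a placeholder.

```python
import re
from typing import List, Tuple

# Constructed HijackThis-style log excerpt (sample input, not the poster's log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Example] C:\placeholder\example.exe
"""

# HJT entries look like "<section> - <body>", e.g. "R0 - ..." or "O3 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# A CLSID is 32 hex digits in 8-4-4-4-12 groups: 36 characters between braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for lines a helper would mark 'Fix checked'."""
    findings = []
    for section, body in parse_entries(log):
        entry = f"{section} - {body}"
        # Rule 1: an R0 start page still pointing at about:blank is the residue a
        # CWS.Searchx hijack leaves behind after the hijacker itself is removed.
        if section == "R0" and "Start Page = about:blank" in body:
            findings.append(("start page hijacked to about:blank", entry))
        # Rule 2: a BHO or toolbar CLSID whose file is gone is an orphaned
        # registration; it does nothing, but cleaning it removes the dangling hook.
        elif section in ("O2", "O3") and body.endswith("(no file)"):
            clsid = CLSID_RE.search(body)
            tag = clsid.group(0) if clsid else "<no CLSID>"
            findings.append((f"orphaned {section} entry {tag}", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

The R1 HomeOldSP line is deliberately left alone: HijackThis records the previous start page there, and it is restored when the home page is reset in IE options.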

#16 roffles

roffles

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 21 May 2004 - 08:20 AM

Thanks a ton for your help and time!



