searchx removal
24 replies to this topic

#1 mrose (Full Member, 16 posts)

Posted 21 May 2004 - 10:11 AM

I can't seem to get rid of searchx and whatever else I'm not finding. I've run CWShredder, Ad-Aware and HijackThis, deleted the appropriate entries in the registry, but after 1-2 reboots my homepage is hijacked again. Weird thing is that when I run findall.bat it initially says something about a sqlpeii.dll read error but does not say anything about it in the log. And when I try to locate that file it's nowhere to be found. Does that have anything to do with my problem? How do I permanently get rid of this thing... it's driving me nuts. My Find-All log file is below as well as my HijackThis log. Thanks.

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--


Fri May 21 11:05:49 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (0871:FAD6) - FS:NTFS clusters:4k
Total: 4 195 827 712 [3.9G] - Free: 867 954 688 [828M]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

*Google Toolbar version and Attributes:
2.0.110.0 C:\Program Files\google\googletoolbar1.dll
Defaults: "A" ;"R"
File not found - C:\Program Files\google\googletoolbar2.dll
A C:\Program Files\google\GoogleToolbar1.dll

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3805.0 C:\WINNT\System32\msjava.dll


*PC uptime:
11:05am up 0 days, 0:39

*Locked or 'Suspect' file(s) found...


*Tasks (services):
0 System Process
8 System
144 SMSS.EXE
168 CSRSS.EXE Title:
164 WINLOGON.EXE Title: NetDDE Agent
224 SERVICES.EXE Svcs: Alerter,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
236 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
456 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv,WZCSVC
508 spoolsv.exe Svcs: Spooler
592 cpqalert.exe Svcs: CPQALERT
612 defwatch.exe Svcs: DefWatch
644 LogWatNT.exe Svcs: LogWatch
704 rtvscan.exe Svcs: Norton AntiVirus Server
740 regsvc.exe Svcs: RemoteRegistry
760 LOCATOR.EXE Svcs: RpcLocator
788 mstask.exe Svcs: Schedule
824 SDServ.exe Svcs: SDService
868 SLClient.exe Svcs: SLClient
948 Win32sl.exe Svcs: Win32sl
972 WinMgmt.exe Svcs: WinMgmt
1004 svchost.exe Svcs: wuauserv
1012 TRIGGAG.exe
1140 cpqdmi.exe Svcs: CPQDMI
1296 sxplog32.exe Title: Software Management Product Installer
312 explorer.exe Title: Program Manager
1452 triggusr.exe Title: SDUSERTRIGGERWND
1524 OUTLOOK.EXE Title: Inbox - Microsoft Outlook
1592 MAPISP32.EXE Title: WMS Idle
1428 agentsvr.exe Title: Menu Parent Window
1412 EXCEL.EXE Title: Microsoft Excel - Weekly Unbilled as of May 21 2004
1348 IEXPLORE.EXE Title: SWI Forums -> Arrg, about:blank - Microsoft Internet Explorer
1336 CMD.EXE Title: C:\WINNT\system32\cmd.exe
1460 NTVDM.EXE
1320 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21B56D79-4E5A-41CF-82A7-691274D2E440}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]

Fri May 21 11:05:59 2004 -- *Find-All 'Windows'.hiv list:
A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\winBackup.hiv
A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv






Logfile of HijackThis v1.97.7
Scan saved at 11:10:41 AM, on 5/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\marc_r\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {21B56D79-4E5A-41CF-82A7-691274D2E440} - C:\WINNT\system32\pgbgca.dll
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://info.vnsny.or...rces/msddsc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8126.3221412037
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VNSNY.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VNSNY.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VNSNY.ORG
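The HijackThis log above is the evidence the rest of the thread works from. As an added example (not from the thread and not part of HijackThis), here is a small Python triage script that pulls out the indicators a responder would look at in such a log: R0/R1 entries whose search pages point at a res:// resource inside a DLL, O2 BHOs registered with no display name, and a UserInit value carrying extra executables, and then correlates them. The sample lines are copied from the post; the function names and the decision rules are my own.

```python
"""Triage a HijackThis log for CoolWebSearch-style indicators (added example)."""
import re

# Constructed sample: the relevant lines from the first HJT log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {21B56D79-4E5A-41CF-82A7-691274D2E440} - C:\WINNT\system32\pgbgca.dll
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VNSNY.ORG
"""

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# A res:// URL whose host part is a DLL: the search page is served from inside a library.
RES_RE = re.compile(r"res://([^/\s]+\.dll)", re.IGNORECASE)
# "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"BHO:\s*(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")


def parse_entries(log_text):
    """Return (code, body) pairs for every HJT entry line (R0, F2, O2, ...)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_res_hijacks(entries):
    """DLLs that IE start/search settings point at via res:// (R0/R1 lines)."""
    dlls = set()
    for code, body in entries:
        if code in ("R0", "R1"):
            for m in RES_RE.finditer(body):
                dlls.add(m.group(1).lower())
    return dlls


def find_unnamed_bhos(entries):
    """O2 BHOs registered without a display name, as (clsid, lowercased path)."""
    found = []
    for code, body in entries:
        if code != "O2":
            continue
        m = BHO_RE.match(body)
        if m and m.group(1).strip().lower() == "(no name)":
            found.append((m.group(2), m.group(3).strip().lower()))
    return found


def find_userinit_extras(entries):
    """Executables appended to UserInit beyond userinit.exe (F2 lines).

    Anything listed here runs at logon, so it must be verified by hand: in the
    thread's log the extra entry is a software-management installer, not malware.
    """
    extras = []
    for code, body in entries:
        if code != "F2" or "UserInit=" not in body:
            continue
        value = body.split("UserInit=", 1)[1]
        for part in value.split(","):
            part = part.strip()
            if part and not part.lower().endswith("userinit.exe"):
                extras.append(part)
    return extras


def triage(log_text):
    """Collect the indicators and correlate them into one findings dict."""
    entries = parse_entries(log_text)
    res_dlls = find_res_hijacks(entries)
    bhos = find_unnamed_bhos(entries)
    # The same DLL acting as the BHO *and* serving the res:// search page is
    # the pattern seen in this thread: one component enforces the hijack and
    # hosts the page it redirects to.
    correlated = sorted(res_dlls & {path for _, path in bhos})
    return {
        "res_dlls": sorted(res_dlls),
        "unnamed_bhos": bhos,
        "userinit_extras": find_userinit_extras(entries),
        "correlated_dlls": correlated,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An `about:blank` start page on its own is neutral; it becomes meaningful when the same log's search pages are `res://` resources inside a DLL, which is why the script keys on the res:// target and the BHO path rather than on the start page.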

#2 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 21 May 2004 - 01:46 PM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

#3 mrose (Full Member, 16 posts)

Posted 21 May 2004 - 02:34 PM

okie dokie... here's the value

C:\WINNT\system32\sqlpeii.dll

#4 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 21 May 2004 - 02:52 PM

Use the Registrar Lite program. Navigate to (you can type the line directly into reglite address bar and hit 'go'):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Rename the Windows key in the left pane to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

(You should now be able to clear the hidden contents of the AppInit_DLLs value in the right pane without being undone by the hidden process.)

DoubleClick "Appinit_Dlls" value on right pane and erase the data on the lower box (in value field):

"C:\WINNT\System32\sqlpeii.dll", hit 'apply' and 'ok' to set.

Rename NotWindows back to Windows in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the sqlpeii.dll in C:\WINNT\System32.

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

Copy and paste this into the 'From' box: C:\WINNT\System32\sqlpeii.dll
Copy and paste this into the 'To' box: C:\Junk\sqlpeii.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the final steps.
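Daemon's instructions turn on a value that regedit and the Find-All export show as empty (`"AppInit_DLLs"=""`) while Registrar Lite shows a DLL path. The example below is added here and is not from the thread; it does not claim to reproduce the exact trick this variant used, which the thread never identifies. It shows the general class a responder should know how to check for: a REG_SZ value whose stored bytes continue past the point where a NUL-terminated string read stops, so a tool that treats the data as a C string reports an empty string while a reader that uses the stored data length sees everything. The byte strings are constructed; `c_string_view`, `hidden_payload` and `audit` are my names.

```python
"""Detect registry string data hidden behind an embedded NUL (added example).

The registry stores REG_SZ data as a length-prefixed UTF-16LE blob.  Any
reader that stops at the first NUL code unit shows only the leading part;
comparing that view with the full stored data exposes the remainder.
"""


def utf16(text):
    """Encode a Python string the way REG_SZ data is stored (no terminator)."""
    return text.encode("utf-16-le")


def c_string_view(raw):
    """What a reader that stops at the first UTF-16 NUL reports."""
    units = []
    for i in range(0, len(raw) - 1, 2):
        unit = raw[i:i + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def full_view(raw):
    """Everything actually stored, with NUL code units made visible."""
    return raw.decode("utf-16-le", errors="replace").replace("\x00", "<NUL>")


def hidden_payload(raw):
    """Text that a C-string read would miss, or '' when there is none."""
    visible = c_string_view(raw)
    consumed = len(utf16(visible)) + 2  # +2 for the NUL that stopped the read
    remainder = raw[consumed:]
    return remainder.decode("utf-16-le", errors="replace").strip("\x00")


def audit(raw):
    """Summarise one value: what is shown, what is hidden, and whether that is odd."""
    hidden = hidden_payload(raw)
    return {
        "visible": c_string_view(raw),
        "hidden": hidden,
        "is_suspicious": hidden != "",
    }


# Constructed test data (labelled as such): these bytes are not taken from
# any real system and the path is simply the one discussed in the thread.
NORMAL_EMPTY = utf16("") + b"\x00\x00"
NORMAL_VALUE = utf16("legit.dll") + b"\x00\x00"
HIDDEN_LEADING_NUL = b"\x00\x00" + utf16(r"C:\WINNT\system32\sqlpeii.dll") + b"\x00\x00"
SPLIT_VALUE = utf16("a.dll") + b"\x00\x00" + utf16("b.dll") + b"\x00\x00"


if __name__ == "__main__":
    for name, raw in [("empty", NORMAL_EMPTY), ("normal", NORMAL_VALUE),
                      ("leading NUL", HIDDEN_LEADING_NUL), ("split", SPLIT_VALUE)]:
        print(f"{name:12} stored={full_view(raw)!r:60} -> {audit(raw)}")
```

The practical check is the comparison itself: when the byte length a registry API reports for a value is larger than the displayed string accounts for, the difference is data some tools will never show you. A REG_SZ value holding nothing but its terminator has a stored size of exactly two bytes; anything larger with an empty display is worth exporting and inspecting.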

#5 mrose (Full Member, 16 posts)

Posted 21 May 2004 - 03:06 PM

It won't let me rename it... gives me an "error renaming key" error, then when I try again it says it exists already. So it's making a new folder but it's not renaming the Windows folder. What should I do?

#6 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 21 May 2004 - 03:45 PM

Can you now see the sqlpeii.dll in C:\WINNT\System32?

#7 mrose (Full Member, 16 posts)

Posted 21 May 2004 - 05:58 PM

Nope... still not there.

#8 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 22 May 2004 - 04:40 AM

Try this. Download 'Dllfix.exe' from: http://tools.zerosrealm.com/dllfix.exe

It is a self-extracting archive; double click on it.

Open the DLLFIX folder and double click on Start.bat. At the main menu, press '2' (Run Fix) and enter.

At the second menu, press '1' (Enter DLL Name Manually) and enter

At the prompt, enter: sqlpeii.dll

Your system will reboot in 15 seconds and begin the fix.

When finished, there will be a log (log.txt) in the dllfix folder, post it in your next reply.

#9 mrose (Full Member, 16 posts)

Posted 24 May 2004 - 07:43 AM

This is the log from dllfix:

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Mon 05/24/2004
8:36a

Backing up Registry Hive

Deleting Windows Key

Restoring Registry Hive

Deleting temp value

#10 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 24 May 2004 - 09:30 AM

Hmm... that is a bit briefer than I was expecting. Could you post a new HJT log?

#11 mrose (Full Member, 16 posts)

Posted 24 May 2004 - 09:31 AM

Sure... here it is.

Logfile of HijackThis v1.97.7
Scan saved at 10:31:51 AM, on 5/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\TNGSD\BIN\triggusr.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\marc_r\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {21B56D79-4E5A-41CF-82A7-691274D2E440} - C:\WINNT\system32\pgbgca.dll
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://info.vnsny.or...rces/msddsc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8126.3221412037
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VNSNY.ORG
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VNSNY.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VNSNY.ORG

#12 mrose (Full Member, 16 posts)

Posted 24 May 2004 - 09:44 AM

I should mention that when I ran dllfix it gave me an error message while running that said something like:

Cannot import app.reg...some keys are open by the system or other processes

#13 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 24 May 2004 - 09:53 AM

I put up a new version of dllfix last night. Please download the newest and try it again.



#14 mrose (Full Member, 16 posts)

Posted 24 May 2004 - 10:06 AM

DLed and ran the new dllfix. Didn't touch it for a good five minutes, but it kept repeating the error message "Error: The system was unable to find registered key or value".

Had to close it out. It didn't reboot the system. Here's the log it spit out.

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Mon 05/24/2004
10:58a

Backing up Registry Hive

Deleting Windows Key

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

#15 mrose (Full Member, 16 posts)

Posted 24 May 2004 - 10:46 AM

Any thoughts???

#16 mrose (Full Member, 16 posts)

Posted 24 May 2004 - 02:55 PM

bump

#17 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 24 May 2004 - 02:58 PM

That's really strange.
Let me look into it.

I will check back later.
Can you post a findall again please?



#18 mrose (Full Member, 16 posts)

Posted 24 May 2004 - 03:23 PM

Absolutely. I will post a bump again tomorrow morning when I come in. This is my work computer. Thanks for your help.

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--


Mon May 24 16:22:25 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (0871:FAD6) - FS:NTFS clusters:4k
Total: 4 195 827 712 [3.9G] - Free: 846 213 120 [807M]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

*Google Toolbar version and Attributes:
2.0.110.0 C:\Program Files\google\googletoolbar1.dll
Defaults: "A" ;"R"
File not found - C:\Program Files\google\googletoolbar2.dll
A C:\Program Files\google\GoogleToolbar1.dll

*UserAgent:

*Wmplayer version:
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3805.0 C:\WINNT\System32\msjava.dll


*PC uptime:
4:22pm up 0 days, 2:37

*Locked or 'Suspect' file(s) found...


*Tasks (services):
0 System Process
8 System
144 SMSS.EXE
168 CSRSS.EXE Title:
164 WINLOGON.EXE Title: NetDDE Agent
224 SERVICES.EXE Svcs: Alerter,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
236 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs
408 svchost.exe Svcs: RpcSs
456 svchost.exe Svcs: EventSystem,NtmsSvc,RasMan,SENS,TapiSrv,WZCSVC
512 spoolsv.exe Svcs: Spooler
588 cpqalert.exe Svcs: CPQALERT
612 defwatch.exe Svcs: DefWatch
644 LogWatNT.exe Svcs: LogWatch
704 rtvscan.exe Svcs: Norton AntiVirus Server
748 regsvc.exe Svcs: RemoteRegistry
768 LOCATOR.EXE Svcs: RpcLocator
796 mstask.exe Svcs: Schedule
844 SDServ.exe Svcs: SDService
880 SLClient.exe Svcs: SLClient
956 Win32sl.exe Svcs: Win32sl
980 WinMgmt.exe Svcs: WinMgmt
1012 svchost.exe Svcs: wuauserv
1024 TRIGGAG.exe
1148 cpqdmi.exe Svcs: CPQDMI
964 sxplog32.exe Title: Software Management Product Installer
916 explorer.exe Title: Program Manager
1348 triggusr.exe Title: SDUSERTRIGGERWND
1288 OUTLOOK.EXE Title: Milicent Archive - Microsoft Outlook
592 MAPISP32.EXE Title: WMS Idle
376 EXTRA.exe Title: SESSION1 - EXTRA! Personal Client
1440 agentsvr.exe Title: Menu Parent Window
1512 SNABASE.EXE Title: SnaServer Client
352 IEXPLORE.EXE
332 IEXPLORE.EXE
308 IEXPLORE.EXE
420 IEXPLORE.EXE
1568 IEXPLORE.EXE
304 IEXPLORE.EXE
716 IEXPLORE.EXE
1588 CMD.EXE Title: C:\WINNT\system32\cmd.exe
1624 NTVDM.EXE
1632 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F76D35-3B9C-48AC-8FD0-E8E416A77B2F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]

Mon May 24 16:22:36 2004 -- *Find-All 'Windows'.hiv list:
A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\winBackup.hiv
A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\windows.txt
A C:\FindallwinBackup.hiv

#19 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 24 May 2004 - 04:28 PM

Do you have admin rights on this computer? I think that may be the whole problem with removal.



#20 mrose (Full Member, 16 posts)

Posted 25 May 2004 - 08:03 AM

That's probably the case. Is there any way I could make a boot disk as a way around that?? Also, it's strange, but I can rename other folders in the registry... just not the one we need to. Any final thoughts before I just give up and leave it on here? Thanks.

#21 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 25 May 2004 - 08:22 AM

Well, the ACL shows this:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users

So if you are in those user groups you don't have rights.

You really need administrator access one way or another to effect removal.
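shadowwar's reading of the RegDACL block can be checked mechanically. The following is an added example, not from the thread and not part of RegDACL: it parses the ACL lines quoted from the Find-All log and reports what rights a token holding a given set of groups has on the key itself. Entries marked (IO) are inherit-only in Windows ACE terms and apply to subkeys rather than to the key, which is why the tool's own "Effective permissions" summary on the page lists each group once; treating the (NI) entries as the ones that apply to the key itself is my assumption, consistent with that summary. The sample text is copied from the post; the function names are mine.

```python
"""Work out effective rights on a registry key from RegDACL output (added example)."""
import re

# Constructed from the RegDACL lines quoted in the thread's Find-All log.
REGDACL_OUTPUT = r"""
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
"""

# "(flags) ALLOW|DENY <right> <trustee>"; the right names are the ones RegDACL
# prints on this page plus the common Write/Special spellings (assumption).
ACE_RE = re.compile(r"^\(([\w,]+)\)\s+(ALLOW|DENY)\s+(Full access|Read|Write|Special)\s+(.+)$")


def parse_aces(text):
    """Turn each ACE line into a dict; header and blank lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            flags, kind, right, trustee = m.groups()
            aces.append({
                "flags": set(flags.split(",")),
                "type": kind,
                "right": right,
                "trustee": trustee.strip(),
            })
    return aces


def effective_rights(aces, principals):
    """Rights on the key itself for a token that holds exactly `principals`.

    Inherit-only ACEs (IO) govern subkeys, not this key, so they are skipped.
    A DENY overrides an ALLOW of the same right, and a denied Read blocks
    everything, since every other right includes reading the key.
    """
    wanted = {p.lower() for p in principals}
    allowed, denied = set(), set()
    for ace in aces:
        if "IO" in ace["flags"]:
            continue
        if ace["trustee"].lower() not in wanted:
            continue
        (denied if ace["type"] == "DENY" else allowed).add(ace["right"])
    if "Read" in denied:
        return set()
    return allowed - denied


def can_modify(aces, principals):
    """True when the token could change values under the key (Full access or Write)."""
    rights = effective_rights(aces, principals)
    return "Full access" in rights or "Write" in rights


if __name__ == "__main__":
    parsed = parse_aces(REGDACL_OUTPUT)
    for groups in ([r"BUILTIN\Users"], [r"BUILTIN\Power Users"], [r"BUILTIN\Administrators"]):
        print(groups, sorted(effective_rights(parsed, groups)), "modify:", can_modify(parsed, groups))
```

Run against the quoted ACL, a token that is only in Users or Power Users comes out with Read and nothing else, and an Administrators or SYSTEM token with Full access, which matches both the "Effective permissions" block in the log and shadowwar's conclusion: without membership in a group that holds Full access (or Write) on the key, the cleanup steps that edit it cannot succeed.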



#22 mrose (Full Member, 16 posts)

Posted 25 May 2004 - 12:37 PM

Good luck getting my admin guy to even admit he doesn't know something and take the right course of action. He thinks Norton takes care of all and that I'm just a computer illiterate idiot. Thanks anyway. This forum is a tremendous resource. -Marc

#23 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 25 May 2004 - 01:07 PM

Reglite can act a bit funny on 2K.
Not sure about the other issues, but can you try
running the latest version
of 'Find-All':
http://freeatlast.10...om/Find-All.zip

- Unzip, run 'Find-All.Cmd', post the log!

If you didn't have sufficient rights, RegDACL
wouldn't list all those groups there!

Also open reglite into the key and post the "size" listed under
'type' (next to the value name in the data editor).

This is strange:
*Locked or 'Suspect' file(s) found...

Run a search for: C:\WINNT\system32\sqlpeii.dll
and see whether it's found. (Unlikely.)

Also try right-clicking on reglite -> Run As...
Select the Administrator ..........
Are you able to run it?
It will run as a new install then! (Unless you'll be asked for a password.)

#24 Primax (New Member, 1 post)

Posted 26 May 2004 - 08:54 AM

Try searching for files containing "hydrocodone" in c:\winnt
Note the filename
Start regedit
Search for the filename and delete those entries
Run the latest CWShredder
Restart
Use HijackThis to clean up start keys

#25 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 26 May 2004 - 11:28 AM

Wish it was that easy, Primax.





