mrose

searchx removal

25 posts in this topic

I can't seem to get rid of searchx and whatever else I'm not finding. I've run CWShredder, Ad-Aware and HijackThis and deleted the appropriate entries in the registry, but after 1-2 reboots my homepage is hijacked again. The weird thing is that when I run findall.bat it initially says something about a sqlpeii.dll read error but does not say anything about it in the log. And when I try to locate that file it's nowhere to be found. Does that have anything to do with my problem? How do I permanently get rid of this thing... it's driving me nuts. My Find-All log file is below, as well as the HijackThis log. Thanks.

 

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--

 

 

Fri May 21 11:05:49 2004 -- Results:

*System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "" (0871:FAD6) - FS:NTFS clusters:4k

Total: 4 195 827 712 [3.9G] - Free: 867 954 688 [828M]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;

 

*Google Toolbar version and Attributes:

2.0.110.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

File not found - C:\Program Files\google\googletoolbar2.dll

A C:\Program Files\google\GoogleToolbar1.dll

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3805.0 C:\WINNT\System32\msjava.dll

 

 

*PC uptime:

11:05am up 0 days, 0:39

 

*Locked or 'Suspect' file(s) found...

 

 

*Tasks (services):

0 System Process

8 System

144 SMSS.EXE

168 CSRSS.EXE Title:

164 WINLOGON.EXE Title: NetDDE Agent

224 SERVICES.EXE Svcs: Alerter,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi

236 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs

404 svchost.exe Svcs: RpcSs

456 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv,WZCSVC

508 spoolsv.exe Svcs: Spooler

592 cpqalert.exe Svcs: CPQALERT

612 defwatch.exe Svcs: DefWatch

644 LogWatNT.exe Svcs: LogWatch

704 rtvscan.exe Svcs: Norton AntiVirus Server

740 regsvc.exe Svcs: RemoteRegistry

760 LOCATOR.EXE Svcs: RpcLocator

788 mstask.exe Svcs: Schedule

824 SDServ.exe Svcs: SDService

868 SLClient.exe Svcs: SLClient

948 Win32sl.exe Svcs: Win32sl

972 WinMgmt.exe Svcs: WinMgmt

1004 svchost.exe Svcs: wuauserv

1012 TRIGGAG.exe

1140 cpqdmi.exe Svcs: CPQDMI

1296 sxplog32.exe Title: Software Management Product Installer

312 explorer.exe Title: Program Manager

1452 triggusr.exe Title: SDUSERTRIGGERWND

1524 OUTLOOK.EXE Title: Inbox - Microsoft Outlook

1592 MAPISP32.EXE Title: WMS Idle

1428 agentsvr.exe Title: Menu Parent Window

1412 EXCEL.EXE Title: Microsoft Excel - Weekly Unbilled as of May 21 2004

1348 IEXPLORE.EXE Title: SWI Forums -> Arrg, about:blank - Microsoft Internet Explorer

1336 CMD.EXE Title: C:\WINNT\system32\cmd.exe

1460 NTVDM.EXE

1320 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21B56D79-4E5A-41CF-82A7-691274D2E440}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

 

Error: Cannot open file [C:\junk\*.*]

 

Fri May 21 11:05:59 2004 -- *Find-All 'Windows'.hiv list:

A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\winBackup.hiv

A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv

 

 

 

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:10:41 AM, on 5/21/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\SxpInst\sxplog32.exe

C:\WINNT\Explorer.EXE

C:\TNGSD\BIN\triggusr.exe

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\WINNT\msagent\AgentSvr.exe

C:\Program Files\Microsoft Office\Office\EXCEL.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\marc_r\My Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe

O2 - BHO: (no name) - {21B56D79-4E5A-41CF-82A7-691274D2E440} - C:\WINNT\system32\pgbgca.dll

O4 - HKLM\..\Run: [sDJobCheck] triggusr.exe

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://info.vnsny.org/intranet/Portal/resources/msddsc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8126.3221412037

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VNSNY.ORG

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VNSNY.ORG

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VNSNY.ORG


Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.


Use the Registrar Lite program. Navigate to (you can type the line directly into reglite address bar and hit 'go'):

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Rename the Windows key in the left pane to something else - for example:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

 

(You should now be able to clear the hidden contents of the AppInit_DLLs value in the right pane without being undone by the hidden process.)

 

DoubleClick "Appinit_Dlls" value on right pane and erase the data on the lower box (in value field):

 

"C:\WINNT\System32\sqlpeii.dll", hit 'apply' and 'ok' to set.

 

Rename NotWindows back to Windows in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the sqlpeii.dll in C:\WINNT\System32.

 

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINNT\System32\sqlpeii.dll

Copy and paste this into the 'To' box: C:\Junk\sqlpeii.dll

 

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the final steps.


It won't let me rename it.... gives me an "error renaming key" error, then when I try again it says it exists already. So it's making a new folder but it's not renaming the Windows folder. What should I do?


Try this. Download 'Dllfix.exe' from: http://tools.zerosrealm.com/dllfix.exe

 

It is a self-extracting archive; double click on it.

 

Open the DLLFIX folder and double click on Start.bat. At the main menu, press '2' (Run Fix) and enter.

 

At the second menu, press '1' (Enter DLL Name Manually) and enter

 

At the prompt, enter: sqlpeii.dll

 

Your system will reboot in 15 seconds and begin the fix.

 

When finished, there will be a log (log.txt) in the dllfix folder, post it in your next reply.


This is the log from dllfix:

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Mon 05/24/2004

8:36a

 

Backing up Registry Hive

 

Deleting Windows Key

 

Restoring Registry Hive

 

Deleting temp value


Hmm... that is a bit briefer than I was expecting. Could you post a new HJT log?


Sure... here it is.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:31:51 AM, on 5/24/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\SxpInst\sxplog32.exe

C:\WINNT\Explorer.EXE

C:\TNGSD\BIN\triggusr.exe

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\WINNT\msagent\AgentSvr.exe

C:\Program Files\Microsoft Office\Office\EXCEL.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\marc_r\My Documents\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\pgbgca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe

O2 - BHO: (no name) - {21B56D79-4E5A-41CF-82A7-691274D2E440} - C:\WINNT\system32\pgbgca.dll

O4 - HKLM\..\Run: [sDJobCheck] triggusr.exe

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://info.vnsny.org/intranet/Portal/resources/msddsc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8126.3221412037

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VNSNY.ORG

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VNSNY.ORG

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VNSNY.ORG


I should mention that when I ran dllfix it gave me an error message while running that said something like:

 

Cannot import app.reg...some keys are open by the system or other processes


DLed and ran the new dllfix. Didn't touch it for a good five minutes, but it kept repeating the error message "Error: The system was unable to find registered key or value".

Had to close it out. It didn't reboot the system. Here's the log it spit out.

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Mon 05/24/2004

10:58a

 

Backing up Registry Hive

 

Deleting Windows Key

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key


That's really strange.

Let me look into it.

I will check back later.

Can you post a Find-All again please?


Absolutely. I will post a bump again tomorrow morning when I come in. This is my work computer. Thanks for your help.

 

--==***@@@ 'FIND-ALL' VERSION 6 -5/21 @@@***==--

 

 

Mon May 24 16:22:25 2004 -- Results:

*System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "" (0871:FAD6) - FS:NTFS clusters:4k

Total: 4 195 827 712 [3.9G] - Free: 846 213 120 [807M]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

 

*Google Toolbar version and Attributes:

2.0.110.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

File not found - C:\Program Files\google\googletoolbar2.dll

A C:\Program Files\google\GoogleToolbar1.dll

 

*UserAgent:

 

*Wmplayer version:

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3805.0 C:\WINNT\System32\msjava.dll

 

 

*PC uptime:

4:22pm up 0 days, 2:37

 

*Locked or 'Suspect' file(s) found...

 

 

*Tasks (services):

0 System Process

8 System

144 SMSS.EXE

168 CSRSS.EXE Title:

164 WINLOGON.EXE Title: NetDDE Agent

224 SERVICES.EXE Svcs: Alerter,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi

236 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs

408 svchost.exe Svcs: RpcSs

456 svchost.exe Svcs: EventSystem,NtmsSvc,RasMan,SENS,TapiSrv,WZCSVC

512 spoolsv.exe Svcs: Spooler

588 cpqalert.exe Svcs: CPQALERT

612 defwatch.exe Svcs: DefWatch

644 LogWatNT.exe Svcs: LogWatch

704 rtvscan.exe Svcs: Norton AntiVirus Server

748 regsvc.exe Svcs: RemoteRegistry

768 LOCATOR.EXE Svcs: RpcLocator

796 mstask.exe Svcs: Schedule

844 SDServ.exe Svcs: SDService

880 SLClient.exe Svcs: SLClient

956 Win32sl.exe Svcs: Win32sl

980 WinMgmt.exe Svcs: WinMgmt

1012 svchost.exe Svcs: wuauserv

1024 TRIGGAG.exe

1148 cpqdmi.exe Svcs: CPQDMI

964 sxplog32.exe Title: Software Management Product Installer

916 explorer.exe Title: Program Manager

1348 triggusr.exe Title: SDUSERTRIGGERWND

1288 OUTLOOK.EXE Title: Milicent Archive - Microsoft Outlook

592 MAPISP32.EXE Title: WMS Idle

376 EXTRA.exe Title: SESSION1 - EXTRA! Personal Client

1440 agentsvr.exe Title: Menu Parent Window

1512 SNABASE.EXE Title: SnaServer Client

352 IEXPLORE.EXE

332 IEXPLORE.EXE

308 IEXPLORE.EXE

420 IEXPLORE.EXE

1568 IEXPLORE.EXE

304 IEXPLORE.EXE

716 IEXPLORE.EXE

1588 CMD.EXE Title: C:\WINNT\system32\cmd.exe

1624 NTVDM.EXE

1632 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F76D35-3B9C-48AC-8FD0-E8E416A77B2F}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{C1743388-5AA8-4CBF-BBBB-4351FE3183DD}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

 

Error: Cannot open file [C:\junk\*.*]

 

Mon May 24 16:22:36 2004 -- *Find-All 'Windows'.hiv list:

A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\winBackup.hiv

A C:\DOCUME~1\marc_r\MYDOCU~1\Find-All\windows.txt

A C:\FindallwinBackup.hiv


Do you have admin rights on this computer? I think that may be the whole problem with removal.


That's probably the case. Is there any way I could make a boot disk as a way around that? Also, it's strange, but I can rename other folders in the registry... just not the one we need to. Any final thoughts before I just give up and leave it on here? Thanks.


Well, the ACL shows this:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

 

So if you are in those user groups you don't have rights.

 

You really need administrator access one way or another to effect removal.


Good luck getting my admin guy to even admit he doesn't know something and take the right course of action. He thinks Norton takes care of all and that I'm just a computer illiterate idiot. Thanks anyway. This forum is a tremendous resource. -Marc


reglite can act a bit funny on 2K.

Not sure about the other issues, but can you try running the latest version of 'Find-All':

http://freeatlast.100free.com/Find-All.zip

-Unzip, run 'Find-All.Cmd', post the log!

 

If you didn't have sufficient rights, RegDACL wouldn't list all those groups there!

 

Also open reglite into the key and post the "size" listed under 'type' (next to the value name in the data editor).

 

This is strange:

*Locked or 'Suspect' file(s) found...

 

 

Run a search for: C:\WINNT\system32\sqlpeii.dll

And see whether it's found. (unlikely)

 

Also try RightClicking on reglite->RunAs...

Select the Administrator ..........

Are you able to run it?

It will run as new install then! (unless you'll be asked for password)

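The "size listed under 'type'" request above, and the hidden AppInit_DLLs contents the Registrar Lite instructions earlier in the thread work around, come down to one check: does the REG_SZ data occupy more bytes than the string regedit or reg.exe displays? The following is an added example, not code from this thread or from Registrar Lite, Find-All or dllfix; it assumes the payload is stored after an embedded NUL in the REG_SZ data (so C-string tools print an empty value while the stored size stays large), and `inspect_reg_sz`, `read_raw_value` and the sample byte strings are constructed here.

```python
"""Check a REG_SZ value (e.g. AppInit_DLLs) for data hidden past a NUL.

Assumption of this example: the payload bytes sit after an embedded NUL
terminator, so a C-string viewer shows "" while the stored size stays large.
The sample byte strings below are constructed, not captured from the PC.
"""
import sys

# Constructed: what reg.exe prints as `AppInit_Dlls REG_SZ` (nothing),
# while the data actually carries a DLL path after a leading NUL.
HIDDEN_DLL = "C:\\WINNT\\System32\\sqlpeii.dll"
SAMPLE_HIDDEN = b"\x00\x00" + HIDDEN_DLL.encode("utf-16-le") + b"\x00\x00"
# Constructed: a genuinely empty value, stored as a single NUL terminator.
SAMPLE_CLEAN = b"\x00\x00"

WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def inspect_reg_sz(raw: bytes) -> dict:
    """Split raw REG_SZ bytes (UTF-16-LE) into the part a C-string viewer
    shows and any non-empty text stored beyond the first NUL."""
    if len(raw) % 2:                      # defensive: odd cbData from the API
        raw += b"\x00"
    text = raw.decode("utf-16-le", errors="replace")
    visible, _, tail = text.partition("\x00")
    hidden = [seg for seg in tail.split("\x00") if seg]
    return {
        "visible": visible,
        "visible_bytes": 2 * (len(visible) + 1),  # what the shown string needs
        "stored_bytes": len(raw),                 # the "size" shown next to the type
        "hidden_segments": hidden,
        "suspicious": bool(hidden),
    }


def read_raw_value(subkey: str, name: str) -> bytes:
    """Windows only: fetch the value's bytes with RegQueryValueExW so nothing
    is cut off at a NUL (winreg.QueryValueEx stops at the first NUL)."""
    import ctypes
    import winreg
    adv = ctypes.windll.advapi32
    hkey = ctypes.c_void_p()
    rc = adv.RegOpenKeyExW(ctypes.c_void_p(winreg.HKEY_LOCAL_MACHINE), subkey,
                           0, winreg.KEY_READ, ctypes.byref(hkey))
    if rc:
        raise OSError(rc, "RegOpenKeyExW failed")
    try:
        vtype, size = ctypes.c_uint32(), ctypes.c_uint32(0)
        rc = adv.RegQueryValueExW(hkey, name, None, ctypes.byref(vtype),
                                  None, ctypes.byref(size))       # size probe
        if rc:
            raise OSError(rc, "RegQueryValueExW (size) failed")
        buf = ctypes.create_string_buffer(max(size.value, 2))
        rc = adv.RegQueryValueExW(hkey, name, None, ctypes.byref(vtype),
                                  buf, ctypes.byref(size))
        if rc:
            raise OSError(rc, "RegQueryValueExW (data) failed")
        return buf.raw[:size.value]
    finally:
        adv.RegCloseKey(hkey)


if __name__ == "__main__":
    # On Windows read the live value; elsewhere fall back to the sample.
    raw = (read_raw_value(WINDOWS_KEY, "AppInit_DLLs")
           if sys.platform == "win32" else SAMPLE_HIDDEN)
    r = inspect_reg_sz(raw)
    print(f"visible={r['visible']!r} stored={r['stored_bytes']}B "
          f"needed={r['visible_bytes']}B hidden={r['hidden_segments']}")
```

A stored size well above `visible_bytes` with a non-empty hidden segment is the condition the thread was chasing; a size of 2 with an empty visible string is a genuinely blank value.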

Try searching for files containing "hydrocodone" in c:\winnt

Note the filename.

Start regedit.

Search for the filename and delete those entries.

Run the LATEST CWShredder.

Restart.

Use HijackThis to clean up the start keys.
