aaroneasley

about:blank/search virus

9 posts in this topic

Hey,

First of all, thanks in advance to anyone who can help me out here. I've had the virus for a few weeks where my homepage is always the same thing, and it's really getting old. It seems like it's making my computer run slower, as well, though that might just be my imagination. Again, thank you so much to anyone who can help.

Here is my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 2:35:19 AM, on 5/22/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE

C:\windows\system\hpsysdrv.exe

C:\Windows\system32\HpSrvUI.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\WINDOWS\system32\HPConfig.exe

C:\WINDOWS\system32\RadioSvr.exe

C:\WINDOWS\system32\HpRfDev.exe

C:\Program Files\Common Files\Symantec Shared\NMain.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\PROGRA~1\NORTON~1\navw32.exe

C:\PROGRA~1\NORTON~1\QServer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A} - C:\WINDOWS\System32\mbfdcaa.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r

O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe

O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

I'm completely new at all this, so I'll probably need to be walked through every little step. Thanks again!

 

Aaron

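The log above is the kind an analyst triages by hand, but the entries that matter follow mechanical patterns: IE search and start pages pointed at a res:// resource inside a DLL in System32 (mbfdcaa.dll here), a BHO with no name loading that same DLL, an orphaned BHO registration, a bare executable sitting in the Windows root under HKLM\..\Run (alchem.exe), and an O16 "downloaded program" entry whose URL is file:// rather than http://. The Python script below is an added example by the editor, not code from the thread or from HijackThis; it encodes those patterns and runs them over an excerpt copied from the log above. The severities, the heuristics and all function names are the editor's own assumptions.

```python
"""Triage a HijackThis 1.97-style log for the about:blank/search hijacker pattern:
search/start pages redirected into a res:// DLL resource, an unnamed BHO dropped
straight into System32, a bare executable in the Windows root under Run, and an
O16 downloaded-program entry served from file://.  Editor's example; heuristics,
severities and names are assumptions, not HijackThis's own logic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt copied from the log posted above (first post), used as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A} - C:\WINDOWS\System32\mbfdcaa.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section tag, e.g. "R1", "O2"
    detail: str     # the file path, URL or CLSID the finding points at
    line: str       # the raw log line


_CLSID = r"\{[0-9A-Fa-f-]{36}\}"
_BHO_RE = re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>" + _CLSID + r") - (?P<path>.*)$")
_RUN_RE = re.compile(r"(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_DPF_RE = re.compile(r"DPF: (?P<clsid>" + _CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
_EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|com|bat|scr|pif))"?', re.IGNORECASE)
_RES_RE = re.compile(r"^res://(?P<dll>.+?\.dll)", re.IGNORECASE)


def in_windows_root(path: str) -> bool:
    """True for a file sitting directly in %WINDIR% with no subfolder."""
    return re.match(r"^[a-z]:\\windows\\[^\\]+$", path.strip().lower()) is not None


def in_windows_dir(path: str) -> bool:
    """True for a file directly in %WINDIR% or %WINDIR%\\System32."""
    return re.match(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", path.strip().lower()) is not None


def first_path(cmd: str) -> str:
    """Strip arguments from an O4 command line, keeping only the executable path."""
    m = _EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def check_line(line: str) -> Optional[Finding]:
    """Apply the pattern for one log line; None when nothing is suspicious."""
    line = line.strip()
    m = re.match(r"^(?P<tag>[RO]\d+) - (?P<rest>.*)$", line)
    if not m:
        return None
    tag, rest = m.group("tag"), m.group("rest")
    if tag in ("R0", "R1"):
        # Search/start page values normally hold http:// URLs; a res:// value
        # means IE renders a page embedded in a local DLL instead.
        _, _, value = rest.partition(" = ")
        r = _RES_RE.match(value.strip())
        if r:
            return Finding("high", tag, r.group("dll"), line)
    elif tag == "O2":
        b = _BHO_RE.match(rest)
        if b:
            path = b.group("path").strip()
            if path == "(no file)":                      # orphan registration
                return Finding("low", tag, b.group("clsid"), line)
            if b.group("name") == "(no name)" and in_windows_dir(path):
                return Finding("high", tag, path, line)  # nameless BHO in System32
    elif tag == "O4":
        r4 = _RUN_RE.match(rest)
        if r4 and in_windows_root(first_path(r4.group("cmd"))):
            return Finding("medium", tag, first_path(r4.group("cmd")), line)
    elif tag == "O16":
        d = _DPF_RE.match(rest)
        if d and d.group("url").lower().startswith("file:"):
            return Finding("high", tag, d.group("url").strip(), line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def suspect_files(findings: List[Finding]) -> List[str]:
    """Distinct on-disk files named by high/medium findings, for collection."""
    files = set()
    for f in findings:
        if f.severity != "low":
            d = f.detail
            files.add(d[len("file://"):] if d.lower().startswith("file://") else d)
    return sorted(files, key=str.lower)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
    print("files to collect before deleting:", suspect_files(results))
```

On the excerpt above the script reports the two res:// search entries and the nameless BHO as one DLL, alchem.exe as a medium finding, win.exe from the file:// entry as high, and the {000020DD-...} orphan as low; the Norton, Acrobat and MyWay entries under Program Files are not flagged. The point of `suspect_files` is to copy the binaries somewhere safe before HijackThis deletes the registry entries that point at them.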

Download:

-'Find-All.zip'

From:

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Download, install and run:

Registrar Lite

First, run reglite, copy and paste this key into the address bar, and hit the 'go' tab:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Double-click the 'AppInit_Dlls' value on the right side and copy and paste here the following fields:

-Size

-Value

Next, unzip the 'Find-All' folder and double-click the 'Find-All.bat' file inside.

Follow the instructions and post the log!


Thanks for responding so quickly

 

size: 29

value: C:\WINDOWS\System32\logc.dll

 

--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--

 

 

Sat May 22 03:09:27 2004 -- Results:

*System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "HPNOTEBOOK" (8000:91D4) - FS:NTFS clusters:4k

Total: 39 983 083 520 [37G] - Free: 22 744 875 008 [21G]

 

 

*IE version and Service packs:

6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;Q313675;Q824145;Q330994;Q837009;Q832894;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q312461"=""

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

3:09am up 0 days, 1:06

 

*Locked or 'Suspect' file(s) found...

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

 

 

*Tasks (services):

0 System Process

4 System

740 smss.exe

792 csrss.exe Title:

816 winlogon.exe Title: NetDDE Agent

880 services.exe Svcs: Eventlog,PlugPlay

892 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

1108 svchost.exe Svcs: RpcSs

1268 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,Irmon,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr

1576 svchost.exe Svcs: Dnscache

1684 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1772 explorer.exe Title: Program Manager

552 spoolsv.exe Svcs: Spooler

1180 carpserv.exe

1204 hptasks.exe Title: HP display

1244 SynTPLpr.exe Title: Touchpad driver helper window

1260 SynTPEnh.exe Title: Touchpad driver tray icon window

1324 ONETOUCH.EXE Title: OnScreen Display Window

1356 hpsysdrv.exe Title: HPSYSDRV

1476 HpSrvUI.exe Title: _HPSilentMessageWnd_

1536 Navapw32.exe Title: Norton AntiVirus

1544 ACMonitor_X83.exACMonitor_X83Title: ACMonitor_X83

1588 AcBtnMgr_X83.exeAcBtnMgr_X83Title: AcBtnMgr_X83

1604 ati2evxx.exe Svcs: Ati HotKey Poller

1696 realsched.exe Title: Notification Wnd for RNAdmin

1764 PSFree.exe Title:

1976 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter

540 HPConfig.exe Svcs: HPConfig

196 RadioSvr.exe Svcs: RadioSvr

492 HpRfDev.exe Svcs: HpRfDev

2676 NMain.exe Title: Norton AntiVirus

3684 Navapsvc.exe Svcs: navapsvc

1864 NAVW32.exe Title: Norton AntiVirus

3628 IEXPLORE.EXE Title: SWI Forums -> Replying in about:blank/search virus - Microsoft Internet Explorer

2056 HijackThis.exe Title: HijackThis

2176 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2396 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}]

@="myBar BHO"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

 

Error: Cannot open file [C:\junk\*.*]

*Contents of file(s) in 'junk' folder:

 

Sat May 22 03:09:43 2004 -- *Find-All 'Windows'.hiv list:

A C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CHXG9ODL\Find-All[1]\Find-All\winBackup.hiv

A C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CHXG9ODL\Find-All[1]\Find-All\windows.txt

A C:\FindallwinBackup.hiv


Look at the last section of your Find-All log! You are running it from Temporary Internet Files???!!! It doesn't run properly that way!

Put it in a normal folder, e.g. C:\tools\Find-All, or any other "normal" path!

Do the same with HijackThis!

Start with these:

In HijackThis, fix:

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

Reboot and delete both trojans from Windows:

-win.exe

-alchem.exe

2.) Go to:

http://windowsupdate.microsoft.com

Scan and apply all needed updates, including but not limited to IE6 SP1. Unless you do so, your problem can't be solved!

I'm concerned that the fix may not work the way you are running programs. Do you always open from location instead of saving to disk? :blink:

I changed something in the Find-All package anyway; delete your current copy, re-download it, and post another log when done with all the above, and another HijackThis log.


I did a full search and couldn't find the file win.exe.

 

Logfile of HijackThis v1.97.7

Scan saved at 3:02:11 PM, on 5/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\HPConfig.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RadioSvr.exe

C:\WINDOWS\system32\HpRfDev.exe

C:\WINDOWS\System32\msiexec.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE

C:\windows\system\hpsysdrv.exe

C:\Windows\system32\HpSrvUI.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A} - C:\WINDOWS\System32\mbfdcaa.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r

O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe

O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--

 

 

Sat May 22 15:04:48 2004 -- Results:

*System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "HPNOTEBOOK" (8000:91D4) - FS:NTFS clusters:4k

Total: 39 983 083 520 [37G] - Free: 20 148 170 752 [19G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q312461"=""

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

3:04pm up 0 days, 0:09

 

*Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\LOGC.DLL +++ File read error

\\?\C:\WINDOWS\System32\LOGC.DLL +++ File read error

 

 

*Tasks (services):

0 System Process

4 System

740 smss.exe

824 csrss.exe Title:

852 winlogon.exe Title: NetDDE Agent

920 services.exe Svcs: Eventlog,PlugPlay

932 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

1160 svchost.exe Svcs: RpcSs

1380 svchost.exe Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,Irmon,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32

1620 svchost.exe Svcs: Dnscache

1656 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

552 spoolsv.exe Svcs: Spooler

1336 ati2evxx.exe Svcs: Ati HotKey Poller

136 HPConfig.exe Svcs: HPConfig

204 explorer.exe Title: Program Manager

264 RadioSvr.exe Svcs: RadioSvr

564 HpRfDev.exe Svcs: HpRfDev

1304 msiexec.exe Svcs: MSIServer

768 carpserv.exe

1528 hptasks.exe Title: HP display

1988 SynTPLpr.exe Title: Touchpad driver helper window

640 SynTPEnh.exe Title: Touchpad driver tray icon window

1520 ONETOUCH.EXE Title: OnScreen Display Window

1196 hpsysdrv.exe Title: HPSYSDRV

1948 HpSrvUI.exe Title: _HPSilentMessageWnd_

148 Navapw32.exe Title: Norton AntiVirus

2032 ACMonitor_X83.exACMonitor_X83Title: ACMonitor_X83

800 AcBtnMgr_X83.exeAcBtnMgr_X83Title: AcBtnMgr_X83

568 qttask.exe Title: QTPlayer Tray Icon

1888 realsched.exe Title: Notification Wnd for RNAdmin

952 PSFree.exe Title:

1940 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter

3924 iexplore.exe Title: SWI Forums -> Replying in about:blank/search virus - Microsoft Internet Explorer

1900 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2136 ntvdm.exe

3644 wuauclt.exe Title: Auto Update Client Window

2216 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}]

@="myBar BHO"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

 

Error: Cannot open file [C:\junk\*.*]

*Contents of file(s) in 'junk' folder:

 

Sat May 22 15:04:54 2004 -- *Find-All 'Windows'.hiv list:

A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\winBackup.hiv

A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv

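Find-All's report bundles the three checks that matter for this variant: the locked/suspect file scan, a REGEDIT4 export of the Windows key that holds AppInit_DLLs, and a RegDACL dump of that key's ACL. Note the discrepancy in the reports above: the export prints "AppInit_DLLs"="" while Registrar Lite read a 29-byte value naming C:\WINDOWS\System32\logc.dll, which is why the helper asked for the reglite size and value separately in the earlier post. A value one tool reads and another does not is itself a finding. The script below is an added example by the editor, not code from Find-All, reglite or the thread; it parses those three sections from constructed excerpts modelled on the reports in this post and the first Find-All log, cross-checks the export against the direct read, flags a locked file as quarantined once it sits under C:\junk, and reports a DENY entry or a missing Administrators Full-access entry on the key (the excerpt with a tampered ACL is hypothetical and not from the thread). Function names and message wording are the editor's own.

```python
"""Parse the Find-All sections relevant to the AppInit_DLLs hijack and
cross-check them against a direct registry read.  Editor's example, not part
of Find-All, reglite or the thread; line shapes follow the posted reports."""
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the Find-All report posted above (before the fix).
BEFORE_FIX = r"""
*Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOGC.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGC.DLL +++ File read error

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
"""

# Constructed excerpt modelled on the report after the DLL was moved to C:\junk.
AFTER_FIX = r"""
*Locked or 'Suspect' file(s) found...
* result\\?\C:\junk\LOGC.DLL

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
"""

# Hypothetical excerpt (not from the thread): the key's ACL has been tampered with.
LOCKED_KEY = r"""
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) DENY Full access BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
"""

# What Registrar Lite showed for AppInit_DLLs before the fix (from the thread).
REGLITE_APPINIT = r"C:\WINDOWS\System32\logc.dll"

_SUSPECT_RE = re.compile(r"\\\\\?\\(?P<path>[A-Za-z]:\\.+?)(?:\s+\+\+\+\s*(?P<note>.*))?$")
_APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(?P<value>[^"]*)"$', re.MULTILINE)
# RegDACL ACE lines; only Read / Full access are distinguished here.
_ACE_RE = re.compile(r"^\((?P<flags>[^)]*)\)\s+(?P<mode>ALLOW|DENY)\s+"
                     r"(?P<right>Read|Full access)\s+(?P<who>.+?)\s*$", re.MULTILINE)


def suspect_files(report: str) -> List[Dict[str, str]]:
    """Locked/suspect files, deduplicated, with the tool's note (e.g. 'File read error')."""
    seen, out = set(), []
    for line in report.splitlines():
        m = _SUSPECT_RE.search(line)
        if m and m.group("path") not in seen:
            seen.add(m.group("path"))
            out.append({"path": m.group("path"), "note": (m.group("note") or "").strip()})
    return out


def exported_appinit(report: str) -> Optional[str]:
    """AppInit_DLLs as written by the REGEDIT4 export; None if the line is absent."""
    m = _APPINIT_RE.search(report)
    return m.group("value") if m else None


def acl_problems(report: str) -> List[str]:
    """DENY entries, or Administrators without Full access, on the Windows key."""
    problems, admin_full = [], False
    for m in _ACE_RE.finditer(report):
        if m.group("mode") == "DENY":
            problems.append(f"DENY {m.group('right')} for {m.group('who')}")
        elif m.group("who") == "BUILTIN\\Administrators" and m.group("right") == "Full access":
            admin_full = True
    if _ACE_RE.search(report) and not admin_full:
        problems.append("BUILTIN\\Administrators lacks Full access")
    return problems


def triage(report: str, direct_read: Optional[str] = None) -> List[str]:
    """Findings for one report, optionally cross-checked with a value read
    directly in a registry editor such as Registrar Lite."""
    findings = []
    for sf in suspect_files(report):
        where = "quarantined" if "\\junk\\" in sf["path"].lower() else "still in place"
        note = f", {sf['note']}" if sf["note"] else ""
        findings.append(f"suspect file {sf['path']} ({where}{note})")
    if "cannot execute the specified program" in report:
        findings.append("suspect-file scanner did not run (tool launched from a bad location?)")
    exported = exported_appinit(report)
    if exported:
        findings.append(f"AppInit_DLLs loads {exported} into every process that maps user32.dll")
    if direct_read and not exported:
        findings.append(f"AppInit_DLLs hidden: direct read shows {direct_read}, export shows empty")
    findings.extend("key ACL: " + p for p in acl_problems(report))
    return findings


if __name__ == "__main__":
    for name, rep, direct in (("before", BEFORE_FIX, REGLITE_APPINIT),
                              ("after", AFTER_FIX, None), ("locked", LOCKED_KEY, None)):
        print(name, triage(rep, direct))
```

Run stand-alone, the "before" excerpt yields the locked LOGC.DLL in System32 plus the hidden-value discrepancy, the "after" excerpt yields only the quarantined copy under C:\junk, and the hypothetical locked key yields the two ACL findings. A clean key shows Administrators and SYSTEM with Full access and no DENY entries, as in the reports above; anything else would explain why a reglite edit of AppInit_DLLs fails to stick.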

Ok, now we can proceed with the actual fix:

Run reglite:

Paste the same key into the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

-Rename the folder Windows (highlighted as a purple folder in the left-hand pane of reglite) to NotWindows.

-Double-click the "AppInit_DLLs" value in the right pane and clear the data value:

C:\WINDOWS\System32\LOGC.DLL <- delete this line,

then 'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its original name, Windows.

-Restart the computer.

Open the subfolder "Tools" inside the Find-All folder and double-click (once) the "Xfix.bat" file inside. Nothing will appear to happen, but it should create a folder (junk) in your root drive and restore/clean registry keys.

Navigate to System32, find LOGC.DLL, highlight it and use the folder's top menu option "Edit -> Move to Folder...". Browse to and select the C:\junk folder and 'ok' it.

Re-run Find-All.bat and post fresh output!


Thanks again, here's the log:

 

--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--

 

 

Sat May 22 18:36:51 2004 -- Results:

*System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "HPNOTEBOOK" (8000:91D4) - FS:NTFS clusters:4k

Total: 39 983 083 520 [37G] - Free: 20 584 185 856 [19G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q312461"=""

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

6:36pm up 0 days, 0:08

 

*Locked or 'Suspect' file(s) found...

* result\\?\C:\junk\LOGC.DLL

 

 

*Tasks (services):

0 System Process

4 System

744 smss.exe

796 csrss.exe Title:

820 winlogon.exe Title: NetDDE Agent

864 services.exe Svcs: Eventlog,PlugPlay

876 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

1064 svchost.exe Svcs: RpcSs

1216 svchost.exe Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,Irmon,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Sch

dule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,

ploadmgr,W32

1492 svchost.exe Svcs: Dnscache

1548 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient

1672 explorer.exe Title: Program Manager

1892 spoolsv.exe Svcs: Spooler

124 carpserv.exe

164 hptasks.exe Title: HP display

176 SynTPLpr.exe Title: Touchpad driver helper window

184 SynTPEnh.exe Title: Touchpad driver tray icon window

200 ONETOUCH.EXE Title: OnScreen Display Window

212 hpsysdrv.exe Title: HPSYSDRV

240 HpSrvUI.exe Title: _HPSilentMessageWnd_

268 Navapw32.exe Title: Norton AntiVirus

320 ACMonitor_X83.exACMonitor_X83Title: ACMonitor_X83

332 AcBtnMgr_X83.exeAcBtnMgr_X83Title: AcBtnMgr_X83

364 ati2evxx.exe Svcs: Ati HotKey Poller

424 HPConfig.exe Svcs: HPConfig

452 realsched.exe Title: Notification Wnd for RNAdmin

540 RadioSvr.exe Svcs: RadioSvr

556 PSFree.exe Title:

652 HpRfDev.exe Svcs: HpRfDev

1384 LUCOMS~1.EXE Title: OleMainThreadWndName

1716 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter

2340 iexplore.exe Title: SWI Forums -> about:blank/search virus - Microsoft Internet Explorer

2780 aim.exe Title: aaron50lbs' Buddy List Window

3408 wuauclt.exe Title: Auto Update Client Window

1056 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

2172 ntvdm.exe

2596 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}]

@="myBar BHO"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access HEWLETT-MY4V2YB\Owner

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access HEWLETT-MY4V2YB\Owner

 

 

*ACLs list for *.* in 'junk' folder: (if exist)

 

*Contents of file(s) in 'junk' folder:

logc.dll

 

Sat May 22 18:36:54 2004 -- *Find-All 'Windows'.hiv list:

A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\winBackup.hiv

A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv


Great progress!

 

Final steps:

 

In the 'Find-All'\Tools Subfolder, DoubleClick on "Zapcacls.bat" file!

File should be *free now!

You should find "junk.zip" created in the folder.

Submit it on my page (Find-All page) by

clicking on the 'files for submissions' link.

It will open your email client, navigate and add it

as an attachment! Thanks ;)

 

Lastly, delete:

- "junk" folder from C:.

- 'Find-All' folder(s) no longer needed ;)

- Backup file created in your root drive C:

(FindallwinBackup.hiv, 8kb)

 

Use the following tools to clean all the remains:

CWShredder, have it fix all it finds!

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

 

Download, install and run: Ad-Aware6:

http://www.lavasoftusa.com/software/adaware/

update before the scan, select 'customise'

options, select your drive, scan and fix

all found problems.

 

Good luck :)


Thanks so much! Everything seems to be running fine now, and hopefully it will stay that way. I certainly owe you!

 

Aaron
