
about:blank/search virus


This topic is locked
8 replies to this topic

#1 aaroneasley

    Member

  • Full Member
  • 27 posts

Posted 22 May 2004 - 02:51 AM

Hey,
First of all, thanks in advance to anyone who can help me out here. I've had the virus for a few weeks where my homepage is always the same thing, and it's really getting old. It seems like it's making my computer run slower, as well, though that might just be my imagination. Again, thank you so much to anyone who can help.
Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 2:35:19 AM, on 5/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\system32\HpRfDev.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\PROGRA~1\NORTON~1\QServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A} - C:\WINDOWS\System32\mbfdcaa.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I'm completely new at all this, so I'll probably need to be walked through every little step. Thanks again!

Aaron

#2 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 22 May 2004 - 03:00 AM

Download:
-'Find-All.zip'
From:
http://www10.brinkst...last/pvtool.htm

Download, install and run:
Registrar Lite

First,
Run reglite, copy and paste this key to the
address bar, hit 'go' tab:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

DoubleClick on 'AppInit_Dlls' value on the
right side, copy and paste here the following fields:
-Size
-Value

Next, *UNzip the 'Find-All' folder.
DoubleClick on the 'Find-All.bat' file inside.
Follow instructions and post the log!

#3 aaroneasley

    Member

  • Full Member
  • 27 posts

Posted 22 May 2004 - 03:10 AM

Thanks for responding so quickly.

size: 29
value: C:\WINDOWS\System32\logc.dll

--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--


Sat May 22 03:09:27 2004 -- Results:
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HPNOTEBOOK" (8000:91D4) - FS:NTFS clusters:4k
Total: 39 983 083 520 [37G] - Free: 22 744 875 008 [21G]


*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;Q313675;Q824145;Q330994;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q312461"=""


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1120 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
3:09am up 0 days, 1:06

*Locked or 'Suspect' file(s) found...
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.


*Tasks (services):
0 System Process
4 System
740 smss.exe
792 csrss.exe Title:
816 winlogon.exe Title: NetDDE Agent
880 services.exe Svcs: Eventlog,PlugPlay
892 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
1108 svchost.exe Svcs: RpcSs
1268 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,
elpsvc,Irmon,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasAuto,RasMan,
chedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkW
s,uploadmgr
1576 svchost.exe Svcs: Dnscache
1684 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1772 explorer.exe Title: Program Manager
552 spoolsv.exe Svcs: Spooler
1180 carpserv.exe
1204 hptasks.exe Title: HP display
1244 SynTPLpr.exe Title: Touchpad driver helper window
1260 SynTPEnh.exe Title: Touchpad driver tray icon window
1324 ONETOUCH.EXE Title: OnScreen Display Window
1356 hpsysdrv.exe Title: HPSYSDRV
1476 HpSrvUI.exe Title: _HPSilentMessageWnd_
1536 Navapw32.exe Title: Norton AntiVirus
1544 ACMonitor_X83.exACMonitor_X83Title: ACMonitor_X83
1588 AcBtnMgr_X83.exeAcBtnMgr_X83Title: AcBtnMgr_X83
1604 ati2evxx.exe Svcs: Ati HotKey Poller
1696 realsched.exe Title: Notification Wnd for RNAdmin
1764 PSFree.exe Title:
1976 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter
540 HPConfig.exe Svcs: HPConfig
196 RadioSvr.exe Svcs: RadioSvr
492 HpRfDev.exe Svcs: HpRfDev
2676 NMain.exe Title: Norton AntiVirus
3684 Navapsvc.exe Svcs: navapsvc
1864 NAVW32.exe Title: Norton AntiVirus
3628 IEXPLORE.EXE Title: SWI Forums -> Replying in about:blank/search virus - Microsoft Internet Explorer
2056 HijackThis.exe Title: HijackThis
2176 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2396 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}]
@="myBar BHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]
*Contents of file(s) in 'junk' folder:

Sat May 22 03:09:43 2004 -- *Find-All 'Windows'.hiv list:
A C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CHXG9ODL\Find-All[1]\Find-All\winBackup.hiv
A C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CHXG9ODL\Find-All[1]\Find-All\windows.txt
A C:\FindallwinBackup.hiv


#4 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 22 May 2004 - 04:02 AM

Look at the last section on your Find-All log!
You are running it from temp internet files???!!!
It doesn't run properly that way!

Put it in a normal folder.
e.g. C:\tools\Find-All
Or any other "normal" path!

Do the same with hijackthis!

Start with these:
In HijackThis, fix:
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

Reboot and delete both trojans from Windows:
-win.exe
-alchem.exe


2.) Go to:
http://windowsupdate.microsoft.com
Scan and apply all needed updates, including but
not limited to IE6/SP1
! Unless you do so, your problem can't be solved.

I'm concerned that the fix may not work the
way you are running programs.
Do you always open from location instead
of saving to disk? :blink:

I changed something in the Find-All package
anyway; delete your current copy, re-download it,
and post another log when done with all the above,
and another HijackThis log.

#5 aaroneasley

    Member

  • Full Member
  • 27 posts

Posted 22 May 2004 - 03:05 PM

I did a full search and couldn't find the file win.exe.

Logfile of HijackThis v1.97.7
Scan saved at 3:02:11 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\system32\HpRfDev.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A} - C:\WINDOWS\System32\mbfdcaa.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--


Sat May 22 15:04:48 2004 -- Results:
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HPNOTEBOOK" (8000:91D4) - FS:NTFS clusters:4k
Total: 39 983 083 520 [37G] - Free: 20 148 170 752 [19G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q312461"=""


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
3:04pm up 0 days, 0:09

*Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOGC.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOGC.DLL +++ File read error


*Tasks (services):
0 System Process
4 System
740 smss.exe
824 csrss.exe Title:
852 winlogon.exe Title: NetDDE Agent
920 services.exe Svcs: Eventlog,PlugPlay
932 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
1160 svchost.exe Svcs: RpcSs
1380 svchost.exe Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi
ity,helpsvc,Irmon,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Sch
dule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,
ploadmgr,W32
1620 svchost.exe Svcs: Dnscache
1656 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
552 spoolsv.exe Svcs: Spooler
1336 ati2evxx.exe Svcs: Ati HotKey Poller
136 HPConfig.exe Svcs: HPConfig
204 explorer.exe Title: Program Manager
264 RadioSvr.exe Svcs: RadioSvr
564 HpRfDev.exe Svcs: HpRfDev
1304 msiexec.exe Svcs: MSIServer
768 carpserv.exe
1528 hptasks.exe Title: HP display
1988 SynTPLpr.exe Title: Touchpad driver helper window
640 SynTPEnh.exe Title: Touchpad driver tray icon window
1520 ONETOUCH.EXE Title: OnScreen Display Window
1196 hpsysdrv.exe Title: HPSYSDRV
1948 HpSrvUI.exe Title: _HPSilentMessageWnd_
148 Navapw32.exe Title: Norton AntiVirus
2032 ACMonitor_X83.exACMonitor_X83Title: ACMonitor_X83
800 AcBtnMgr_X83.exeAcBtnMgr_X83Title: AcBtnMgr_X83
568 qttask.exe Title: QTPlayer Tray Icon
1888 realsched.exe Title: Notification Wnd for RNAdmin
952 PSFree.exe Title:
1940 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter
3924 iexplore.exe Title: SWI Forums -> Replying in about:blank/search virus - Microsoft Internet Explorer
1900 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2136 ntvdm.exe
3644 wuauclt.exe Title: Auto Update Client Window
2216 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}]
@="myBar BHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


*ACLs list for *.* in 'junk' folder: (if exist)

Error: Cannot open file [C:\junk\*.*]
*Contents of file(s) in 'junk' folder:

Sat May 22 15:04:54 2004 -- *Find-All 'Windows'.hiv list:
A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv


#6 freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 22 May 2004 - 05:58 PM

Ok, now we can proceed with the actual fix:

Run reglite:

Paste the same key to the address bar,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-DoubleClick "AppInit_DLLs" value on the right pane,
and clear the data value:
C:\WINDOWS\System32\LOGC.DLL <- delete this line,
'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

Open the subfolder "Tools" inside Find-All folder.
DoubleClick (once) on the "Xfix.bat" file inside.
Nothing will appear to happen, but it should
create a folder (junk) in your root drive
and restore/clean registry keys.

Navigate to System32, find LOGC.DLL, highlight it
and use the folder's top menu
option "Edit -> Move to folder...".
Browse to and select the C:\junk folder.
'OK' it.
Re-run Find-All.bat and post fresh output!
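The entries freeatlast singles out in post #4 (the res:// search pages, the orphaned BHO, the Run entry sitting in the Windows folder, the file:// DPF object) and the non-empty AppInit_DLLs value that post #6 clears all follow patterns a script can triage from a HijackThis log. The Python below is an added example, not part of the thread or of HijackThis/Find-All; the sample lines are copied from the log posted above, and the flagging rules are heuristics I chose for illustration, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus the AppInit_DLLs value the poster read out of reglite (post #3).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mbfdcaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A} - C:\WINDOWS\System32\mbfdcaa.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""
SAMPLE_APPINIT = r"C:\WINDOWS\System32\logc.dll"


@dataclass
class Finding:
    kind: str    # short tag for the heuristic that fired
    entry: str   # the log line or registry value that triggered it
    reason: str


RES_DLL = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)
RUN_TARGET = re.compile(r'\]\s+"?(.+?\.exe)', re.IGNORECASE)
WINROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def triage(log_text: str, appinit_dlls: str = "") -> list[Finding]:
    """Flag HijackThis entries that match the patterns seen in this thread.
    Heuristics only: a hit is a lead for a human to check, not a verdict."""
    findings: list[Finding] = []
    hijack_dlls: set[str] = set()
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # R0/R1: a search or start page served out of a local DLL via res:// is the
    # signature of this hijacker; remember the DLL so its BHO can be tied to it.
    for ln in lines:
        if ln.startswith(("R0 -", "R1 -")):
            m = RES_DLL.search(ln)
            if m:
                hijack_dlls.add(m.group(1).lower())
                findings.append(Finding("res-hijack", ln, "search/start page served from a local DLL resource"))
            elif ln.endswith("HomeOldSP = about:blank"):
                findings.append(Finding("about-blank", ln, "HomeOldSP value left pointing at about:blank"))

    for ln in lines:
        if ln.startswith("O2 -"):
            path = ln.rsplit(" - ", 1)[-1]
            if path == "(no file)":
                findings.append(Finding("orphan-bho", ln, "BHO registered but its file is gone"))
            elif path.lower() in hijack_dlls:
                findings.append(Finding("hijack-bho", ln, "BHO is the same DLL that serves the res:// pages"))
        elif ln.startswith("O4 -"):
            m = RUN_TARGET.search(ln)
            # Legit autoruns normally live under Program Files or System32, not
            # directly in the Windows folder (alchem.exe above).
            if m and WINROOT_EXE.match(m.group(1)):
                findings.append(Finding("winroot-run", ln, "autorun executable sitting directly in the Windows folder"))
        elif ln.startswith("O16 -") and "file://" in ln.lower():
            findings.append(Finding("local-dpf", ln, "ActiveX download object pointing at a local file"))

    # AppInit_DLLs: anything listed here is loaded into every process that links
    # user32.dll, so fixing the R1/O2 entries alone does not remove the hijacker.
    if appinit_dlls.strip():
        findings.append(Finding("appinit", f"AppInit_DLLs = {appinit_dlls}", "non-empty AppInit_DLLs value"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_APPINIT):
        print(f"[{f.kind}] {f.reason}\n    {f.entry}")
```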

#7 aaroneasley

    Member

  • Full Member
  • 27 posts

Posted 22 May 2004 - 06:37 PM

Thanks again, here's the log.

--==***@@@ 'FIND-ALL' VERSION 6.1 -5/21 @@@***==--


Sat May 22 18:36:51 2004 -- Results:
*System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HPNOTEBOOK" (8000:91D4) - FS:NTFS clusters:4k
Total: 39 983 083 520 [37G] - Free: 20 584 185 856 [19G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q312461"=""


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
6:36pm up 0 days, 0:08

*Locked or 'Suspect' file(s) found...
* result\\?\C:\junk\LOGC.DLL


*Tasks (services):
0 System Process
4 System
744 smss.exe
796 csrss.exe Title:
820 winlogon.exe Title: NetDDE Agent
864 services.exe Svcs: Eventlog,PlugPlay
876 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
1064 svchost.exe Svcs: RpcSs
1216 svchost.exe Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,Irmon,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32
1492 svchost.exe Svcs: Dnscache
1548 svchost.exe Svcs: LmHosts,SSDPSRV,WebClient
1672 explorer.exe Title: Program Manager
1892 spoolsv.exe Svcs: Spooler
124 carpserv.exe
164 hptasks.exe Title: HP display
176 SynTPLpr.exe Title: Touchpad driver helper window
184 SynTPEnh.exe Title: Touchpad driver tray icon window
200 ONETOUCH.EXE Title: OnScreen Display Window
212 hpsysdrv.exe Title: HPSYSDRV
240 HpSrvUI.exe Title: _HPSilentMessageWnd_
268 Navapw32.exe Title: Norton AntiVirus
320 ACMonitor_X83.exACMonitor_X83Title: ACMonitor_X83
332 AcBtnMgr_X83.exeAcBtnMgr_X83Title: AcBtnMgr_X83
364 ati2evxx.exe Svcs: Ati HotKey Poller
424 HPConfig.exe Svcs: HPConfig
452 realsched.exe Title: Notification Wnd for RNAdmin
540 RadioSvr.exe Svcs: RadioSvr
556 PSFree.exe Title:
652 HpRfDev.exe Svcs: HpRfDev
1384 LUCOMS~1.EXE Title: OleMainThreadWndName
1716 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter
2340 iexplore.exe Title: SWI Forums -> about:blank/search virus - Microsoft Internet Explorer
2780 aim.exe Title: aaron50lbs' Buddy List Window
3408 wuauclt.exe Title: Auto Update Client Window
1056 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2172 ntvdm.exe
2596 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}]
@="myBar BHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D0BDCE0-2779-4FEC-B389-74E2D4CDB56A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{525A513E-62C5-4F0A-810F-FD6F46D947D7}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access HEWLETT-MY4V2YB\Owner
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access HEWLETT-MY4V2YB\Owner


*ACLs list for *.* in 'junk' folder: (if exist)

*Contents of file(s) in 'junk' folder:
logc.dll

Sat May 22 18:36:54 2004 -- *Find-All 'Windows'.hiv list:
A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\winBackup.hiv
A C:\DOCUME~2\Owner\Desktop\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
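The REGEDIT4 fragments Find-All prints (the AppInit_DLLs value and the Browser Helper Objects keys) are the two things to read first in this kind of hijack. As an added example, not code from Find-All or from anyone in this thread, here is a small Python triage that parses such a dump; the sample input is constructed from the fragments above with the LOGC.DLL value put back as it was before the cleanup.

```python
import re

# Constructed input for this added example: the REGEDIT4 fragments Find-All
# printed in the thread, with AppInit_DLLs set back to the LOGC.DLL value that
# freeatlast had the poster clear, so there is something to flag.
SAMPLE_DUMP = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\LOGC.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}]
@="myBar BHO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
'''
APPINIT_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
BHO_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
           r'\Explorer\Browser Helper Objects')
KEY_RE = re.compile(r'^\[(.+)\]$')
# Only REG_SZ lines ("name"="data" or @="data") are parsed; Find-All prints nothing else.
SZ_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse a REGEDIT4 dump into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = SZ_RE.match(line)
        if vm and current is not None:
            name = '@' if vm.group(1) == '@' else vm.group(2)
            # .reg escapes backslashes and quotes with a backslash; undo that
            keys[current][name] = re.sub(r'\\(.)', r'\1', vm.group(3))
    return keys


def triage(text):
    """Return the DLLs loaded into every user32 process via AppInit_DLLs, and the
    installed BHOs by CLSID (an empty name means the CLSID still needs resolving)."""
    keys = parse_reg(text)
    appinit = keys.get(APPINIT_KEY, {}).get('AppInit_DLLs', '')
    dlls = [d for d in re.split(r'[ ,]+', appinit) if d]  # space- or comma-separated
    bhos = {}
    for path, values in keys.items():
        if path.lower().startswith(BHO_KEY.lower() + '\\'):
            bhos[path[len(BHO_KEY) + 1:]] = values.get('@', '')
    return {'appinit_dlls': dlls, 'bhos': bhos}
```

Run `triage()` over a saved Find-All or regedit export: a non-empty AppInit_DLLs list and any BHO CLSID without a friendly name are the entries to examine first.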


#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 22 May 2004 - 07:23 PM

Great progress!

Final steps:

In the 'Find-All'\Tools Subfolder, DoubleClick on "Zapcacls.bat" file!
File should be *free now!
You should find "junk.zip" created in the folder.
Submit it on my page (Find-All page) by
clicking on the 'files for submissions' link.
It will open your email client, navigate and add it
as attachment! Thanks ;)

Lastly, delete:
-"junk" folder from C:.
- 'Find-All' folder(s) no longer needed ;)
- Backup file created in your root drive C:
(FindallwinBackup.hiv, 8kb)

Use the following tools to clean all the remains:
CWShredder, have it fix all it finds!
http://www.spywarein.../CWShredder.exe

Download, install and run: Ad-Aware6:
http://www.lavasoftu...ftware/adaware/
update before the scan, select 'customise'
options, select your drive, scan and fix
all found problems.

Good luck :)

#9 aaroneasley

aaroneasley

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 23 May 2004 - 01:04 AM

Thanks so much! Everything seems to be running fine now, and hopefully it will stay that way. I certainly owe you!

Aaron



