hlpce.dll


This topic is locked
10 replies to this topic

#1 Pam (Full Member, 5 posts)
Posted 27 July 2004 - 02:32 PM

I have a very sad machine - I have disconnected this machine from the internet as it is acquiring viruses faster than I can clean them off. I have followed the HijackThis instructions in the FAQ. I have run Ad-Aware and Spybot multiple times, both in Safe mode and in Normal mode. Each time they find more things to quarantine, fix, etc.

There is one problem in particular that is driving me crazy. There is a file - c:\windows\system32\hlpce.dll. Norton Antivirus keeps popping a Notification that this is a Backdoor.Trojan. I can't delete it because it is in use. If I boot into safe mode, the file doesn't exist. Some process is creating it each time I boot!

A Google search of 'hlpce' turns up nothing.

Hijack log is available. Looking for advice. I don't want to reformat and admit defeat!! :techsupport: Thanks in advance.

Pam

#2 freeatlast (Retired Staff, 833 posts)
Posted 27 July 2004 - 02:40 PM

There is one problem in particular that is driving me crazy. There is a file - c:\windows\system32\hlpce.dll. Norton Antivirus keeps popping a Notification that this is a Backdoor.Trojan. I can't delete it because it is in use.

If I boot into safe mode, the file doesn't exist. Some process is creating it each time I boot!

Known issue!
See this, as example:
http://forums.spywar...topic=18064&hl=

The file is indeed identified by Norton, which *isolates*
it and at the same time locks access to its removal!

Follow these steps in the exact order specified, or they
won't work properly!

1.)
Disable Norton's active protection
completely, and restart your computer!
Unless you do so, it'll interfere!
---------------------------------------------------------------
2.)
Download and install : "FINDnFIX.exe" from any of
the links in my signature.
You can skip the first log, and proceed:
----------------------------------------------------------------
3.)
*Get ready to restart your computer.
- Open the FINDnFIX\Keys1 <- Subfolder:
DoubleClick on the "FIX.bat" file.
-You will get a prompt preparing for auto-restart in 10 seconds.
-Let it restart!
-----------------------------------------------------------------
4.)
On restart, Go to Start/Search, and find:
"hlpce.dll" (in System32 folder; as it should be visible)
-When found, RightClick on the "hlpce.dll" file
And select -> Cut...
Immediately go to and open this Subfolder:
C:\FINDnFIX\junkxxx <-
RightClick inside it and select -> Paste
hit 'ok' when/if asked on 'read only' file move prompt.
*Be sure the file is now here: \junkxxx\hlpce.dll
--------------------------------------------------------------------------------
5.)
When done, Go back up one level to the main C:\FINDnFIX folder and
Run the -> "RESTORE.bat" file ,
It will run and generate a log (log2.txt)
Post it here, along with your hijackthis log!
=============================================
*Note:
Do not change/move around or
tamper with any of the file(s) folder(s) and path
included in the 'FINDnFIX' folder.
*You must be the prime account/Part of the 'Administrators' group to
perform the steps above!

#3 Pam (Full Member, 5 posts)
Posted 27 July 2004 - 03:55 PM

Thanks for the fast response! I'm glad it is a known problem. I followed your instructions. Here is the FindNFix log:

==============================================

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Tue 27 Jul 04 15:47:08
3:47pm up 0 days, 0:06

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/27)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»

\\?\C:\FINDnFIX\junkxxx\HLPCE.222 +++ File read error
C:\FINDnFIX\junkxxx\HLPCE.222 +++ File read error


C:\FINDNFIX\JUNKXXX\
hlpce.222 Mon May 17 2004 7:24:08p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\HLPCE.222

fgrep: can't open input C:\FINDNFIX\JUNKXXX\HLPCE.222

A----- HLPCE .222 0000E000 19:24.08 17/05/2004

--a-- - - - - - 57,344 05-17-2004 hlpce.222
A C:\FINDnFIX\junkxxx\hlpce.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
C:\FINDnFIX\junkxxx\HLPCE.222 can't be opened.


CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX


File: <C:\FINDnFIX\junkxxx\hlpce.222>




#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC16 : 3138
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC16 : EEB1
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC16 : 90A5
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\hlpce.222
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JP-TOBIAS\User
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000013 tco- 001301BF ---- DS-- rw+x \Everyone

Owner: JP-TOBIAS\User

Primary Group: JP-TOBIAS\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JP-TOBIAS\User
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000013 tco- 001301BF ---- DS-- rw+x \Everyone

Owner: JP-TOBIAS\User

Primary Group: JP-TOBIAS\None

File "C:\FINDnFIX\junkxxx\hlpce.222"
Access is denied.

erreur dans ListAccessRights sur C:\FINDnFIX\junkxxx\hlpce.222


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' S USERProcessHandleQuotar 8
00001310:h vk f AppInit_DLLs G
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
fùAppInit_DLLsÖ?æG¸
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuotar
$01338: AppInit_DLLs
--------------
--------------
No strings found.


d.... 0 Jul 27 15:39 .
d.... 0 Jul 27 15:39 ..
....a 57344 May 17 19:24 hlpce.222

3 files found occupying 55296 bytes


===============================================================================
57,344 bytes 955,733 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.06

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-27-:4 15:39|HLPCE 222 57344 A 05-17-:4 19:24
.. <dir> 07-27-:4 15:39|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...


Detecting...

C:\FINDnFIX\junkxxx
hlpce.222 ACL has 11 ACE(s)
SID = BUILTIN/Administrators S-1-5-32-544
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x10000000
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x10000000
SID = JP-TOBIAS/User S-1-5-21-1606980848-789336058-1343024091-1003
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = /CREATOR OWNER S-1-3-0
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x10000000
SID = BUILTIN/Users S-1-5-32-545
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001200a9 -R -X
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0xa0000000
SID = BUILTIN/Users S-1-5-32-545
ACE 8 is an ACCESS_ALLOWED_ACE_TYPE
ACE 8 mask = 0x00000004
SID = BUILTIN/Users S-1-5-32-545
ACE 9 is an ACCESS_ALLOWED_ACE_TYPE
ACE 9 mask = 0x00000002
SID = /Everyone S-1-1-0
ACE 10 is an ACCESS_ALLOWED_ACE_TYPE
ACE 10 mask = 0x001301bf -R -W -X -D
ACL done...


Finished Detecting... 

==============================================
And here is the HijackThis log:
==============================================
Logfile of HijackThis v1.98.0
Scan saved at 3:54:36 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\sdwork\issimsvc.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\HPZinw12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DNSRestore] "C:\PROGRA~1\AT&TNE~1\DNSRestore.exe" -R
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: Domain = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: NameServer = 192.168.1.1,9.53.159.2
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll


Pam
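As an added example (my own code, not part of this thread and not from the FINDnFIX tool), here is a Python decoder for the raw ACE masks in the "Detecting..." section of the log above. It maps the access bits from winnt.h to the same short flag names the dump prints ("-R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN"), parses the SID / ACE / mask triples, and flags ACCESS_ALLOWED entries that give Everyone or Users write or delete rights, which is the condition that lets an unprivileged process keep dropping a file into a folder. The sample lines are copied from the log; the well-known SID table and the "risky" rule are my own choices.

```python
import re

# Access-mask bits from winnt.h, paired with the short names the FINDnFIX
# ACL dump on this page prints for them.  On a directory the same bits mean
# list / add-file / traverse, which is why "-W" on a folder matters.
FLAG_NAMES = [
    (0x00000001, "R"),             # FILE_READ_DATA  / FILE_LIST_DIRECTORY
    (0x00000002, "W"),             # FILE_WRITE_DATA / FILE_ADD_FILE
    (0x00000020, "X"),             # FILE_EXECUTE    / FILE_TRAVERSE
    (0x00010000, "D"),             # DELETE
    (0x00000040, "DEL_CHILD"),     # FILE_DELETE_CHILD
    (0x00040000, "CHANGE_PERMS"),  # WRITE_DAC
    (0x00080000, "TAKE_OWN"),      # WRITE_OWNER
]

# Generic rights sit in the top nibble; the dump prints no flag letters for
# them, which is why ACE masks such as 0x10000000 show nothing in the log.
GENERIC_NAMES = [
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]

# Bits that let a trustee modify or remove the object or its children.
WRITE_LIKE = (0x00000002 | 0x00000040 | 0x00010000 | 0x00040000
              | 0x00080000 | 0x10000000 | 0x40000000)

# Well-known SIDs for "everybody" trustees (my selection for this example).
BROAD_SIDS = {"S-1-1-0": "Everyone",
              "S-1-5-32-545": "Users",
              "S-1-5-11": "Authenticated Users"}


def decode_mask(mask):
    """Render an access mask the way the log does: '-R -W -X -D ...'."""
    return " ".join("-" + name for bit, name in FLAG_NAMES if mask & bit)


def generic_rights(mask):
    """Names of any generic rights set in the mask (not shown by the dump)."""
    return [name for bit, name in GENERIC_NAMES if mask & bit]


SID_RE = re.compile(r"^SID = (.+?) (S-[\d-]+)\s*$")
TYPE_RE = re.compile(r"^ACE (\d+) is an (\w+)")
MASK_RE = re.compile(r"^ACE (\d+) mask = 0x([0-9a-fA-F]+)")


def parse_acl(text):
    """Turn 'SID = ... / ACE n is an ... / ACE n mask = ...' triples into dicts."""
    aces, trustee, ace_type = [], ("?", "?"), "?"
    for line in text.splitlines():
        line = line.strip()
        if m := SID_RE.match(line):
            trustee = (m.group(1), m.group(2))
        elif m := TYPE_RE.match(line):
            ace_type = m.group(2)
        elif m := MASK_RE.match(line):
            aces.append({"index": int(m.group(1)), "name": trustee[0],
                         "sid": trustee[1], "type": ace_type,
                         "mask": int(m.group(2), 16)})
    return aces


def risky_aces(aces):
    """ACCESS_ALLOWED entries granting write-like rights to broad groups."""
    return [a for a in aces
            if a["type"] == "ACCESS_ALLOWED_ACE_TYPE"
            and a["sid"] in BROAD_SIDS
            and a["mask"] & WRITE_LIKE]


# Four entries copied verbatim from the ACL dump in the log above.
SAMPLE_ACL = """\
SID = BUILTIN/Administrators S-1-5-32-544
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001200a9 -R -X
SID = BUILTIN/Users S-1-5-32-545
ACE 9 is an ACCESS_ALLOWED_ACE_TYPE
ACE 9 mask = 0x00000002
SID = /Everyone S-1-1-0
ACE 10 is an ACCESS_ALLOWED_ACE_TYPE
ACE 10 mask = 0x001301bf -R -W -X -D
"""

if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    for a in aces:
        print(f"ACE {a['index']:2} {a['name']:25} 0x{a['mask']:08x} "
              f"{decode_mask(a['mask'])} {generic_rights(a['mask'])}")
    print("write-capable broad trustees:",
          [a["index"] for a in risky_aces(aces)])
```

Running it reproduces the flag strings the log prints for masks 0x001f01ff, 0x001200a9 and 0x001301bf, and reports ACE 9 and ACE 10 (Users with FILE_ADD_FILE, Everyone with write and delete) as the entries a defender would want to tighten on a quarantine folder.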
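A second added example (again my own code, not the tool's): parse the "*Known files are..." table from the log above into size / CRC-32 / MD5 entries and compare a file's digests against it. The size is compared first so most files are rejected without hashing, and both MD5 and CRC-32 must agree. The only real values are the three table entries copied from the log; the sample bytes are constructed and are not the file from this thread.

```python
import hashlib
import re
import zlib

# The "*Known files are..." block, copied from the FINDnFIX log above.
KNOWN_FILES_BLOCK = """\
File: ((56k; (57,344 bytes)
CRC16 : 3138
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC16 : EEB1
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC16 : 90A5
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
"""

SIZE_RE = re.compile(r"^File:.*?\(([\d,]+) bytes\)")
CRC32_RE = re.compile(r"^CRC-32\s*:\s*([0-9A-Fa-f]{8})")
MD5_RE = re.compile(r"^MD5\s*:\s*([0-9A-Fa-f ]+)$")
# CRC16 lines are ignored: the log does not say which CRC-16 variant it used.


def parse_known_files(text):
    """One dict per 'File:' entry, digests normalised to lowercase hex."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SIZE_RE.match(line):
            cur = {"size": int(m.group(1).replace(",", "")),
                   "crc32": None, "md5": None}
            entries.append(cur)
        elif cur and (m := CRC32_RE.match(line)):
            cur["crc32"] = m.group(1).lower()
        elif cur and (m := MD5_RE.match(line)):
            cur["md5"] = m.group(1).replace(" ", "").lower()
    return entries


def file_digests(data):
    """Size, CRC-32 and MD5 of a byte string, in the same normalised form."""
    return {"size": len(data),
            "crc32": f"{zlib.crc32(data) & 0xffffffff:08x}",
            "md5": hashlib.md5(data).hexdigest()}


def match_known(data, known):
    """Return the matching known entry, or None.  Size is checked before
    hashing; MD5 and CRC-32 must both agree, so a mistyped digest in the
    table cannot produce a false match on its own."""
    d = file_digests(data)
    for entry in known:
        if entry["size"] != d["size"]:
            continue
        if entry["md5"] == d["md5"] and entry["crc32"] == d["crc32"]:
            return entry
    return None


def check_path(path, known):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return match_known(fh.read(), known)


if __name__ == "__main__":
    known = parse_known_files(KNOWN_FILES_BLOCK)
    # Constructed, harmless sample bytes, not a copy of any real file.
    sample = b"constructed sample, not hlpce.dll" * 100
    print(file_digests(sample))
    print("matches known table:", match_known(sample, known))
```

To use it on a quarantined sample, call check_path() with the moved file's path; a None result means the file is not one of the three variants the log knows, not that it is clean.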

#4 freeatlast (Retired Staff, 833 posts)
Posted 27 July 2004 - 05:10 PM

Well done! :D
Just one minor detail:

I do hope you disabled Norton, as the file still appears to be restricted...

Find this pest in its current location as reported here:

*C:\FINDnFIX\junkxxx\HLPCE.222 +++ File read error
*File "C:\FINDnFIX\junkxxx\hlpce.222"
Access is denied.


RightClick and select the Security tab in properties, Check
the lower box
to allow 'propagated permissions from parent'.
Hit apply and 'ok'!

Lastly,
-Open the FINDnFIX\Files2 <- Subfolder:
Run the -> "ZIPZAP.bat" file.
It will take less than a second, quickly clean the rest and
will create a zipped copy of the bad file(s) in the same
folder (named as-- junkxxx.zip) and open your email
client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!
*Be sure your active AV email scan is disabled as well!


Find this logfile created in the same Subfolder-- (C:\FINDnFIX\Files2):
-> "FINAL.TXT" And post it!

#5 Pam (Full Member, 5 posts)
Posted 27 July 2004 - 05:37 PM

Thank you again for such a quick response. I have some follow-up questions:

1 - I actually had to uninstall Norton as the corporate version I had would not allow me to disable real time file protection.

2 - Even though the file system is NTFS, and I am logged in as an administrator, I do not get a Security tab in the Properties window for any file I select. So I am unable to make the change to allow propagated permissions from the parent.

I haven't yet run zipzap.bat as I'm unsure if I should do so without being able to change the above setting. Please help! Thanks again!

#6 freeatlast (Retired Staff, 833 posts)
Posted 27 July 2004 - 05:49 PM

This is likely the reason...

HowTo: To reveal the Missing Security Tab in Windows XP

#7 Pam (Full Member, 5 posts)
Posted 27 July 2004 - 09:25 PM

Ok! I followed all your instructions, and here is my FINAL.TXT. I have already sent the junkxxx.zip file as instructed. Thank you again for the excellent help!!

==============================================

Microsoft Windows XP [Version 5.1.2600]
Tue 27 Jul 04 21:12:07

........*FINAL.LOG(7/27)*.............
..Uninstalling bho (if exist)...
.. Deleting sp.html files (if present) ...
Could Not Find C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
Could Not Find C:\WINDOWS\temp\sp.html
File not found - C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
File not found - C:\WINDOWS\Temp\sp.html

...Checking file version...
--a-- W32i - - - - 57,344 05-17-2004 hlpce.222
A C:\FINDnFIX\junkxxx\hlpce.222

...Resetting permissions on junkxxx folder and file
...Resetting attribs; renaming
A \\?\C:\FINDnFIX\junkxxx\hlpce.333
processed file: C:\FINDnFIX\junkxxx\hlpce.333
Cleaniing registry keys...
...checking permissions and attrib reset
processed file: C:\FINDnFIX\junkxxx\hlpce.333

Access F GRANTED TO TRUSTEE administrators on C:\FINDnFIX\junkxxx
C:\FINDnFIX\junkxxx\hlpce.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlpce.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlpce.333;Everyone:X
C:\FINDnFIX\junkxxx\hlpce.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlpce.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlpce.333;JP-TOBIAS\User:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlpce.333;BUILTIN\Users:RrRaRepX[I]
C:\FINDnFIX\junkxxx\hlpce.333;Everyone:RrRaRepWwAWaWeXD[I]
C:\FINDnFIX\junkxxx\hlpce.333 Everyone:F
BUILTIN\Administrators:F
Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
JP-TOBIAS\User:F
BUILTIN\Users:R
Everyone:C

...Deleting temp files...
Could Not Find C:\FINDnFIX\Files2\*.tmp

...Dumping key and security...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER


...zipping files...
...Submitting file...

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : ""
0000 00 00 | ..
adding: FINDnFIX/junkxxx/hlpce.333 (272 bytes security) (deflated 3%)
adding: FINDnFIX/keyback.hiv (208 bytes security) (deflated 71%)
adding: FINDnFIX/newwin.hiv (208 bytes security) (deflated 94%)
adding: FINAL.TXT (208 bytes security) (deflated 66%)
zip warning: name not matched: output.txt

#8 freeatlast (Retired Staff, 833 posts)
Posted 28 July 2004 - 09:52 AM

Well done!

In hijackthis fix checked:

*R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
*O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
*O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

Search for and delete this pest:
WINDOWS\System32\ms.exe <(if exists)

Restart your computer, and delete the entire 'FINDnFIX' folder(s)
From C:\

For the remaining problems (if any), run any and all
removal tools once again as they should work properly now!
In particular,
Latest CWShredder.exe and fully updated Ad-Aware!

And you should be all set! ;)

#9 Pam (Full Member, 5 posts)
Posted 28 July 2004 - 06:02 PM

Thanks! It looks like all is well now. I've reinstalled Norton Antivirus so I'm protected once again. Unfortunately, when I install ZoneAlarm it locks up my machine. A problem for another day.

Thank you so much for your help. I really am Free At Last!! :-)

#10 freeatlast (Retired Staff, 833 posts)
Posted 28 July 2004 - 11:00 PM

:thumbsup:

#11 Daemon (Security Expert, Emeritus, 3,350 posts)
Posted 29 July 2004 - 03:33 PM

Glad we could help :D



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.



