Pam

hlpce.dll

11 posts in this topic

I have a very sad machine - I have disconnected this machine from the internet as it is acquiring viruses faster than I can clean them off. I have followed the HijackThis instructions in the FAQ. I have run Adaware and Spybot multiple times, both in Safe mode and in Normal mode. Each time they find more things to quarantine, fix, etc.

There is one problem in particular that is driving me crazy. There is a file - c:\windows\system32\hlpce.dll. Norton Antivirus keeps popping a Notification that this is a Backdoor.Trojan. I can't delete it because it is in use. If I boot into safe mode, the file doesn't exist. Some process is creating it each time I boot!

A google search of 'hlpce' turns up nothing.

Hijack log is available. Looking for advice. I don't want to reformat and admit defeat!! Thanks in advance.

Pam


Quote: "There is one problem in particular that is driving me crazy. There is a file - c:\windows\system32\hlpce.dll. Norton Antivirus keeps popping a Notification that this is a Backdoor.Trojan. I can't delete it because it is in use. If I boot into safe mode, the file doesn't exist. Some process is creating it each time I boot!"

Known issue!

See this, as example:
http://forums.spywareinfo.com/index.php?showtopic=18064&hl=

The file is indeed identified by Norton, which *isolates* it and at the same time locks access to its removal!

Follow these steps in the exact order specified, or they won't work properly!

1.) Disable Norton's active protection completely, and restart your computer! Unless you do so, it'll interfere!
---------------------------------------------------------------
2.) Download and install "FINDnFIX.exe" from any of the links in my signature. You can skip the first log, and proceed:
----------------------------------------------------------------
3.) *Get ready to restart your computer.
- Open the FINDnFIX\Keys1 <- Subfolder:
DoubleClick on the "FIX.bat" file.
- You will get a prompt preparing for auto-restart in 10 seconds.
- Let it restart!
-----------------------------------------------------------------
4.) On restart, go to Start/Search, and find: "hlpce.dll" (in System32 folder; as it should be visible)
- When found, RightClick on the "hlpce.dll" file and select -> Cut...
Immediately go to and open this Subfolder: C:\FINDnFIX\junkxxx <-
RightClick inside it and select -> Paste
Hit 'ok' when/if asked on 'read only' file move prompt.
*Be sure the file is now here: \junkxxx\hlpce.dll
--------------------------------------------------------------------------------
5.) When done, go back up one level to the main C:\FINDnFIX folder and run the -> "RESTORE.bat" file.
It will run and generate a log (log2.txt). Post it here, along with your hijackthis log!
=============================================
*Note: Do not change/move around or tamper with any of the file(s), folder(s) and path included in the 'FINDnFIX' folder.
*You must be the prime account/part of the 'Administrators' group to perform the steps above!


Thanks for the fast response! I'm glad it is a known problem. I followed your instructions. Here is the FindNFix log:

==============================================

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Tue 27 Jul 04 15:47:08
3:47pm up 0 days, 0:06

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/27)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»»

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»»»(5)»»»»»

»»»»»(6)»»»»»

»»»»»»» Search by size...

No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»» Scanning for moved file... »»»*»»»

\\?\C:\FINDnFIX\junkxxx\HLPCE.222 +++ File read error
C:\FINDnFIX\junkxxx\HLPCE.222 +++ File read error

C:\FINDNFIX\JUNKXXX\
hlpce.222 Mon May 17 2004 7:24:08p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\HLPCE.222

fgrep: can't open input C:\FINDNFIX\JUNKXXX\HLPCE.222

A----- HLPCE .222 0000E000 19:24.08 17/05/2004

--a-- - - - - - 57,344 05-17-2004 hlpce.222
A C:\FINDnFIX\junkxxx\hlpce.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
C:\FINDnFIX\junkxxx\HLPCE.222 can't be opened.

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX

File: <C:\FINDnFIX\junkxxx\hlpce.222>

#######################################################
*Known files are...
--------------------
File: ((56k; (57,344 bytes)
CRC16 : 3138
CRC-32 : D5C9FB2E
MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
--------------------
File: ((35k; (35,840 bytes)
CRC16 : EEB1
CRC-32 : 33081C8B
MD5 : 1DE9A8E2 4C826006 7A479B09 577D9CAE
--------------------
File: ((21k; (21,504 bytes)
CRC16 : 90A5
CRC-32 : 2258F59E
MD5 : EFEE2CB3 B342A351 51802356 9637F8E6
#######################################################
»»Permissions:
C:\FINDnFIX\junkxxx\hlpce.222
Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JP-TOBIAS\User
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000013 tco- 001301BF ---- DS-- rw+x \Everyone

Owner: JP-TOBIAS\User

Primary Group: JP-TOBIAS\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JP-TOBIAS\User
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000013 tco- 001301BF ---- DS-- rw+x \Everyone

Owner: JP-TOBIAS\User

Primary Group: JP-TOBIAS\None

File "C:\FINDnFIX\junkxxx\hlpce.222"
Access is denied.

error in ListAccessRights on C:\FINDnFIX\junkxxx\hlpce.222

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' S USERProcessHandleQuotar 8
00001310:h vk f AppInit_DLLs G
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
fùAppInit_DLLsÖ?æG¸
--------------
--------------
$011C7: UDeviceNotSelectedTimeout
$0120F: zGDIProcessHandleQuota
$012B8: TransmissionRetryTimeout
$012E8: USERProcessHandleQuotar
$01338: AppInit_DLLs
--------------
--------------
No strings found.

d.... 0 Jul 27 15:39 .
d.... 0 Jul 27 15:39 ..
....a 57344 May 17 19:24 hlpce.222

3 files found occupying 55296 bytes

===============================================================================
57,344 bytes 955,733 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.06

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-27-:4 15:39|HLPCE 222 57344 A 05-17-:4 19:24
.. <dir> 07-27-:4 15:39|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...

Detecting...

C:\FINDnFIX\junkxxx
hlpce.222 ACL has 11 ACE(s)
SID = BUILTIN/Administrators S-1-5-32-544
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x10000000
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x10000000
SID = JP-TOBIAS/User S-1-5-21-1606980848-789336058-1343024091-1003
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = /CREATOR OWNER S-1-3-0
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x10000000
SID = BUILTIN/Users S-1-5-32-545
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001200a9 -R -X
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0xa0000000
SID = BUILTIN/Users S-1-5-32-545
ACE 8 is an ACCESS_ALLOWED_ACE_TYPE
ACE 8 mask = 0x00000004
SID = BUILTIN/Users S-1-5-32-545
ACE 9 is an ACCESS_ALLOWED_ACE_TYPE
ACE 9 mask = 0x00000002
SID = /Everyone S-1-1-0
ACE 10 is an ACCESS_ALLOWED_ACE_TYPE
ACE 10 mask = 0x001301bf -R -W -X -D
ACL done...

Finished Detecting...

==============================================

And here is the HijackThis log:
==============================================
Logfile of HijackThis v1.98.0
Scan saved at 3:54:36 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\sdwork\issimsvc.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\HPZinw12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [iSSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DNSRestore] "C:\PROGRA~1\AT&TNE~1\DNSRestore.exe" -R
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: Domain = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: NameServer = 192.168.1.1,9.53.159.2
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{5D980716-EDD1-4F8F-8C69-CDE7A83247D7}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com,ibm.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Pam

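Two read-only checks behind the symptoms in this thread, as an added PowerShell example that is not part of the thread, of FINDnFIX or of HijackThis: which processes have a DLL of a given name mapped (the reason a delete fails with "in use"), and a raw dump of the AppInit_DLLs load point that the RESTORE.bat log above inspects, printing each value's type and stored byte length so that a value regedit shows as blank is still visible (the log's "reports as 2 bytes, including the 2 for string termination" is exactly that number for an empty REG_SZ). The DLL name and key path are the ones from the thread; the function names, the look-alike-name heuristic and the System32 resolution of bare entries are this script's own assumptions. Run it elevated and in the same bitness as the OS, since a 32-bit shell cannot enumerate 64-bit process modules. PowerShell did not exist on the XP machine in this thread; this is the same check in current tooling.

```powershell
# Added example (not from the thread, FINDnFIX or HijackThis). Read-only.
Set-StrictMode -Version Latest

$DllName = 'hlpce.dll'                                            # from the thread
$KeyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'  # the key RESTORE.bat dumps

# Processes that currently have $ModuleName mapped: the "in use" symptom.
# Processes we cannot open (protected, other bitness) throw on .Modules and are skipped.
function Get-ProcessesWithModule {
    param([Parameter(Mandatory)][string]$ModuleName)
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }
        $hit = $mods | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
        if ($hit) { [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Path = $hit.FileName } }
    }
}

# Bytes a value occupies in the hive, counting the terminating NUL of strings:
# an empty REG_SZ is 2 bytes, which is what the log above reports for AppInit_DLLs.
function Get-RegValueStoredLength {
    param($Value, [Microsoft.Win32.RegistryValueKind]$Kind)
    switch ([string]$Kind) {
        'String'       { return [Text.Encoding]::Unicode.GetByteCount([string]$Value) + 2 }
        'ExpandString' { return [Text.Encoding]::Unicode.GetByteCount([string]$Value) + 2 }
        'MultiString'  { $n = 2; foreach ($s in [string[]]$Value) { $n += [Text.Encoding]::Unicode.GetByteCount($s) + 2 }; return $n }
        'DWord'        { return 4 }
        'QWord'        { return 8 }
        'Binary'       { return ([byte[]]$Value).Length }
        default        { return -1 }
    }
}

"--- processes with $DllName mapped ---"
Get-ProcessesWithModule -ModuleName $DllName | Format-Table -AutoSize | Out-String

"--- HKLM\$KeyPath ---"
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath, $false)
if ($null -eq $key) { throw "Cannot open HKLM\$KeyPath" }
$findings = New-Object System.Collections.Generic.List[string]

foreach ($name in $key.GetValueNames()) {
    $kind  = $key.GetValueKind($name)
    $value = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    '{0,-28} {1,-12} {2,5} bytes  [{3}]' -f $name, $kind, (Get-RegValueStoredLength $value $kind), ($value -join ' ')
    # A name that only looks like AppInit_DLLs (padding, non-printable characters) is
    # ignored by the loader but passes a casual regedit glance. Heuristic, this script's own.
    if ($name -ine 'AppInit_DLLs' -and (($name -replace '[^\x20-\x7E]', '').Trim() -ieq 'AppInit_DLLs')) {
        $findings.Add("Look-alike value name: [$name]")
    }
}

if ($key.GetValueNames() -icontains 'AppInit_DLLs') {
    $kind = $key.GetValueKind('AppInit_DLLs')
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        $findings.Add("AppInit_DLLs is stored as $kind; expected REG_SZ")
    }
    # Entries are space- or comma-separated. A bare file name goes through the normal
    # DLL search order (application directory, then System32, ...); System32 is the
    # usual resting place for a dropped DLL, so bare names are resolved there here.
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($entry in (([string]$key.GetValue('AppInit_DLLs', '')) -split '[ ,]+' | Where-Object { $_ })) {
        $path = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $system32 $entry }
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $sha  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings.Add("AppInit_DLLs loads $path ($($item.Length) bytes, $($item.Attributes), SHA256 $sha)")
        } else {
            $findings.Add("AppInit_DLLs names $entry but $path is not visible from this session")
        }
    }
}

# LoadAppInit_DLLs exists from Vista on; XP, as in this thread, has no switch and
# always loads the list.
$load = $key.GetValue('LoadAppInit_DLLs', $null)
'LoadAppInit_DLLs: ' + $(if ($null -eq $load) { 'absent (pre-Vista: list is always loaded)' } else { $load })

"--- findings ---"
if ($findings.Count) { $findings } else { 'AppInit_DLLs is empty and well-formed' }
```

Save it as a .ps1 and run it from an elevated prompt. On Windows 8 and later with Secure Boot enabled, Windows ignores AppInit_DLLs altogether, so an empty value there says less than it did on XP; the process-module listing is still the first thing to look at when a file refuses to be deleted.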

Well done! :D

Just one minor detail:

I do hope you disabled Norton, as the file still appears to be restricted...

Find this pest in its current location as reported here:

*C:\FINDnFIX\junkxxx\HLPCE.222 +++ File read error
*File "C:\FINDnFIX\junkxxx\hlpce.222"
Access is denied.

RightClick and select the Security tab in properties, check the lower box to allow 'propagated permissions from parent'. Hit apply and 'ok'!

Lastly,
- Open the FINDnFIX\Files2 <- Subfolder:
Run the -> "ZIPZAP.bat" file.
It will take less than a second, quickly clean the rest and will create a zipped copy of the bad file(s) in the same folder (named as -- junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit to the specified addresses! Thanks!
*Be sure your active AV email scan is disabled as well!

Find this logfile created in the same Subfolder-- (C:\FINDnFIX\Files2):
-> "FINAL.TXT" And post it!

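The "propagate permissions from parent" step above, done from an elevated shell, followed by the size/MD5 check that the RESTORE.bat log could not complete because the quarantined copy was unreadable ("can't be opened", "Access is denied"), as an added PowerShell example that is not part of the thread or of FINDnFIX. $Path defaults to the thread's own quarantine location; the three size/MD5 pairs are copied from the "Known files" block of the log above (the thread does not say what they identify, so a hit is reported as nothing more than a match). takeown and icacls ship with Vista and later; on XP the Security tab is the way to do the same thing, and that tab is hidden on XP Professional while "Use simple file sharing" is enabled in Folder Options, and on XP Home except in Safe Mode.

```powershell
# Added example (not from the thread or FINDnFIX). Changes the owner and DACL of one file.
param([string]$Path = 'C:\FINDnFIX\junkxxx\hlpce.222')   # the thread's quarantine copy

Set-StrictMode -Version Latest
if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

# Size/MD5 pairs copied from the "Known files" block of the RESTORE.bat log above.
$Known = @(
    @{ Size = 57344; MD5 = 'C185B36F9969D3A6D2122BA7CBC02249' },
    @{ Size = 35840; MD5 = '1DE9A8E24C8260067A479B09577D9CAE' },
    @{ Size = 21504; MD5 = 'EFEE2CB3B342A351518023569637F8E6' }
)

# Run a native tool and fail loudly on a non-zero exit code.
function Invoke-Tool([string]$Exe, [string[]]$ArgList) {
    $out = & $Exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $ArgList failed with exit code $LASTEXITCODE`n$out" }
    $out
}

function Show-Acl([string]$File) {
    try {
        (Get-Acl -LiteralPath $File).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize | Out-String
    } catch { "cannot read ACL: $($_.Exception.Message)" }
}

'--- ACL before ---'
Show-Acl $Path

# 1. Ownership. Administrators can take it whatever the DACL says (SeTakeOwnershipPrivilege),
#    and the owner always holds READ_CONTROL and WRITE_DAC, which is what step 2 needs.
Invoke-Tool takeown @('/F', $Path, '/A') | Out-Null

# 2. Drop the file's explicit ACEs and fall back to those inherited from the junkxxx
#    folder: the "propagate permissions from parent" checkbox in the Security tab.
Invoke-Tool icacls @($Path, '/reset') | Out-Null

'--- ACL after ---'
Show-Acl $Path

# 3. Now that the file is readable, the digest CHK-SAFE.EXE could not produce, plus SHA-256.
$item = Get-Item -LiteralPath $Path -Force
$md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
$sha  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
"$($item.Name): $($item.Length) bytes, modified $($item.LastWriteTime)"
"MD5    $md5"
"SHA256 $sha"

$exact  = $Known | Where-Object { $_.Size -eq $item.Length -and $_.MD5 -ieq $md5 }
$bySize = $Known | Where-Object { $_.Size -eq $item.Length }
if ($exact)      { 'matches a "Known files" entry from the RESTORE.bat log' }
elseif ($bySize) { 'same size as a "Known files" entry but a different MD5: not that file, or a changed copy' }
else             { 'no match in the "Known files" list' }
```

Save it as a .ps1 and run it elevated; pass a different -Path for another quarantined file. Ownership is taken first on purpose: a DACL that denies Administrators everything (the log shows the tool's own permission dump failing) still cannot stop an elevated administrator from taking ownership, and once the owner, the same account can rewrite the DACL. Resetting to inherited permissions rather than granting Full Control to Everyone keeps the quarantine folder's own ACL as the only source of truth.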

Thank you again for such a quick response. I have some follow up questions -

1 - I actually had to uninstall Norton as the corporate version I had would not allow me to disable real time file protection.

2 - Even though the file system is NTFS, and I am logged in as an administrator, I do not get a Security tab in the Properties window for any file I select. So I am unable to make the change to allow propagated permissions from the parent.

I haven't yet run zipzap.bat as I'm unsure if I should do so without being able to change the above setting. Please help! Thanks again!


Ok! I followed all your instructions, and here is my FINAL.TXT. I have already sent the junkxxx.zip file as instructed. Thank you again for the excellent help!!

==============================================

Microsoft Windows XP [Version 5.1.2600]
Tue 27 Jul 04 21:12:07

........*FINAL.LOG(7/27)*.............
..Uninstalling bho (if exist)...
.. Deleting sp.html files (if present) ...
Could Not Find C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
Could Not Find C:\WINDOWS\temp\sp.html
File not found - C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
File not found - C:\WINDOWS\Temp\sp.html

...Checking file version...
--a-- W32i - - - - 57,344 05-17-2004 hlpce.222
A C:\FINDnFIX\junkxxx\hlpce.222

...Resetting permissions on junkxxx folder and file
...Resetting attribs; renaming
A \\?\C:\FINDnFIX\junkxxx\hlpce.333
processed file: C:\FINDnFIX\junkxxx\hlpce.333
Cleaniing registry keys...
...checking permissions and attrib reset
processed file: C:\FINDnFIX\junkxxx\hlpce.333

Access F GRANTED TO TRUSTEE administrators on C:\FINDnFIX\junkxxx
C:\FINDnFIX\junkxxx\hlpce.333;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlpce.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlpce.333;Everyone:X
C:\FINDnFIX\junkxxx\hlpce.333;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlpce.333;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlpce.333;JP-TOBIAS\User:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlpce.333;BUILTIN\Users:RrRaRepX
C:\FINDnFIX\junkxxx\hlpce.333;Everyone:RrRaRepWwAWaWeXD
C:\FINDnFIX\junkxxx\hlpce.333 Everyone:F
BUILTIN\Administrators:F
Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
JP-TOBIAS\User:F
BUILTIN\Users:R
Everyone:C

...Deleting temp files...
Could Not Find C:\FINDnFIX\Files2\*.tmp

...Dumping key and security...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

...zipping files...
...Submitting file...

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : ""
0000 00 00 | ..
adding: FINDnFIX/junkxxx/hlpce.333 (272 bytes security) (deflated 3%)
adding: FINDnFIX/keyback.hiv (208 bytes security) (deflated 71%)
adding: FINDnFIX/newwin.hiv (208 bytes security) (deflated 94%)
adding: FINAL.TXT (208 bytes security) (deflated 66%)
zip warning: name not matched: output.txt


Well done!

In hijackthis fix checked:

*R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
*O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
*O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

Search for and delete this pest:
WINDOWS\System32\ms.exe <(if exists)

Restart your computer, and delete the entire 'FINDnFIX' folder(s) from C:\

For the remaining problems (if any), run any and all removal tools once again as they should work properly now!
In particular, latest CWShredder.exe and fully updated Ad-Aware!

And you should be all set! ;)

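The O2, O4 and O9 entries that the reply above acts on, re-derived from the registry rather than from a HijackThis log, as an added PowerShell example that is not part of the thread or of HijackThis. It flags the two things that mattered here: a target that no longer exists, which is what HijackThis prints as "(file missing)", and a target without a valid Authenticode signature. Unsigned is a hint, not a verdict; plenty of software from 2004 was unsigned. The Run, Browser Helper Objects and Internet Explorer Extensions key paths are the standard ones; Resolve-TargetPath and its handling of quoted and rundll32 command lines are this script's own assumptions, and on 64-bit Windows it only sees the native view of the registry. Read-only; run elevated.

```powershell
# Added example (not from the thread or HijackThis). Read-only.
Set-StrictMode -Version Latest

# The executable a Run/Exec command line starts; for rundll32 the DLL it is told to load
# is what matters. Bare names are resolved against System32 and then the Windows folder.
function Resolve-TargetPath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if (-not $cmd) { return $null }
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
    if ([IO.Path]::GetFileName($exe) -ieq 'rundll32.exe') {
        $rest = $cmd.Substring($cmd.IndexOf($exe) + $exe.Length).TrimStart(' "')
        $exe  = ($rest -split '[,"]')[0]
        if (-not [IO.Path]::HasExtension($exe)) { $exe += '.dll' }   # LoadLibrary appends .dll
    }
    if (-not [IO.Path]::IsPathRooted($exe)) {
        foreach ($dir in @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)) {
            if (Test-Path -LiteralPath (Join-Path $dir $exe)) { return (Join-Path $dir $exe) }
        }
        return (Join-Path (Join-Path $env:SystemRoot 'System32') $exe)   # reported as missing below
    }
    return $exe
}

$entries = New-Object System.Collections.Generic.List[object]

# O4: Run / RunOnce for the machine and the current user.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $k = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $entries.Add([pscustomobject]@{ Kind = 'O4'; Where = "$hive\..\$sub\$name"; Target = Resolve-TargetPath ([string]$props.$name) })
        }
    }
}

# O2: Browser Helper Objects, resolved through the CLSID's InprocServer32 default value.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $srv  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $prop = if (Test-Path -LiteralPath $srv) { (Get-ItemProperty -LiteralPath $srv).PSObject.Properties['(default)'] } else { $null }
        $entries.Add([pscustomobject]@{ Kind = 'O2'; Where = "BHO $clsid"; Target = $(if ($prop) { Resolve-TargetPath ([string]$prop.Value) } else { $null }) })
    }
}

# O9: Internet Explorer extra buttons / Tools-menu items; the Exec value is the target.
foreach ($hive in 'HKLM', 'HKCU') {
    $ext = "${hive}:\Software\Microsoft\Internet Explorer\Extensions"
    if (-not (Test-Path $ext)) { continue }
    foreach ($sub in Get-ChildItem -Path $ext) {
        $prop = (Get-ItemProperty -LiteralPath $sub.PSPath).PSObject.Properties['Exec']
        if ($prop) { $entries.Add([pscustomobject]@{ Kind = 'O9'; Where = "$hive Extensions $($sub.PSChildName)"; Target = Resolve-TargetPath ([string]$prop.Value) }) }
    }
}

# Report only what deserves a look: missing targets and targets without a valid signature.
foreach ($e in $entries) {
    if (-not $e.Target) { "$($e.Kind) $($e.Where) -> (no target recorded)"; continue }
    if (-not (Test-Path -LiteralPath $e.Target)) {
        "$($e.Kind) $($e.Where) -> $($e.Target) (file missing)"
    } else {
        $status = (Get-AuthenticodeSignature -LiteralPath $e.Target).Status
        if ($status -ne 'Valid') { "$($e.Kind) $($e.Where) -> $($e.Target) (signature: $status)" }
    }
}
```

A "(file missing)" line is worth fixing even when it looks harmless: the registry entry outlives the binary, and a dropper that later re-creates the file (as happened with hlpce.dll in this thread) gets its execution back for free. Services, Winlogon notification packages and scheduled tasks are further load points that this script does not cover; Sysinternals Autoruns enumerates all of them.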

Thanks! It looks like all is well now. I've reinstalled Norton Antivirus so I'm protected once again. Unfortunately, when I install ZoneAlarm it locks up my machine. A problem for another day.

Thank you so much for your help. I really am Free At Last!! :-)


Glad we could help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
