judochop27

about:blank and popups

9 posts in this topic

My IE browser is constantly getting hijacked. I get taken to Coolwebsearch pages and get a lot of popups. My homepage changes to About:Blank all the time.

Running CWShredder and Ad-aware temporarily solve the problem, but running Internet Explorer for a bit always brings the problems back. Spybot S&D doesn't really find anything. When I try to update CWShredder, the attempt at the first site always fails, and the second one works.

 

Below is my log file from HijackThis

 

Logfile of HijackThis v1.97.7

Scan saved at 11:36:32 AM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\SERVICES.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\BHODemon\BHODemon.exe

C:\WINDOWS\System32\gearsec.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\HPHipm11.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jim\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F1 - win.ini: load=C:\WINDOWS\SERVICES.EXE

F1 - win.ini: run=C:\WINDOWS\SERVICES.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll (file missing)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [avicap32] C:\WINDOWS\System32\avicap32.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

 

 

Any help is appreciated, thanks.

-jim


You have a few problems there!

I suggest you restart in Safe mode and have hijackthis fix checked all the following:

F1 - win.ini: load=C:\WINDOWS\SERVICES.EXE

F1 - win.ini: run=C:\WINDOWS\SERVICES.EXE

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

In Add/remove programs, uninstall: 'P2P Networking'

Then, delete:

C:\WINDOWS\System32\P2P Networking< folder

C:\WINDOWS\SERVICES.EXE< virus!

**Only from that location! (Don't confuse it with 'services.exe' in System32, which is a legitimate file!)

 

Details:

http://www.sophos.com/virusinfo/analyses/trojlegmire.html

 

When done with the above, download and *UNzip:

http://freeatlast.100free.com/Find-All.zip

 

DoubleClick on the "Find-All.cmd" file,

follow instructions and post the log!

Edited by freeatlast

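The entries freeatlast tells Jim to fix share a few recognisable patterns: IE search pages pointing at a res:// DLL resource, win.ini load=/run= autostarts, a file named SERVICES.EXE outside System32 registered under four Run/RunServices keys, a restrictive IE policy key, and ActiveX cabs from unfamiliar hosts. The script below is an added example (not part of this thread or of HijackThis) that applies those checks to an excerpt of the log above; the System32-only name list and the trusted-host allowlist are assumptions made for the example.

```python
"""Triage a HijackThis 1.x log for the patterns the reply above singles out.
Added example by the editor, not part of the thread or of HijackThis itself;
SAMPLE_LOG is an excerpt copied from the log posted earlier in this thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Binaries that legitimately live only in %SystemRoot%\System32; the same name
# anywhere else (here C:\WINDOWS\SERVICES.EXE) is a disguise.  Constructed list.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}
# Hosts whose ActiveX cabs (O16 entries) are expected on this machine.
# Constructed allowlist; any other host is reported for review.
TRUSTED_DPF_HOSTS = {"www.apple.com", "download.microsoft.com", "download.macromedia.com",
                     "download.yahoo.com", "us.dl1.yimg.com", "chat.msn.com"}
_FULL_EXE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)\b', re.IGNORECASE)
_HTTP_URL = re.compile(r'https?://\S+', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    autostart_paths: Counter = Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and "res://" in line.lower():
            # IE start/search pages served out of a local DLL resource
            findings.append(Finding("res_hijack", line))
        elif kind == "F1":
            # win.ini load= / run= are legacy autostarts; on XP they should be empty
            if line.partition("=")[2].strip():
                findings.append(Finding("winini_autostart", line))
        elif kind == "O4":
            m = _FULL_EXE.search(line)   # first fully qualified .exe in the value
            if m:
                path = m.group(1).lower()
                autostart_paths[path] += 1
                folder, _, name = path.rpartition("\\")
                if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
                    findings.append(Finding("system_name_outside_system32", line))
        elif kind == "O6":
            # A policy restricting the IE control panel is rarely set by the user
            findings.append(Finding("ie_policy_restriction", line))
        elif kind == "O16":
            m = _HTTP_URL.search(line)
            if m and (urlparse(m.group(0)).hostname or "") not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("untrusted_dpf", line))
    # One command under Run and RunServices in both HKLM and HKCU is redundancy
    # that legitimate installers almost never need.
    for path, n in autostart_paths.items():
        if n >= 3:
            findings.append(Finding("multi_location_autostart", f"{path} registered {n} times"))
    return findings


def rule_counts(findings: Iterable[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gahe.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=C:\WINDOWS\SERVICES.EXE
F1 - win.ini: run=C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\SERVICES.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.detail}")
```

The allowlist is deliberately the weakest rule: an O16 host it does not know is a prompt to look the cab up, not a verdict.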

I followed your directions, except there was no C:\WINDOWS\System32\P2P Networking folder.

 

Here's the FIND-ALL log

thanks

 

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--

 

 

Tue May 25 02:19:53 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (4440:EAC2) - FS:NTFS clusters:4k

Total: 79 990 845 440 [74G] - Free: 40 534 151 168 [38G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q810847;Q818529;Q813951;Q330994;Q822925;Q828750;Q832894;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"YPC 3.0.3"="Yahoo! Parental Controls"

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

 

 

»»PC uptime:

2:19am up 0 days, 0:07

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error

\\?\C:\WINDOWS\System32\CTL.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

572 SMSS.EXE

640 CSRSS.EXE Title:

664 WINLOGON.EXE Title: NetDDE Agent

728 SERVICES.EXE Svcs: Eventlog,PlugPlay

740 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

952 SVCHOST.EXE Svcs: RpcSs

1076 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,

eclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upload

gr,w32time,w

1292 SVCHOST.EXE Svcs: Dnscache

1356 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1500 SPOOLSV.EXE Svcs: Spooler

328 EXPLORER.EXE Title: Program Manager

488 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor

500 DSentry.exe Title: DVDSentry

516 conmgr.exe Title: Connection Manager

544 Support.exe Title: Support

552 hpztsb05.exe Title:

564 hphmon04.exe Title: HP Photosmart Printer Series

608 hpgs2wnd.exe Title: HPGS2WND_WINDOW

764 Directcd.exe Title: DirectCD

340 ybrwicon.exe Title:

844 Navapw32.exe Title: Norton AntiVirus

1040 qttask.exe Title: QTPlayer Tray Icon

1048 iTunesHelper.exeiTunes HelperTitle: iTunes Helper

1092 CISVC.EXE Svcs: CiSvc

1096 realsched.exe Title: Notification Wnd for RNAdmin

1320 MSMSGS.EXE Title:

1384 aim.exe Title: Sign On

1440 NotifyAlert.exe Title: WindowsFormsParkingWindow

1596 ycommon.exe Title: OleMainThreadWndName

1608 hpgs2wnf.exe Title: OleMainThreadWndName

1740 DLG.exe Title: Digital Line Detection

1744 dcfssvc.exe Svcs: Dcfssvc

1904 BHODemon.exe Title: BHODemon

1944 gearsec.exe Svcs: GEARSecurity

176 Navapsvc.exe Svcs: navapsvc

248 nvsvc32.exe Svcs: NVSvc

2124 hphipm11.exe Svcs: Pml Driver HPH11

2160 iPodService.exe Svcs: iPodService

3408 wuauclt.exe Title: Auto Update Client Window

1940 Filzip.exe Title: Filzip

3152 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

3212 NTVDM.EXE

3504 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»ACLs list:

C:\junk BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

MARY\Jim:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:) GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA

 

 

ERROR: There are no more files.

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Tue May 25 02:19:58 2004 -- ++Find-All 'Windows'.hiv list:

A C:\DOCUME~1\Jim\Desktop\Find-All\winBackup.hiv

A C:\DOCUME~1\Jim\Desktop\Find-All\windows.txt

A C:\FindallwinBackup.hiv


Ok.

 

Download the 'Find-All' again!

I just updated it to include something else.

 

You don't have to run the whole thing again, simply

-DoubleClick on the included "LastKey.reg" file,

hit 'yes' on the prompt!

 

It should set your registry to open directly on this key:

*My Computer\HKEY_LOCAL_MACHINE\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Go to Start/run/type:

regedit

The registry should open with the Windows subfolder highlighted.

(*Compare and be sure the path on the status bar is the same as indicated above!)

 

-RightClick on the Windows Subfolder,

And rename Windows as Windows1

 

-Locate "AppInit_DLLs" value on the right

pane, RightClick it and select 'delete'

 

-Select the Windows1 on the left pane again and rename it back to its original name, Windows

 

-Use top regedit's menu view->refresh once

and be sure the "AppInit_DLLs"

value is 'officially' gone from the right pane.

 

-Close regedit, *restart computer!

 

--Navigate to the System32 folder, search for the System32\CTL.DLL file, highlight it and use the folder's top menu option: "Edit-> Move to folder..."

Browse to and select the C:\junk folder (it was created during the first 'Find-All' run) and 'ok' it.

 

--Re-run Find-All.cmd and post fresh output!


Cool, I did everything, here's the Find-All output

 

 

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--

 

 

Tue May 25 11:42:31 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (4440:EAC2) - FS:NTFS clusters:4k

Total: 79 990 845 440 [74G] - Free: 40 500 158 464 [38G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q810847;Q818529;Q813951;Q330994;Q822925;Q828750;Q832894;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"YPC 3.0.3"="Yahoo! Parental Controls"

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

 

 

»»PC uptime:

11:42am up 0 days, 0:13

 

»»Locked or 'Suspect' file(s) found...

* result\\?\C:\junk\CTL.DLL

 

 

»»Tasks (services):

0 System Process

4 System

572 SMSS.EXE

640 CSRSS.EXE Title:

664 WINLOGON.EXE Title: NetDDE Agent

708 SERVICES.EXE Svcs: Eventlog,PlugPlay

720 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

892 SVCHOST.EXE Svcs: RpcSs

1004 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibi

ity,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,

eclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,upload

gr,w32time,w

1228 SVCHOST.EXE Svcs: Dnscache

1240 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1376 SPOOLSV.EXE Svcs: Spooler

164 EXPLORER.EXE Title: Program Manager

248 CISVC.EXE Svcs: CiSvc

292 dcfssvc.exe Svcs: Dcfssvc

316 gearsec.exe Svcs: GEARSecurity

348 Navapsvc.exe Svcs: navapsvc

416 nvsvc32.exe Svcs: NVSvc

1148 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor

1152 DSentry.exe Title: DVDSentry

1140 conmgr.exe Title: Connection Manager

1180 Support.exe Title: Support

1192 hpztsb05.exe Title:

1208 hphmon04.exe Title: HP Photosmart Printer Series

1236 hpgs2wnd.exe Title: HPGS2WND_WINDOW

1304 Directcd.exe Title: DirectCD

1324 ybrwicon.exe Title:

1260 NotifyAlert.exe Title: WindowsFormsParkingWindow

1156 Navapw32.exe Title: Norton AntiVirus

1464 qttask.exe Title: QTPlayer Tray Icon

1472 iTunesHelper.exeiTunes HelperTitle: iTunes Helper

1484 realsched.exe Title: Notification Wnd for RNAdmin

1520 MSMSGS.EXE Title:

1528 aim.exe Title: Sign On

1588 ycommon.exe Title: OleMainThreadWndName

1716 hpgs2wnf.exe Title: OleMainThreadWndName

1744 DLG.exe Title: Digital Line Detection

1828 BHODemon.exe Title: BHODemon

960 iPodService.exe Svcs: iPodService

792 hphipm11.exe Svcs: Pml Driver HPH11

2728 wuauclt.exe Title: Auto Update Client Window

3744 CIDAEMON.EXE

3764 CIDAEMON.EXE Title: OleMainThreadWndName

4048 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

4076 NTVDM.EXE

2368 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access MARY\Jim

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access MARY\Jim

 

 

»»ACLs list:

C:\junk BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

MARY\Jim:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:) GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA

 

 

C:\junk\ctl.dll BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

MARY\Jim:F

BUILTIN\Users:R

 

 

»»Contents of file(s) in 'junk' folder:

ctl.dll

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

c185b36f9969d3a6d2122ba7cbc02249 ctl.dll

 

57344 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

File: <C:\junk\ctl.dll> Size-32 : 0000E000 CRC-32 : D5C9FB2E GHash-32-5 : 26115E2D GOST-Hash : 82A402D7 23ADEDC6 AB139C7E F70F4B77 1DB148B9 64596488 E89EDB26 3B623462 HAVAL-5-256 : D4B2FD10 ED750CA8 9094D67F C6885548 E5E25527 7E25E595 AAEF452A 3CD2FAB3 MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249 SHA-512 : 54ACD2EE 31007EAB 3DCB7655 5B804798 B765D5F7 7C6B7436 199BF16C 2ADD7C05 1DF1F36A 7CF786F7 1716A7C3 91BB6135 C8BECB6F 2DB242DA 5945C134 A7E3D9B9

Tue May 25 11:42:34 2004 -- ++Find-All 'Windows'.hiv list:

A C:\DOCUME~1\Jim\Desktop\Find-All\winBackup.hiv

A C:\DOCUME~1\Jim\Desktop\Find-All\windows.txt

A C:\FindallwinBackup.hiv


Wonderful! ;)

 

Next,

Open the 'Find-All'\Tools Subfolder.

DoubleClick once on: "ZIPZAP.bat" file!

 

It will quickly/Silently do this:

*Restore your key &Security

back to defaults

*Reset permissions on the junk\*.dll moved file

*Create zipped copy in the same folder: "junk.zip"

*Open your email client with given address for submission!

 

--Drag the 'junk.zip' and submit the attachment to the specified address! Thanks ;)

 

When done, Delete the "junk.zip"

as well as the "junk" folder in

C:\

 

--Re-run Find-All.cmd and post fresh output!

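The three Find-All runs in this thread tell the story through two sections of the log: the first run shows an AppInit_DLLs value under the Windows key, the second (after the manual rename/delete steps above) shows a new ACE for MARY\Jim on that key, and the third (after ZIPZAP.bat) shows the original ACL back and the value restored empty. This added example, not part of the thread or of the Find-All tool, parses those two sections and diffs them run against run, so a cleanup can be checked against exactly what it was meant to change; the excerpts are shortened copies of the posted logs.

```python
"""Diff the 'Windows' key values and ACL between two Find-All runs.  Added
example by the editor, not part of the thread or of the Find-All tool; the
three excerpts are shortened copies of the outputs posted above."""
import re
from dataclasses import dataclass, field

WINDOWS_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')                 # "Name"="data" / "Name"=dword:...
_ACE = re.compile(r'^\(ID-(?:NI|IO)\) (?:ALLOW|DENY) ')  # one RegDACL ACE line


@dataclass
class KeyState:
    values: dict = field(default_factory=dict)
    aces: set = field(default_factory=set)


def parse_findall(text: str) -> KeyState:
    """Collect the Windows key's values and the RegDACL ACE list from a Find-All log."""
    state, mode = KeyState(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # Find-All output is double spaced; a blank line ends nothing
        if line == WINDOWS_KEY:
            mode = "values"
        elif line.startswith("Access Control List for Registry key"):
            mode = "acl"
        elif mode == "values":
            m = _VALUE.match(line)
            if m:
                state.values[m.group(1)] = m.group(2)
            elif line.startswith(("[", "REGEDIT4", "»")):
                mode = None  # next exported key or next Find-All section
        elif mode == "acl":
            if _ACE.match(line):
                state.aces.add(line)
            else:
                mode = None  # "Effective permissions ..." ends the ACE list
    return state


def diff_states(before: KeyState, after: KeyState) -> dict:
    """What changed between two parsed runs, as sets of value names / ACE lines."""
    b, a = before.values, after.values
    return {
        "values_added": frozenset(a.keys() - b.keys()),
        "values_removed": frozenset(b.keys() - a.keys()),
        "values_changed": frozenset(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "aces_added": frozenset(after.aces - before.aces),
        "aces_removed": frozenset(before.aces - after.aces),
    }


# Run 1: original state, before any registry edits.
RUN1 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
"""
# Run 2: after renaming the key and deleting AppInit_DLLs by hand.
RUN2 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access MARY\Jim
(ID-IO) ALLOW Full access CREATOR OWNER
"""
# Run 3: after ZIPZAP.bat restored the key's values and security.
RUN3 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"AppInit_DLLs"=""
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
"""

if __name__ == "__main__":
    runs = [parse_findall(r) for r in (RUN1, RUN2, RUN3)]
    for i in range(2):
        print(f"run {i + 1} -> run {i + 2}:",
              {k: sorted(v) for k, v in diff_states(runs[i], runs[i + 1]).items() if v})
    print("back to original:", not any(diff_states(runs[0], runs[2]).values()))
```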

Ok, did that. Here's the output

 

--==***@@@ 'FIND-ALL' VERSION 7.5 -5/26 @@@***==--

 

 

Tue May 25 18:00:40 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (4440:EAC2) - FS:NTFS clusters:4k

Total: 79 990 845 440 [74G] - Free: 40 488 202 240 [38G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q810847;Q818529;Q813951;Q330994;Q822925;Q828750;Q832894;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"YPC 3.0.3"="Yahoo! Parental Controls"

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

 

 

»»PC uptime:

6:00pm up 0 days, 0:13

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

4 System

576 SMSS.EXE

644 CSRSS.EXE Title:

668 WINLOGON.EXE Title: NetDDE Agent

712 SERVICES.EXE Svcs: Eventlog,PlugPlay

724 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

912 SVCHOST.EXE Svcs: RpcSs

1012 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,

elpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Schedule,seclo

on,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w

2time,winmgm

1232 SVCHOST.EXE Svcs: Dnscache

1296 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

1412 SPOOLSV.EXE Svcs: Spooler

1968 CISVC.EXE Svcs: CiSvc

1984 dcfssvc.exe Svcs: Dcfssvc

2008 gearsec.exe Svcs: GEARSecurity

2044 Navapsvc.exe Svcs: navapsvc

164 nvsvc32.exe Svcs: NVSvc

1268 EXPLORER.EXE Title: Program Manager

1552 BCMSMMSG.exe Title: BCM V.92 56K Modem Monitor

1564 DSentry.exe Title: DVDSentry

1572 conmgr.exe Title: Connection Manager

1604 hpztsb05.exe Title:

1612 hphmon04.exe Title: HP Photosmart Printer Series

1628 hpgs2wnd.exe Title: HPGS2WND_WINDOW

1636 Directcd.exe Title: DirectCD

1644 NotifyAlert.exe Title: WindowsFormsParkingWindow

1656 ybrwicon.exe Title:

1680 Navapw32.exe Title: Norton AntiVirus

1712 qttask.exe Title: QTPlayer Tray Icon

1720 iTunesHelper.exeiTunes HelperTitle: iTunes Helper

1740 realsched.exe Title: Notification Wnd for RNAdmin

1772 MSMSGS.EXE Title:

1788 ycommon.exe Title: OleMainThreadWndName

1800 aim.exe Title: Sign On

1804 hpgs2wnf.exe Title: OleMainThreadWndName

464 iPodService.exe Svcs: iPodService

648 DLG.exe Title: Digital Line Detection

728 BHODemon.exe Title: BHODemon

1624 hphipm11.exe Svcs: Pml Driver HPH11

2808 wuauclt.exe Title: Auto Update Client Window

3956 ybrowser.exe Title: SWI Forums -> about:blank and popups

2580 CIDAEMON.EXE

2368 CIDAEMON.EXE Title: OleMainThreadWndName

3064 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

3060 NTVDM.EXE

3624 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»ACLs list:

C:\junk BUILTIN\Administrators:F

BUILTIN\Administrators:(OI)(CI)(IO)F

NT AUTHORITY\SYSTEM:F

NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F

MARY\Jim:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:R

BUILTIN\Users:(OI)(CI)(IO)(special access:) GENERIC_READ

GENERIC_EXECUTE

 

BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA

 

 

ERROR: There are no more files.

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Tue May 25 18:00:44 2004 -- ++Find-All 'Windows'.hiv list:

A C:\DOCUME~1\Jim\Desktop\Find-All\winBackup.hiv

A C:\DOCUME~1\Jim\Desktop\Find-All\windows.txt

A C:\FindallwinBackup.hiv


Perfect, you're all set! ;)

 

Rescan With Ad-Aware now, make sure to run full

system scan and apply latest updates first!

(reference file (01R310 23.05.2004) )

 

Then re-run Shredder.

Reset your preferred home page when done.

 

Good luck!


Glad we could help. :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.