ShellsPC

About:blank Will Not Go Away

61 posts in this topic

This has been going on for a month, please help.

 

I have tried everything and can't seem to kill this darn thing. If anyone knows a way to kill this I would love to know what it is.

 

I run CWShredder, Ad-Aware, Spybot, SpywareBlaster and HijackThis several times a day. Today I had a new twist: when I opened up my browser, instead of about:blank it was set to msn.com. I can attach any logs if needed.

 

I have read and tried quite a few fixes for this problem with no real success. CWShredder and Ad-Aware find items hourly. This is enough to make a person insane. I hate spyware.

 

I appreciate any help you can give me. Thanks.


I just spent the last two hours with my system administrator trying to get back into my computer. I was reading someone else's post and attempted to start up in safe mode by changing msconfig; upon restarting, when asked for a password, mine would not work, nor would my administrator's. We had assumed that it was looking for the one given to the computer when purchased? Since we did not know what it was, we went through all kinds of hoops attempting to break back into the computer, since now it was stuck in safe mode. A thousand processes later I still find myself with the same darn problem of about:blank.

 

I need a vacation.


Here is an updated copy of my hijackthis log. I see some new items, but no matter how many times you "fix" them others crop up within 30 minutes or so.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:50:18 AM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc

O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rmasecurity.loc


Post a HijackThis log without fixing anything first. I need to see it with the infections showing.


Here is another one that I just ran, looks like additional items are starting to jump on board.

 

Logfile of HijackThis v1.97.7

Scan saved at 1:53:05 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc

O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rmasecurity.loc

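Here is an added triage pass over HijackThis entries like the ones in the log above (example code written for this thread, not HijackThis's own code). The sample lines are copied from the post. The corporate domain rmasecurity.loc and the proxy RMASBS:8080 are passed in as an allowlist, which is an assumption: on this machine they belong to the office network, so O17 domain entries and the R1 proxy entry are only flagged when they point somewhere else.

```python
"""Triage of HijackThis-style log lines for the CWS "about:blank" hijack.

Added example for this thread; not HijackThis's own code. The allowlists
(corporate domain and proxy) are assumptions an analyst supplies.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc
O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc
"""

# res://<dll>/<page>: an HTML page served out of a DLL's resource section.
RES_DLL = re.compile(r"res://(?P<dll>[^/]+?\.dll)/", re.IGNORECASE)
R_LINE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O17_LINE = re.compile(r"^O17 - .+?: Domain(?:Name)? = (?P<domain>\S+)$")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    kind: str      # short tag for the rule that fired
    detail: str    # what was matched
    line: str      # the log line itself


def sample_lines():
    return SAMPLE_LOG.strip().splitlines()


def triage(lines, allowed_domains=(), allowed_proxies=()):
    """Apply the rules to each line; returns findings in log order."""
    domains = {d.lower() for d in allowed_domains}
    findings = []
    for line in lines:
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            data = m["data"].strip()
            res = RES_DLL.search(data)
            if res:  # IE start/search page redirected into a DLL resource
                findings.append(Finding("high", "ie-res-redirect",
                                        f"{m['value'].strip()} -> {res['dll']}", line))
            elif m["value"].strip().lower() == "proxyserver" and data not in allowed_proxies:
                findings.append(Finding("medium", "unknown-proxy", data, line))
            continue
        m = O2_LINE.match(line)
        if m and m["name"].strip().lower() == "(no name)" and SYSTEM32.search(m["path"]):
            # nameless BHO loading a DLL out of System32: the hijack's loader
            findings.append(Finding("high", "anonymous-bho",
                                    f"{{{m['clsid']}}} -> {m['path'].strip()}", line))
            continue
        m = O17_LINE.match(line)
        if m and m["domain"].lower() not in domains:
            findings.append(Finding("medium", "unknown-domain", m["domain"], line))
    return findings


def implicated_dlls(findings):
    """Lower-cased DLL paths named by the high-severity rules,
    to hand to the file-level check."""
    return {f.detail.split(" -> ", 1)[1].lower()
            for f in findings if f.kind in ("ie-res-redirect", "anonymous-bho")}


if __name__ == "__main__":
    found = triage(sample_lines(), allowed_domains=("rmasecurity.loc",),
                   allowed_proxies=("RMASBS:8080",))
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.detail}")
    print("DLLs to examine:", implicated_dlls(found))
```

What the rules single out is the res:// pattern: the start and search pages are served from an HTML resource inside C:\WINDOWS\System32\hje.dll, and the nameless BHO with the same path is what loads that DLL into Internet Explorer. implicated_dlls() hands that path to the file-level check, which is where the fight actually is; fixing the R0/R1 lines while the DLL is still loaded is consistent with what the poster saw, the entries back within half an hour.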

Here you go:

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Tue 05/25/2004

02:36 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (B013:FA76) - FS:NTFS clusters:4k

Total: 39 958 409 216 [37G] - Free: 29 197 594 624 [27G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3805.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

2:36pm up 0 days, 3:22

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

30042 568 norm _Shell_TrayWnd

2b029e 568 norm SysFader

10028 660 high NetDDE Agent

16010a 3968 norm C:\WINDOWS\System32\cmd.exe

3001c0 568 norm dllfix

170206 3084 norm ScreenPrint32 v3.0

200256 3084 norm ScreenPrint32 v3.5

25014a 3624 norm MCI command handling window

1d0118 3624 norm DDE Server Window

2e01e4 3084 norm _DAXParkingWindow

60130 568 norm MCI command handling window

100de 568 norm Connections Tray

100d0 568 norm Power Meter

100ce 568 norm MS_WebcheckMonitor

300a2 1208 norm HkWndName

4003e 1000 norm Symantec AntiVirus Corporate Edition

2005c 1652 norm Scan

2005e 1652 norm ACTION

20060 1652 norm VPIPCLINK

40066 1568 norm Dell OMCI Iap

11026a 568 norm SysFader

1500fe 3624 norm SysFader

3300f0 3624 norm SWI Forums -> About:blank Will Not Go Away - Microsoft Internet Explorer

10088 568 norm Program Manager

30048 568 norm M

30046 568 norm Default IME

1e0288 568 norm M

120254 568 norm Default IME

a0178 3084 norm M

11027e 3084 norm Default IME

19015a 3624 norm Default IME

50132 568 norm Default IME

100d2 568 norm Default IME

100ac 1208 norm Default IME

1009e 1000 norm Default IME

10068 1568 norm Default IME

290116 3624 norm M

26012e 3624 norm Default IME

1009c 568 norm M

30058 568 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 


OK, double-click the start.bat again.

Select option 2, then the option to let it find it. It will run for a minute, then reboot. Please let it reboot. A second bat will run on boot-up. Let it run and scan. After it's all done, a log will open in Notepad. Please paste the contents of the log here.


Here is the log from start.bat:

 

Windows XP Detected

Running from Z:\

Scanning for bad files in system32 1st pass

File was not found on first Pass.

 

Scanning for bad files in system32 2nd pass

A file could not be found.

 

Here is a directory listing to post.

 

 

---------- DIR.TXT

04/30/2004 12:56 PM 3,572 cppna.dll

04/30/2004 10:42 AM 3,572 chiif.dll

04/30/2004 08:16 AM 3,573 jjapaa.dll

04/29/2004 03:42 PM 3,572 bebhnkb.dll

04/13/2004 03:00 PM 3,572 bikbhj.dll

04/09/2004 04:53 PM 6,656 spmsg.dll

03/29/2004 09:48 PM 667,648 lsasrv.dll

03/29/2004 09:48 PM 257,536 gdi32.dll

03/29/2004 09:48 PM 439,808 ipnathlp.dll

03/29/2004 09:48 PM 548,352 rtcdll.dll

03/29/2004 09:48 PM 36,864 mf3216.dll

03/29/2004 09:48 PM 136,704 schannel.dll

03/29/2004 09:48 PM 593,408 h323msp.dll

03/29/2004 09:48 PM 306,176 netapi32.dll

03/29/2004 09:48 PM 971,264 msgina.dll

03/29/2004 09:48 PM 51,712 msasn1.dll

03/16/2004 02:44 PM 30,749 vbajet32.dll

03/16/2004 02:44 PM 1,507,356 msjet40.dll

03/16/2004 01:38 PM 614,431 mswstr10.dll

03/16/2004 01:38 PM 151,583 msjint40.dll

03/10/2004 01:59 PM 593,408 xpsp2res.dll

03/05/2004 10:16 PM 535,552 rpcrt4.dll

03/05/2004 10:16 PM 263,680 rpcss.dll

03/05/2004 10:16 PM 1,194,496 comsvcs.dll

03/05/2004 10:16 PM 499,712 clbcatq.dll

03/05/2004 10:16 PM 977,920 msdtctm.dll

03/05/2004 10:16 PM 1,183,744 ole32.dll

03/05/2004 10:16 PM 226,816 es.dll

03/05/2004 10:16 PM 150,528 msdtcuiu.dll

03/05/2004 10:16 PM 225,280 catsrv.dll

03/05/2004 10:16 PM 594,944 catsrvut.dll

03/05/2004 10:16 PM 64,512 colbact.dll

03/05/2004 10:16 PM 110,080 clbcatex.dll

03/05/2004 10:16 PM 367,616 msdtcprx.dll

03/05/2004 10:16 PM 97,280 txflog.dll

03/05/2004 10:16 PM 82,432 mtxoci.dll

03/05/2004 10:16 PM 499,200 comuid.dll

03/05/2004 10:16 PM 64,512 mtxclu.dll

03/02/2004 01:18 PM 593,408 INETCOMM.DLL

03/01/2004 02:55 PM 348,189 msxbde40.dll

03/01/2004 02:55 PM 258,077 mstext40.dll

03/01/2004 02:55 PM 552,989 msrepl40.dll

03/01/2004 02:55 PM 348,189 mspbde40.dll

03/01/2004 02:55 PM 241,693 msjtes40.dll

03/01/2004 02:55 PM 319,517 msexcl40.dll

03/01/2004 02:55 PM 512,029 msexch40.dll

03/01/2004 02:52 PM 358,976 msjetoledb40.dll

02/06/2004 06:05 PM 588,288 WININET.DLL

01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL

01/21/2004 04:20 PM 484,352 URLMON.DLL

01/21/2004 04:19 PM 2,795,520 MSHTML.DLL

01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL

01/21/2004 03:18 PM 395,264 SHLWAPI.DLL

01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll

01/10/2004 07:37 AM 380,957 expsrv.dll

01/10/2004 07:36 AM 831,519 mswdat10.dll

01/10/2004 07:36 AM 315,423 msrd3x40.dll

01/10/2004 07:36 AM 421,919 msrd2x40.dll

01/10/2004 07:36 AM 213,023 msltus40.dll

01/10/2004 07:36 AM 53,279 msjter40.dll

Windows XP Detected

Running from Z:\

Scanning for bad files in system32 1st pass

File was not found on first Pass.

 

Scanning for bad files in system32 2nd pass

A file could not be found.

 

Here is a directory listing to post.

 

 

---------- DIR.TXT

04/30/2004 12:56 PM 3,572 cppna.dll

04/30/2004 10:42 AM 3,572 chiif.dll

04/30/2004 08:16 AM 3,573 jjapaa.dll

04/29/2004 03:42 PM 3,572 bebhnkb.dll

04/13/2004 03:00 PM 3,572 bikbhj.dll

04/09/2004 04:53 PM 6,656 spmsg.dll

03/29/2004 09:48 PM 667,648 lsasrv.dll

03/29/2004 09:48 PM 257,536 gdi32.dll

03/29/2004 09:48 PM 439,808 ipnathlp.dll

03/29/2004 09:48 PM 548,352 rtcdll.dll

03/29/2004 09:48 PM 36,864 mf3216.dll

03/29/2004 09:48 PM 136,704 schannel.dll

03/29/2004 09:48 PM 593,408 h323msp.dll

03/29/2004 09:48 PM 306,176 netapi32.dll

03/29/2004 09:48 PM 971,264 msgina.dll

03/29/2004 09:48 PM 51,712 msasn1.dll

03/16/2004 02:44 PM 30,749 vbajet32.dll

03/16/2004 02:44 PM 1,507,356 msjet40.dll

03/16/2004 01:38 PM 614,431 mswstr10.dll

03/16/2004 01:38 PM 151,583 msjint40.dll

03/10/2004 01:59 PM 593,408 xpsp2res.dll

03/05/2004 10:16 PM 535,552 rpcrt4.dll

03/05/2004 10:16 PM 263,680 rpcss.dll

03/05/2004 10:16 PM 1,194,496 comsvcs.dll

03/05/2004 10:16 PM 499,712 clbcatq.dll

03/05/2004 10:16 PM 977,920 msdtctm.dll

03/05/2004 10:16 PM 1,183,744 ole32.dll

03/05/2004 10:16 PM 226,816 es.dll

03/05/2004 10:16 PM 150,528 msdtcuiu.dll

03/05/2004 10:16 PM 225,280 catsrv.dll

03/05/2004 10:16 PM 594,944 catsrvut.dll

03/05/2004 10:16 PM 64,512 colbact.dll

03/05/2004 10:16 PM 110,080 clbcatex.dll

03/05/2004 10:16 PM 367,616 msdtcprx.dll

03/05/2004 10:16 PM 97,280 txflog.dll

03/05/2004 10:16 PM 82,432 mtxoci.dll

03/05/2004 10:16 PM 499,200 comuid.dll

03/05/2004 10:16 PM 64,512 mtxclu.dll

03/02/2004 01:18 PM 593,408 INETCOMM.DLL

03/01/2004 02:55 PM 348,189 msxbde40.dll

03/01/2004 02:55 PM 258,077 mstext40.dll

03/01/2004 02:55 PM 552,989 msrepl40.dll

03/01/2004 02:55 PM 348,189 mspbde40.dll

03/01/2004 02:55 PM 241,693 msjtes40.dll

03/01/2004 02:55 PM 319,517 msexcl40.dll

03/01/2004 02:55 PM 512,029 msexch40.dll

03/01/2004 02:52 PM 358,976 msjetoledb40.dll

02/06/2004 06:05 PM 588,288 WININET.DLL

01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL

01/21/2004 04:20 PM 484,352 URLMON.DLL

01/21/2004 04:19 PM 2,795,520 MSHTML.DLL

01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL

01/21/2004 03:18 PM 395,264 SHLWAPI.DLL

01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll

01/10/2004 07:37 AM 380,957 expsrv.dll

01/10/2004 07:36 AM 831,519 mswdat10.dll

01/10/2004 07:36 AM 315,423 msrd3x40.dll

01/10/2004 07:36 AM 421,919 msrd2x40.dll

01/10/2004 07:36 AM 213,023 msltus40.dll

01/10/2004 07:36 AM 53,279 msjter40.dll

05/25/2004 01:49 PM 31,232 hje.dll

04/30/2004 12:56 PM 3,572 cppna.dll

04/30/2004 10:42 AM 3,572 chiif.dll

04/30/2004 08:16 AM 3,573 jjapaa.dll

04/29/2004 03:42 PM 3,572 bebhnkb.dll

04/13/2004 03:00 PM 3,572 bikbhj.dll

04/09/2004 04:53 PM 6,656 spmsg.dll

03/10/2004 01:59 PM 593,408 xpsp2res.dll

03/02/2004 01:18 PM 593,408 INETCOMM.DLL

01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll

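Reading a DIR.TXT listing like the one above by hand is error-prone, so here is an added example (written for this thread, not the dllfix tool's own code) that parses a DIR-style listing and applies three heuristics: cross-reference with the DLL named by the HijackThis entries (hje.dll), clustering of small DLLs that have near-identical sizes under different names (the 3,572/3,573-byte files), and a weak lone-timestamp signal. The sample listing is a constructed subset of the one posted, with one line repeated on purpose because the posted log prints its listing twice; the size thresholds are assumptions.

```python
"""Heuristic triage of a DIR-style listing of System32 DLLs.

Added example for this thread; it is not the dllfix tool's own code.
Thresholds (max_small, tolerance, min_members) are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the DIR.TXT posted above, with the first
# line repeated on purpose, as the posted log repeats its listing after reboot.
SAMPLE_DIR = """\
04/30/2004 12:56 PM 3,572 cppna.dll
04/30/2004 10:42 AM 3,572 chiif.dll
04/30/2004 08:16 AM 3,573 jjapaa.dll
04/29/2004 03:42 PM 3,572 bebhnkb.dll
04/13/2004 03:00 PM 3,572 bikbhj.dll
04/09/2004 04:53 PM 6,656 spmsg.dll
03/29/2004 09:48 PM 667,648 lsasrv.dll
03/29/2004 09:48 PM 136,704 schannel.dll
03/29/2004 09:48 PM 593,408 h323msp.dll
03/10/2004 01:59 PM 593,408 xpsp2res.dll
03/02/2004 01:18 PM 593,408 INETCOMM.DLL
01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll
05/25/2004 01:49 PM 31,232 hje.dll
04/30/2004 12:56 PM 3,572 cppna.dll
"""

DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<size>[\d,]+)\s+(?P<name>\S+)$"
)


@dataclass(frozen=True)
class Entry:
    stamp: str  # "MM/DD/YYYY HH:MM AM" as DIR prints it
    size: int   # bytes
    name: str   # lower-cased file name


def parse_dir(text):
    """Parse DIR lines; a set drops the lines the tool printed twice."""
    seen = set()
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            seen.add(Entry(f"{m['date']} {m['time']}",
                           int(m["size"].replace(",", "")), m["name"].lower()))
    return sorted(seen, key=lambda e: (e.stamp, e.name))


def size_clusters(entries, tolerance=8, min_members=3):
    """Group entries whose sizes lie within `tolerance` bytes of the smallest
    member; keep groups with at least `min_members` distinct names."""
    clusters, current = [], []
    for e in sorted(entries, key=lambda e: e.size):
        if current and e.size - current[0].size > tolerance:
            if len({x.name for x in current}) >= min_members:
                clusters.append(current)
            current = []
        current.append(e)
    if current and len({x.name for x in current}) >= min_members:
        clusters.append(current)
    return clusters


def triage_dir(text, implicated=(), max_small=16384):
    """Return {name: [reasons]} for every entry that trips a heuristic."""
    entries = parse_dir(text)
    wanted = {n.lower() for n in implicated}
    reasons = defaultdict(list)

    # 1. Files already named by the HijackThis R0/R1/O2 entries.
    for e in entries:
        if e.name in wanted:
            reasons[e.name].append("high: named by HijackThis R0/R1/O2 entries")

    # 2. Several small DLLs of (almost) the same size under different names:
    #    the same dropped payload re-created under random names.
    small = [e for e in entries if e.size <= max_small]
    for cluster in size_clusters(small):
        names = sorted({e.name for e in cluster})
        for e in cluster:
            reasons[e.name].append(
                f"high: one of {len(names)} differently named DLLs of ~{cluster[0].size} bytes: {', '.join(names)}")

    # 3. Lone timestamp: an update batch writes many files in one minute,
    #    a dropper writes one. Weak on its own, so rated low.
    per_minute = Counter(e.stamp for e in entries)
    for e in entries:
        if per_minute[e.stamp] == 1:
            reasons[e.name].append("low: only file written in that minute")

    return dict(reasons)


def high_confidence(report):
    """Names with at least one high-rated reason, sorted."""
    return sorted(n for n, rs in report.items() if any(r.startswith("high") for r in rs))


if __name__ == "__main__":
    report = triage_dir(SAMPLE_DIR, implicated=["hje.dll"])
    for name in sorted(report):
        print(name)
        for r in report[name]:
            print("   ", r)
```

The cluster rule is restricted to small files on purpose: xpsp2res.dll, h323msp.dll and INETCOMM.DLL in the same listing are all 593,408 bytes and would otherwise form a cluster of their own. Likewise a lone timestamp is only a prompt to look closer (spmsg.dll trips it here and has nothing else against it), so it is reported as low and never on its own.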

Hmm, that didn't run like it was supposed to. You did run the start.bat and it rebooted, correct?


Yeah, but the whole first part of the log is missing for some reason. Run the Find-All option again and post the new log, please.


By the way, I have just re-installed all of the security updates for Windows XP. They were lost when my administrator had to reload Windows this morning so that we could get back into my computer. Just thought that I would mention this just in case it will affect any of the logs.


--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Tue 05/25/2004

03:39 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (B013:FA76) - FS:NTFS clusters:4k

Total: 39 958 409 216 [37G] - Free: 28 135 448 576 [26G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

3:39pm up 0 days, 0:07

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

80036 964 norm _Shell_TrayWnd

10028 660 high NetDDE Agent

101c2 356 norm C:\WINDOWS\System32\cmd.exe

50188 964 norm MCI command handling window

30160 304 norm MCI command handling window

1015c 304 norm DDE Server Window

100de 964 norm Connections Tray

200ae 964 norm Power Meter

200ac 964 norm MS_WebcheckMonitor

100b0 1252 norm HkWndName

100a2 1276 norm Symantec AntiVirus Corporate Edition

10070 1684 norm Scan

1006c 1684 norm ACTION

1006a 1684 norm VPIPCLINK

40066 1604 norm Dell OMCI Iap

1013e 304 norm SysFader

100ee 304 norm SWI Forums -> About:blank Will Not Go Away - Microsoft Internet Explorer

1008a 964 norm Program Manager

30038 964 norm M

3003a 964 norm Default IME

40194 964 norm Default IME

30182 304 norm Default IME

400a6 964 norm Default IME

100b2 1252 norm Default IME

100a4 1276 norm Default IME

10068 1604 norm Default IME

100f6 304 norm M

100f2 304 norm Default IME

1009e 964 norm M

30062 964 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 


Also, did you run this off a network drive? It should be run on a local drive like C:.

Edited by shadowwar



I do not have administrative rights, but I can call my administrator in my office at any time to log on if need be. He knows that I am attempting to get this problem fixed.


OK, you need to have admin rights, so have him log in.

 

Run the dllfix while he is logged in, from the C:\ drive and not a network drive.

Option 2, and let it find again.

After it reboots, have him log in again. It will finish. Then post that log again.


Here is the log off of the c drive:

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Tue 05/25/2004

04:06 PM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

Deleting temp value

 

The operation completed successfully

 

Running from C:\Documents and Settings\mgarcia.RMA\Desktop\dllfix

Scanning for bad files in system32 1st pass

File was not found on first Pass.

 

Scanning for bad files in system32 2nd pass

A file could not be found.

 

Here is a directory listing to post.

 

 

---------- DIR.TXT

04/30/2004 12:56 PM 3,572 cppna.dll

04/30/2004 10:42 AM 3,572 chiif.dll

04/30/2004 08:16 AM 3,573 jjapaa.dll

04/29/2004 03:42 PM 3,572 bebhnkb.dll

04/13/2004 03:00 PM 3,572 bikbhj.dll

04/09/2004 04:53 PM 6,656 spmsg.dll

03/29/2004 09:48 PM 667,648 lsasrv.dll

03/29/2004 09:48 PM 257,536 gdi32.dll

03/29/2004 09:48 PM 439,808 ipnathlp.dll

03/29/2004 09:48 PM 548,352 rtcdll.dll

03/29/2004 09:48 PM 36,864 mf3216.dll

03/29/2004 09:48 PM 136,704 schannel.dll

03/29/2004 09:48 PM 593,408 h323msp.dll

03/29/2004 09:48 PM 306,176 netapi32.dll

03/29/2004 09:48 PM 971,264 msgina.dll

03/29/2004 09:48 PM 51,712 msasn1.dll

03/16/2004 02:44 PM 30,749 vbajet32.dll

03/16/2004 02:44 PM 1,507,356 msjet40.dll

03/16/2004 01:38 PM 614,431 mswstr10.dll

03/16/2004 01:38 PM 151,583 msjint40.dll

03/10/2004 01:59 PM 593,408 xpsp2res.dll

03/05/2004 10:16 PM 535,552 rpcrt4.dll

03/05/2004 10:16 PM 263,680 rpcss.dll

03/05/2004 10:16 PM 1,194,496 comsvcs.dll

03/05/2004 10:16 PM 499,712 clbcatq.dll

03/05/2004 10:16 PM 977,920 msdtctm.dll

03/05/2004 10:16 PM 1,183,744 ole32.dll

03/05/2004 10:16 PM 226,816 es.dll

03/05/2004 10:16 PM 150,528 msdtcuiu.dll

03/05/2004 10:16 PM 225,280 catsrv.dll

03/05/2004 10:16 PM 594,944 catsrvut.dll

03/05/2004 10:16 PM 64,512 colbact.dll

03/05/2004 10:16 PM 110,080 clbcatex.dll

03/05/2004 10:16 PM 367,616 msdtcprx.dll

03/05/2004 10:16 PM 97,280 txflog.dll

03/05/2004 10:16 PM 82,432 mtxoci.dll

03/05/2004 10:16 PM 499,200 comuid.dll

03/05/2004 10:16 PM 64,512 mtxclu.dll

03/02/2004 01:18 PM 593,408 INETCOMM.DLL

03/01/2004 02:55 PM 348,189 msxbde40.dll

03/01/2004 02:55 PM 258,077 mstext40.dll

03/01/2004 02:55 PM 552,989 msrepl40.dll

03/01/2004 02:55 PM 348,189 mspbde40.dll

03/01/2004 02:55 PM 241,693 msjtes40.dll

03/01/2004 02:55 PM 319,517 msexcl40.dll

03/01/2004 02:55 PM 512,029 msexch40.dll

03/01/2004 02:52 PM 358,976 msjetoledb40.dll

02/06/2004 06:05 PM 588,288 WININET.DLL

01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL

01/21/2004 04:20 PM 484,352 URLMON.DLL

01/21/2004 04:19 PM 2,795,520 MSHTML.DLL

01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL

01/21/2004 03:18 PM 395,264 SHLWAPI.DLL

01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll

01/10/2004 07:37 AM 380,957 expsrv.dll

01/10/2004 07:36 AM 831,519 mswdat10.dll

01/10/2004 07:36 AM 315,423 msrd3x40.dll

01/10/2004 07:36 AM 421,919 msrd2x40.dll

01/10/2004 07:36 AM 213,023 msltus40.dll

01/10/2004 07:36 AM 53,279 msjter40.dll

05/25/2004 01:49 PM 31,232 hje.dll

04/30/2004 12:56 PM 3,572 cppna.dll

04/30/2004 10:42 AM 3,572 chiif.dll

04/30/2004 08:16 AM 3,573 jjapaa.dll

04/29/2004 03:42 PM 3,572 bebhnkb.dll

04/13/2004 03:00 PM 3,572 bikbhj.dll

04/09/2004 04:53 PM 6,656 spmsg.dll

03/29/2004 09:48 PM 971,264 msgina.dll

03/29/2004 09:48 PM 257,536 gdi32.dll

03/29/2004 09:48 PM 548,352 rtcdll.dll

03/29/2004 09:48 PM 136,704 schannel.dll

03/29/2004 09:48 PM 306,176 netapi32.dll

03/29/2004 09:48 PM 439,808 ipnathlp.dll

03/29/2004 09:48 PM 51,712 msasn1.dll

03/29/2004 09:48 PM 36,864 mf3216.dll

03/29/2004 09:48 PM 667,648 lsasrv.dll

03/29/2004 09:48 PM 593,408 h323msp.dll

03/16/2004 02:44 PM 30,749 vbajet32.dll

03/16/2004 02:44 PM 1,507,356 msjet40.dll

03/16/2004 01:38 PM 614,431 mswstr10.dll

03/16/2004 01:38 PM 151,583 msjint40.dll

03/10/2004 01:59 PM 593,408 xpsp2res.dll

03/05/2004 10:16 PM 226,816 es.dll

03/05/2004 10:16 PM 1,183,744 ole32.dll

03/05/2004 10:16 PM 535,552 rpcrt4.dll

03/05/2004 10:16 PM 1,194,496 comsvcs.dll

03/05/2004 10:16 PM 499,712 clbcatq.dll

03/05/2004 10:16 PM 977,920 msdtctm.dll

03/05/2004 10:16 PM 263,680 rpcss.dll

03/05/2004 10:16 PM 82,432 mtxoci.dll

03/05/2004 10:16 PM 64,512 mtxclu.dll

03/05/2004 10:16 PM 225,280 catsrv.dll

03/05/2004 10:16 PM 594,944 catsrvut.dll

03/05/2004 10:16 PM 150,528 msdtcuiu.dll

03/05/2004 10:16 PM 367,616 msdtcprx.dll

03/05/2004 10:16 PM 64,512 colbact.dll

03/05/2004 10:16 PM 110,080 clbcatex.dll

03/05/2004 10:16 PM 97,280 txflog.dll

03/05/2004 10:16 PM 499,200 comuid.dll

03/02/2004 01:18 PM 593,408 INETCOMM.DLL

03/01/2004 02:55 PM 348,189 msxbde40.dll

03/01/2004 02:55 PM 552,989 msrepl40.dll

03/01/2004 02:55 PM 258,077 mstext40.dll

03/01/2004 02:55 PM 348,189 mspbde40.dll

03/01/2004 02:55 PM 241,693 msjtes40.dll

03/01/2004 02:55 PM 319,517 msexcl40.dll

03/01/2004 02:55 PM 512,029 msexch40.dll

03/01/2004 02:52 PM 358,976 msjetoledb40.dll

01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL

01/21/2004 04:20 PM 484,352 URLMON.DLL

01/21/2004 04:19 PM 2,795,520 MSHTML.DLL

01/21/2004 04:16 PM 588,288 WININET.DLL

01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL

01/21/2004 03:18 PM 395,264 SHLWAPI.DLL

01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll

01/10/2004 07:37 AM 380,957 expsrv.dll

01/10/2004 07:36 AM 831,519 mswdat10.dll

01/10/2004 07:36 AM 315,423 msrd3x40.dll

01/10/2004 07:36 AM 421,919 msrd2x40.dll

01/10/2004 07:36 AM 213,023 msltus40.dll

01/10/2004 07:36 AM 53,279 msjter40.dll


Shadowwar,

 

I am heading out for the day. I will be back in the AM and will check in. Thanks for all of your help. I sure hope we can kick this thing, it has driven me completely insane (not a far trip).


Ok, one more request. Delete that whole dllfix folder and dllfix.exe. Download a fresh copy as I updated it last night so it should work better.

 

http://tools.zerosrealm.com/dllfix.exe

 

Post me 1 more findall from it after you download it.

 

Then have your admin run it once more. Option 2 then 2 again..

 

Post me the new logs.txt please.

Edited by shadowwar


I accidentally did this in reverse: I ran option 2 off of the C drive first, then I ran findall (off the network). Here is the log for findall:

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Wed 05/26/2004

08:56 AM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (B013:FA76) - FS:NTFS clusters:4k

Total: 39 958 409 216 [37G] - Free: 28 128 755 712 [26G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

8:56am up 0 days, 0:04

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

4011a 1092 norm _Shell_TrayWnd

60064 660 high NetDDE Agent

400f6 1184 norm C:\WINDOWS\System32\cmd.exe

300b4 1092 norm MCI command handling window

300ce 1092 norm Connections Tray

200f4 1092 norm Power Meter

200fe 1092 norm MS_WebcheckMonitor

20088 1956 norm Symantec AntiVirus Corporate Edition

4003c 1248 norm HkWndName

1006c 1632 norm ACTION

1006e 1632 norm Scan

1006a 1632 norm VPIPCLINK

40066 1584 norm Dell OMCI Iap

40042 1092 norm Program Manager

40110 1092 norm M

70062 1092 norm Default IME

2013c 1092 norm Default IME

200f2 1092 norm Default IME

20078 1956 norm Default IME

40096 1248 norm Default IME

10068 1584 norm Default IME

2012c 1092 norm M

4012a 1092 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

Here is the log for dll fix:

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Wed 05/26/2004

08:51 AM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully

 

Deleting Filter text

Running from C:\Documents and Settings\mgarcia.RMA\My Documents\DLLFix\dllfix

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Scanning For main hijacker.

Found Main Hijacker Dll:C:\WINDOWS\System32\HJE.DLL

Md5 tested As 0758CF635DF08AC381962F74832B6484

MD5 Matched known Baddie

Deleting Hijacker Dll: C:\WINDOWS\System32\HJE.DLL

Succesfully Deleted

Scanning For main hijacker.

Scanning for Hidden Dll in system32 1st pass

File was not found on first Pass.

 

Scanning for Hidden Dll in system32 2nd pass

File found was: C:\WINDOWS\System32\MS.DLL

 

Md5 Check of C:\WINDOWS\System32\MS.DLL

 

Md5 tested As D41D8CD98F00B204E9800998ECF8427E

File was found but md5 didnt match

MD5 was: D41D8CD98F00B204E9800998ECF8427E

Resetting file attributes

Processing ACL of: <\\?\C:\WINDOWS\System32\MS.DLL>

 

SetACL finished successfully.

File was zipped for submission to Shadowwar

File is located at C:\Documents and Settings\mgarcia.RMA\My Documents\DLLFix\dllfix\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.


--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Wed 05/26/2004

01:11 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (B013:FA76) - FS:NTFS clusters:4k

Total: 39 958 409 216 [37G] - Free: 27 839 582 208 [26G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

1:11pm up 0 days, 2:07

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

90150 3104 norm _Shell_TrayWnd

60086 660 high NetDDE Agent

1500c2 3936 norm C:\WINDOWS\System32\cmd.exe

c0256 1760 norm SWI Forums -> About:blank Will Not Go Away - Microsoft Internet Explorer

a02a6 1760 norm MCI command handling window

60298 1760 norm DDE Server Window

a0324 2432 norm _DAXParkingWindow

11039a 2432 norm ScreenPrint32 v3.0

b02ce 2432 norm ScreenPrint32 v3.5

401fc 3092 norm AOM

301e4 2748 norm Search Results

60172 2748 norm Adobe Acrobat

401e6 2748 norm transport Window

301fa 2748 norm DDE Server Window

401fe 2748 norm Font Capture

c00a0 3104 norm MCI command handling window

130120 3104 norm Connections Tray

50084 3104 norm Power Meter

90072 3104 norm MS_WebcheckMonitor

600c0 3220 norm HkWndName

5003c 3168 norm Symantec AntiVirus Corporate Edition

1005e 1644 norm ACTION

10060 1644 norm Scan

1005c 1644 norm VPIPCLINK

10058 1584 norm Dell OMCI Iap

1302e2 3104 norm SysFader

8026c 1760 norm SysFader

70068 3104 norm Program Manager

a0148 3104 norm M

80114 3104 norm Default IME

90244 1760 norm M

60252 1760 norm Default IME

a020a 1760 norm Default IME

1043c 2432 norm M

80388 2432 norm Default IME

5016e 3092 norm Default IME

501d6 2748 norm M

402b2 2748 norm Default IME

d008a 3104 norm Default IME

b011e 3104 norm Default IME

50078 3220 norm Default IME

400e6 3168 norm Default IME

1005a 1584 norm Default IME

400e4 3104 norm M

500ea 3104 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB466326-13AF-424D-8ECE-7719FAF40CA7}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 


Ok, in the dllfix folder there should be a windows.txt file. Open it with Notepad and it will look real funny. Paste it here please.


regf Pugf hbin  ÿÿÿnk, €ùÕ0 CÄ ÿÿÿÿ ÿÿÿÿÿÿÿÿ € ÿÿÿÿ 0 6 i m WindowsowsÞ H6Þ Èþÿÿsk € € ” ì

!

€ ! #

€ # ?

?

?

Ðÿÿÿvk è ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 @ ¸ Ðÿÿÿvk €' zGDIProcessHandleQuota"þðÿÿÿ9 0 ?¸| àÿÿÿvk ` °ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk € =pswapdisk ¸ @ p ¨ Ðÿÿÿvk 0 R¿TransmissionRetryTimeoutÐÿÿÿvk €' i USERProcessHandleQuotai àÿÿÿ¸ @ p ¨ Ø ( Øÿÿÿvk 6 P °ºAppInit_DLLsecteÀÿÿÿc : \ w i n d o w s \ s y s t e m 3 2 \ m s . d l l p


Ok, let's try to attack this manually. Not sure why it's being so stubborn.

 

Copy the contents of the quote box to Notepad:

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

 

Hit File / Save As.

Give it the name clear.reg.

Under the filename set file types to all types.

Save it to the desktop.

Close Notepad.

Double-click the clear.reg.

When asked to merge, say yes.

It should say successfully merged.

If it does, reboot.

When back in Windows, check and see if this file is visible:

 

C:\WINDOWS\System32\MS.DLL

 

Post back and let me know.


Scan type: Realtime Protection Scan

Event: Virus Found!

Virus name: Download.Trojan

File: C:\WINDOWS\SYSTEM32\MS.DLL

Location: Quarantine

Computer: PC98003

User: SYSTEM

Action taken: Quarantine succeeded : Access denied

Date found: Wednesday, May 26, 2004 1:42:02 PM


Well that's a good sign! Ok, we need to put back the registry entry. Do the same thing but with this in the quote box.

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

I know it's in quarantine but is there any way you can send me a copy of that file?

 

After you do this, please run dllfix again and give me another findall.
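Both files in this procedure use the REGEDIT4 format: a key path in square brackets with a leading minus deletes the whole key, a plain key path selects it, and each following line sets one value. The parser below is an added example and not code from the thread or from dllfix; it reads constructed copies of the two bodies shadowwar posted and reports what each file would do to the key, including what AppInit_DLLs holds afterwards.

```python
"""Parse REGEDIT4-format .reg text like the clear.reg and restore files in this thread.

Added example, not code from the thread or from dllfix. The two sample inputs are
constructed copies of the .reg bodies shadowwar posted.
"""
import re
from dataclasses import dataclass, field

# Constructed sample 1: the clear.reg body. A leading '-' inside the brackets deletes the key.
CLEAR_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"""

# Constructed sample 2: the restore body that recreates the key with its stock values.
RESTORE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
"""

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# "name"=data or @=data (the key's default value); the name may contain \" and \\.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


@dataclass
class RegKey:
    path: str
    delete: bool = False
    values: dict = field(default_factory=dict)  # name -> (type, data); '' is the default value


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return the list of RegKey entries a REGEDIT4 file would apply, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != 'REGEDIT4':
        raise ValueError('not a REGEDIT4 file')
    keys, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = RegKey(path=m.group(2), delete=(m.group(1) == '-'))
            keys.append(current)
            continue
        if current is None or current.delete:
            raise ValueError(f'value line outside a key: {line}')
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised line: {line}')
        name = '' if m.group(1) == '@' else _unescape(m.group(2))
        data = m.group(3).strip()
        if data == '-':                                   # "name"=- deletes the value
            current.values[name] = ('delete', None)
        elif data.startswith('dword:'):
            current.values[name] = ('REG_DWORD', int(data[len('dword:'):], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            current.values[name] = ('REG_SZ', _unescape(data[1:-1]))
        else:
            raise ValueError(f'unsupported data for {name!r}: {data}')
    return keys


def appinit_dlls_after(keys):
    """What AppInit_DLLs holds once the file is merged: None if the key is deleted
    or the value is not set, otherwise the string the file writes."""
    result = None
    for key in keys:
        if key.path.lower().endswith(r'\currentversion\windows'):
            if key.delete:
                result = None
            elif 'AppInit_DLLs' in key.values:
                result = key.values['AppInit_DLLs'][1]
    return result


if __name__ == '__main__':
    for label, text in (('clear.reg', CLEAR_REG), ('restore', RESTORE_REG)):
        keys = parse_reg(text)
        print(label, [(k.path, 'DELETE' if k.delete else k.values) for k in keys],
              'AppInit_DLLs ->', repr(appinit_dlls_after(keys)))
```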


What antivirus is it? If it's too much trouble don't worry about it. Let's just get you cleaned up.

 

After you are done with the new regmerge

 

Post the findall and a new hijackthis log please.


Here is the findall:

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Wed 05/26/2004

02:22 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (B013:FA76) - FS:NTFS clusters:4k

Total: 39 958 409 216 [37G] - Free: 27 842 269 184 [26G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

*Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

2:22pm up 0 days, 0:05

Locked or 'Suspect' file(s) found...

 

 

*List of top level windows:

HWND PID PRIO TITLE

4002e 572 norm _Shell_TrayWnd

10028 660 high NetDDE Agent

2016e 428 norm C:\WINDOWS\System32\cmd.exe

5014a 572 norm MCI command handling window

200ae 572 norm Connections Tray

200bc 572 norm Power Meter

200dc 1192 norm HkWndName

200ac 1284 norm TrayIconHandler

100a4 1128 norm Symantec AntiVirus Corporate Edition

1006e 1632 norm Scan

1006c 1632 norm ACTION

4006a 1632 norm VPIPCLINK

10058 1576 norm Dell OMCI Iap

200be 572 norm MS_WebcheckMonitor

20080 572 norm Program Manager

30032 572 norm M

30030 572 norm Default IME

3015e 572 norm Default IME

200ba 572 norm Default IME

200da 1192 norm Default IME

200e2 1284 norm Default IME

100a6 1128 norm Default IME

1005a 1576 norm Default IME

1009e 572 norm M

30064 572 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB466326-13AF-424D-8ECE-7719FAF40CA7}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-NI) ALLOW Full access RMA\mgarcia

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Full access RMA\mgarcia

 

 


Here is the hijackthis:

Logfile of HijackThis v1.97.7

Scan saved at 2:25:25 PM, on 5/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll (file missing)

O2 - BHO: (no name) - {CB466326-13AF-424D-8ECE-7719FAF40CA7} - C:\WINDOWS\System32\mlkif.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8132.5077083333

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc

O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rmasecurity.loc


Ok, next two steps.. getting there.

Load up regedit. Navigate here:

hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Right-click on the Windows portion and hit Permissions.

 

 

ALLOW Read BUILTIN\Users

ALLOW Read BUILTIN\Power Users

ALLOW Full access BUILTIN\Administrators

ALLOW Full access NT AUTHORITY\SYSTEM

ALLOW Full access CREATOR OWNER

 

You need to remove yourself from the list and make the list match the above.

 

That takes care of the main part.

 

Then do this:

 

Now download Ad-Aware at http://www.lavasoftusa.com/support/download/

After installing AAW, and before running the program, FIRST update the reference file following these instructions.

 

Now do the following:

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

 

Press "Scan Now"

 

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

 

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys. Click 'Next' again

Right-click in that pane and choose "select all"

 

If it finds "bad" files and registry keys, press "Next" again

It will ask you whether you'd like to remove all checked items. Click OK.

 

Finally, close Ad-Aware, and reboot.

 

Check any of these entries with hijackthis if still there:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll (file missing)

O2 - BHO: (no name) - {CB466326-13AF-424D-8ECE-7719FAF40CA7} - C:\WINDOWS\System32\mlkif.dll

 

 

Post a new HijackThis log along with one more findall so we can make sure the registry is back to where it should be.

 

Hopefully that should be it.

Edited by shadowwar


Ok, I think that I have figured out the permissions thing. What will I lose if I delete myself from permissions?


If I delete myself from permissions, will I be able to log back into the computer after I do the adaware thing?


Well you weren't there to begin with so you will lose nothing :) It's because we wiped the key totally; that being you are logged into Windows, it defaulted and added you to the list. If you look on the earlier findalls you weren't in the list.


OK, I attempted to remove myself and it said:

 

Security

You cannot remove because this object is inheriting permissions from its parent. To remove you must prevent this object from inheriting permissions. Turn off the option for inheriting permissions, and then try removing again.
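The permission list shadowwar gave above and the inheritance error in this last post can both be checked against the RegDACL block that Find-All prints. The script below is an added example, not code from the thread, Find-All or RegDACL; it parses the 'Access Control List' lines, compares them with shadowwar's five baseline entries, and reports whether every ACE carries RegDACL's ID flag, which it treats as 'inherited from the parent key' (an assumption about the abbreviation). The sample inputs are constructed copies of the ACL blocks from the 08:56 AM and 02:22 PM logs.

```python
"""Audit a RegDACL 'Access Control List' block against the baseline shadowwar gave.

Added example, not code from the thread, Find-All or RegDACL. Sample inputs
are constructed copies of two ACL blocks posted in this thread.
"""
import re
from collections import defaultdict

# Constructed sample 1: ACL block from the 08:56 AM Find-All (before the key was wiped).
EARLY_ACL = r"""
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
"""

# Constructed sample 2: ACL block from the 02:22 PM Find-All (after clear.reg and the restore).
LATE_ACL = r"""
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access RMA\mgarcia
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
"""

# The permission list shadowwar told the user to make the key match.
BASELINE = {
    r'BUILTIN\Users': 'Read',
    r'BUILTIN\Power Users': 'Read',
    r'BUILTIN\Administrators': 'Full access',
    r'NT AUTHORITY\SYSTEM': 'Full access',
    'CREATOR OWNER': 'Full access',
}

# One ACE line: (flags) ALLOW|DENY <rights> <identity>. Rights are either the
# words RegDACL uses ("Read", "Full access") or its compact letter mask.
ACE_RE = re.compile(
    r'^\((?P<flags>[A-Z-]+)\)\s+(?P<type>ALLOW|DENY)\s+'
    r'(?P<rights>Read|Full access|\S+)\s+(?P<who>.+)$'
)


def parse_regdacl(text):
    """Return the ACE dicts from the 'Access Control List' block of a Find-All log."""
    aces, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Access Control List for Registry key'):
            in_block = True
            continue
        if not in_block:
            continue
        if not line:            # the blank line after the last ACE closes the block
            break
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised ACE line: {line}')
        aces.append(m.groupdict())
    return aces


def audit(aces, baseline=BASELINE):
    """Compare ACEs with the baseline. Returns extra identities, identities whose
    rights differ, missing baseline identities, any DENY entries, and whether every
    ACE carries the ID flag (treated here as 'inherited from the parent key', an
    assumption about RegDACL's abbreviation; it matches the 'cannot remove because
    this object is inheriting permissions' error the user hit)."""
    granted = defaultdict(set)
    for ace in aces:
        if ace['type'] == 'ALLOW':
            granted[ace['who']].add(ace['rights'])
    return {
        'extra': sorted(w for w in granted if w not in baseline),
        'wrong_rights': {w: sorted(granted[w]) for w in baseline
                         if w in granted and granted[w] != {baseline[w]}},
        'missing': sorted(w for w in baseline if w not in granted),
        'deny': [a['who'] for a in aces if a['type'] == 'DENY'],
        'all_inherited': bool(aces) and all('ID' in a['flags'].split('-') for a in aces),
    }


if __name__ == '__main__':
    for label, text in (('08:56 AM log', EARLY_ACL), ('02:22 PM log', LATE_ACL)):
        print(label, audit(parse_regdacl(text)))
```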
