About:blank Will Not Go Away


60 replies to this topic

#1 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 07:39 AM

This has been going on for a month, please help.

I have tried everything and can't seem to kill this darn thing. If anyone knows a way to kill this I would love to know what it is.

I run CWShredder, Ad-Aware, Spybot, SpywareBlaster and HijackThis several times a day. Today I had a new twist: when I opened up my browser, instead of about:blank it was set to msn.com. I can attach any logs if needed.

I have read and tried quite a few fixes for this problem with no real success. CWShredder and Ad-Aware find items hourly. This is enough to make a person insane. I hate spyware.

I appreciate any help you can give me. Thanks.

#2 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 10:14 AM

Bump

#3 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 10:19 AM

I just spent the last two hours with my system administrator trying to get back into my computer. I was reading someone else's post and attempted to start up in safe mode by changing msconfig; upon restarting, when it asked for a password, mine would not work, nor would my administrator's. We had assumed that it was looking for the one given to the computer when purchased? Since we did not know what it was, we went through all kinds of hoops attempting to break back into the computer, since now it was stuck in safe mode. A thousand processes later I still find myself with the same darn problem of about:blank.

I need a vacation.

#4 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 11:09 AM

Here is an updated copy of my HijackThis log. I see some new items, but no matter how many times you "fix" them, others crop up within 30 minutes or so.

Logfile of HijackThis v1.97.7
Scan saved at 11:50:18 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc
O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rmasecurity.loc

#5 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 11:24 AM

Post a HijackThis log without fixing anything first. I need to see it with the infections showing.



#6 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 12:47 PM

Shadowwar,

Is there another log that I can run for you in order to see where the problem is?

#7 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 12:49 PM

Here is another one that I just ran; it looks like additional items are starting to jump on board.

Logfile of HijackThis v1.97.7
Scan saved at 1:53:05 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc
O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rmasecurity.loc
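
An added example (not part of this thread, and not HijackThis's own code): a small Python script that triages log lines like the ones above. It flags R0/R1 entries whose value is a res:// URL into a DLL or that HijackThis marked "(obfuscated)", flags O2 BHO entries with their CLSID and DLL path, and reports the set of DLLs those entries load. The sample lines are copied from the log posted above; the finding names and the `hijack_pattern` rule (res:// search entries together with a Start Page of about:blank, which is the combination this thread shows) are the editor's own choices, not anything the tool reports.

```python
"""Triage HijackThis v1.97 log lines for browser-hijack indicators (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
""".strip()

# R0/R1 lines: "<Rn> - <hive\key>,<value name> = <value>[ (obfuscated)]"
R_LINE = re.compile(r"^(R[01]) - ([^,]+),([^=]+?) = (.*?)(\s+\(obfuscated\))?$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# A browser setting served out of a DLL's resource section.
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
START_BLANK = re.compile(r"^R0 - .+,Start Page = about:blank$")


@dataclass
class Finding:
    kind: str        # "res-url", "obfuscated" or "bho" (editor's labels)
    line: str        # the log line as written
    dll: str = ""    # DLL path the entry loads, when any
    clsid: str = ""  # CLSID, for BHO entries


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious R0/R1/O2 line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, _key, _value_name, value, obfuscated = m.groups()
            res = RES_DLL.match(value)
            if res:
                findings.append(Finding("res-url", line, dll=res.group(1)))
            elif obfuscated:
                findings.append(Finding("obfuscated", line))
            continue
        m = O2_LINE.match(line)
        if m:
            _name, clsid, path = m.groups()
            findings.append(Finding("bho", line, dll=path, clsid=clsid))
    return findings


def suspect_dlls(findings: list[Finding]) -> list[str]:
    """Distinct, lower-cased DLL paths the flagged entries point at."""
    return sorted({f.dll.lower() for f in findings if f.dll})


def hijack_pattern(log_text: str) -> bool:
    """True when search settings live in a DLL *and* the start page is about:blank."""
    findings = triage(log_text)
    has_res = any(f.kind == "res-url" for f in findings)
    has_blank = any(START_BLANK.match(l.strip()) for l in log_text.splitlines())
    return has_res and has_blank


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.line}")
    print("DLLs to inspect:", suspect_dlls(found))
    print("about:blank hijack pattern present:", hijack_pattern(SAMPLE_LOG))
```

On the sample above the script reports one res-url entry and one BHO, both resolving to C:\WINDOWS\System32\hje.dll, which is the file the rest of this thread goes on to chase; the ProxyServer and O4 lines are left alone, since nothing in them points into a DLL.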

#8 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 12:51 PM

I just opened up another browser window and sure enough, about:blank has taken over once again.

#9 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 01:27 PM

That's what I needed to see.

Please download this:

http://tools.zerosrealm.com/dllfix.exe

Install it to the desktop.

Open the dllfix folder and double-click start.bat.
Select the option for a find-all report and post it here.



#10 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 01:32 PM

Here you go:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/25/2004
02:36 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (B013:FA76) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 29 197 594 624 [27G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3805.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
2:36pm up 0 days, 3:22
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
30042 568 norm _Shell_TrayWnd
2b029e 568 norm SysFader
10028 660 high NetDDE Agent
16010a 3968 norm C:\WINDOWS\System32\cmd.exe
3001c0 568 norm dllfix
170206 3084 norm ScreenPrint32 v3.0
200256 3084 norm ScreenPrint32 v3.5
25014a 3624 norm MCI command handling window
1d0118 3624 norm DDE Server Window
2e01e4 3084 norm _DAXParkingWindow
60130 568 norm MCI command handling window
100de 568 norm Connections Tray
100d0 568 norm Power Meter
100ce 568 norm MS_WebcheckMonitor
300a2 1208 norm HkWndName
4003e 1000 norm Symantec AntiVirus Corporate Edition
2005c 1652 norm Scan
2005e 1652 norm ACTION
20060 1652 norm VPIPCLINK
40066 1568 norm Dell OMCI Iap
11026a 568 norm SysFader
1500fe 3624 norm SysFader
3300f0 3624 norm SWI Forums -> About:blank Will Not Go Away - Microsoft Internet Explorer
10088 568 norm Program Manager
30048 568 norm M
30046 568 norm Default IME
1e0288 568 norm M
120254 568 norm Default IME
a0178 3084 norm M
11027e 3084 norm Default IME
19015a 3624 norm Default IME
50132 568 norm Default IME
100d2 568 norm Default IME
100ac 1208 norm Default IME
1009e 1000 norm Default IME
10068 1568 norm Default IME
290116 3624 norm M
26012e 3624 norm Default IME
1009c 568 norm M
30058 568 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#11 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 02:00 PM

Ok double click the start.bat again.
Select option 2, then the option to let it find it. It will run for a minute, then reboot. Please let it reboot. A second bat will run on bootup. Let it run and scan. After it's all done a log will open in Notepad. Please paste the contents of the log here.



#12 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 02:05 PM

Here is the log from start.bat:

Windows XP Detected
Running from Z:\
Scanning for bad files in system32 1st pass
File was not found on first Pass.

Scanning for bad files in system32 2nd pass
A file could not be found.

Here is a directory listing to post.


---------- DIR.TXT
04/30/2004 12:56 PM 3,572 cppna.dll
04/30/2004 10:42 AM 3,572 chiif.dll
04/30/2004 08:16 AM 3,573 jjapaa.dll
04/29/2004 03:42 PM 3,572 bebhnkb.dll
04/13/2004 03:00 PM 3,572 bikbhj.dll
04/09/2004 04:53 PM 6,656 spmsg.dll
03/29/2004 09:48 PM 667,648 lsasrv.dll
03/29/2004 09:48 PM 257,536 gdi32.dll
03/29/2004 09:48 PM 439,808 ipnathlp.dll
03/29/2004 09:48 PM 548,352 rtcdll.dll
03/29/2004 09:48 PM 36,864 mf3216.dll
03/29/2004 09:48 PM 136,704 schannel.dll
03/29/2004 09:48 PM 593,408 h323msp.dll
03/29/2004 09:48 PM 306,176 netapi32.dll
03/29/2004 09:48 PM 971,264 msgina.dll
03/29/2004 09:48 PM 51,712 msasn1.dll
03/16/2004 02:44 PM 30,749 vbajet32.dll
03/16/2004 02:44 PM 1,507,356 msjet40.dll
03/16/2004 01:38 PM 614,431 mswstr10.dll
03/16/2004 01:38 PM 151,583 msjint40.dll
03/10/2004 01:59 PM 593,408 xpsp2res.dll
03/05/2004 10:16 PM 535,552 rpcrt4.dll
03/05/2004 10:16 PM 263,680 rpcss.dll
03/05/2004 10:16 PM 1,194,496 comsvcs.dll
03/05/2004 10:16 PM 499,712 clbcatq.dll
03/05/2004 10:16 PM 977,920 msdtctm.dll
03/05/2004 10:16 PM 1,183,744 ole32.dll
03/05/2004 10:16 PM 226,816 es.dll
03/05/2004 10:16 PM 150,528 msdtcuiu.dll
03/05/2004 10:16 PM 225,280 catsrv.dll
03/05/2004 10:16 PM 594,944 catsrvut.dll
03/05/2004 10:16 PM 64,512 colbact.dll
03/05/2004 10:16 PM 110,080 clbcatex.dll
03/05/2004 10:16 PM 367,616 msdtcprx.dll
03/05/2004 10:16 PM 97,280 txflog.dll
03/05/2004 10:16 PM 82,432 mtxoci.dll
03/05/2004 10:16 PM 499,200 comuid.dll
03/05/2004 10:16 PM 64,512 mtxclu.dll
03/02/2004 01:18 PM 593,408 INETCOMM.DLL
03/01/2004 02:55 PM 348,189 msxbde40.dll
03/01/2004 02:55 PM 258,077 mstext40.dll
03/01/2004 02:55 PM 552,989 msrepl40.dll
03/01/2004 02:55 PM 348,189 mspbde40.dll
03/01/2004 02:55 PM 241,693 msjtes40.dll
03/01/2004 02:55 PM 319,517 msexcl40.dll
03/01/2004 02:55 PM 512,029 msexch40.dll
03/01/2004 02:52 PM 358,976 msjetoledb40.dll
02/06/2004 06:05 PM 588,288 WININET.DLL
01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL
01/21/2004 04:20 PM 484,352 URLMON.DLL
01/21/2004 04:19 PM 2,795,520 MSHTML.DLL
01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL
01/21/2004 03:18 PM 395,264 SHLWAPI.DLL
01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll
01/10/2004 07:37 AM 380,957 expsrv.dll
01/10/2004 07:36 AM 831,519 mswdat10.dll
01/10/2004 07:36 AM 315,423 msrd3x40.dll
01/10/2004 07:36 AM 421,919 msrd2x40.dll
01/10/2004 07:36 AM 213,023 msltus40.dll
01/10/2004 07:36 AM 53,279 msjter40.dll
Windows XP Detected
Running from Z:\
Scanning for bad files in system32 1st pass
File was not found on first Pass.

Scanning for bad files in system32 2nd pass
A file could not be found.

Here is a directory listing to post.


---------- DIR.TXT
04/30/2004 12:56 PM 3,572 cppna.dll
04/30/2004 10:42 AM 3,572 chiif.dll
04/30/2004 08:16 AM 3,573 jjapaa.dll
04/29/2004 03:42 PM 3,572 bebhnkb.dll
04/13/2004 03:00 PM 3,572 bikbhj.dll
04/09/2004 04:53 PM 6,656 spmsg.dll
03/29/2004 09:48 PM 667,648 lsasrv.dll
03/29/2004 09:48 PM 257,536 gdi32.dll
03/29/2004 09:48 PM 439,808 ipnathlp.dll
03/29/2004 09:48 PM 548,352 rtcdll.dll
03/29/2004 09:48 PM 36,864 mf3216.dll
03/29/2004 09:48 PM 136,704 schannel.dll
03/29/2004 09:48 PM 593,408 h323msp.dll
03/29/2004 09:48 PM 306,176 netapi32.dll
03/29/2004 09:48 PM 971,264 msgina.dll
03/29/2004 09:48 PM 51,712 msasn1.dll
03/16/2004 02:44 PM 30,749 vbajet32.dll
03/16/2004 02:44 PM 1,507,356 msjet40.dll
03/16/2004 01:38 PM 614,431 mswstr10.dll
03/16/2004 01:38 PM 151,583 msjint40.dll
03/10/2004 01:59 PM 593,408 xpsp2res.dll
03/05/2004 10:16 PM 535,552 rpcrt4.dll
03/05/2004 10:16 PM 263,680 rpcss.dll
03/05/2004 10:16 PM 1,194,496 comsvcs.dll
03/05/2004 10:16 PM 499,712 clbcatq.dll
03/05/2004 10:16 PM 977,920 msdtctm.dll
03/05/2004 10:16 PM 1,183,744 ole32.dll
03/05/2004 10:16 PM 226,816 es.dll
03/05/2004 10:16 PM 150,528 msdtcuiu.dll
03/05/2004 10:16 PM 225,280 catsrv.dll
03/05/2004 10:16 PM 594,944 catsrvut.dll
03/05/2004 10:16 PM 64,512 colbact.dll
03/05/2004 10:16 PM 110,080 clbcatex.dll
03/05/2004 10:16 PM 367,616 msdtcprx.dll
03/05/2004 10:16 PM 97,280 txflog.dll
03/05/2004 10:16 PM 82,432 mtxoci.dll
03/05/2004 10:16 PM 499,200 comuid.dll
03/05/2004 10:16 PM 64,512 mtxclu.dll
03/02/2004 01:18 PM 593,408 INETCOMM.DLL
03/01/2004 02:55 PM 348,189 msxbde40.dll
03/01/2004 02:55 PM 258,077 mstext40.dll
03/01/2004 02:55 PM 552,989 msrepl40.dll
03/01/2004 02:55 PM 348,189 mspbde40.dll
03/01/2004 02:55 PM 241,693 msjtes40.dll
03/01/2004 02:55 PM 319,517 msexcl40.dll
03/01/2004 02:55 PM 512,029 msexch40.dll
03/01/2004 02:52 PM 358,976 msjetoledb40.dll
02/06/2004 06:05 PM 588,288 WININET.DLL
01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL
01/21/2004 04:20 PM 484,352 URLMON.DLL
01/21/2004 04:19 PM 2,795,520 MSHTML.DLL
01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL
01/21/2004 03:18 PM 395,264 SHLWAPI.DLL
01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll
01/10/2004 07:37 AM 380,957 expsrv.dll
01/10/2004 07:36 AM 831,519 mswdat10.dll
01/10/2004 07:36 AM 315,423 msrd3x40.dll
01/10/2004 07:36 AM 421,919 msrd2x40.dll
01/10/2004 07:36 AM 213,023 msltus40.dll
01/10/2004 07:36 AM 53,279 msjter40.dll
05/25/2004 01:49 PM 31,232 hje.dll
04/30/2004 12:56 PM 3,572 cppna.dll
04/30/2004 10:42 AM 3,572 chiif.dll
04/30/2004 08:16 AM 3,573 jjapaa.dll
04/29/2004 03:42 PM 3,572 bebhnkb.dll
04/13/2004 03:00 PM 3,572 bikbhj.dll
04/09/2004 04:53 PM 6,656 spmsg.dll
03/10/2004 01:59 PM 593,408 xpsp2res.dll
03/02/2004 01:18 PM 593,408 INETCOMM.DLL
01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll
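
An added example (not from this thread, and not the dllfix tool's own logic): a Python script that parses the DIR.TXT style listing printed above and correlates it with the DLLs named in HijackThis R0/R1/O2 entries, so the analyst gets the last-write time and size of each referenced DLL in one place, plus a list of every DLL in the listing written after a chosen cutoff. The listing lines and HijackThis lines are copied from this thread; the cutoff date is an assumption chosen for the demo and should come from the incident timeline in real use.

```python
"""Correlate DLLs named in HijackThis entries with a dllfix DIR.TXT listing (added example)."""
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample: four lines copied from the DIR.TXT listing posted above.
DIR_SAMPLE = """
05/25/2004 01:49 PM 31,232 hje.dll
04/30/2004 12:56 PM 3,572 cppna.dll
03/29/2004 09:48 PM 667,648 lsasrv.dll
01/21/2004 04:19 PM 2,795,520 MSHTML.DLL
"""

# Constructed sample: HijackThis lines from the earlier log in this thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hje.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# Assumed cutoff for the "recently written" report (MM/DD/YYYY); not from the thread.
DEFAULT_CUTOFF = "05/01/2004"

# "MM/DD/YYYY HH:MM AM  size  name", as dir prints it in the listing above.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([AP]M)\s+([\d,]+)\s+(\S+)$"
)
# A Windows path ending in .dll, whether inside a res:// URL or a BHO entry.
DLL_REF = re.compile(r"[A-Za-z]:\\(?:[^\\/\s]+\\)*([^\\/\s]+\.dll)", re.IGNORECASE)


def parse_dir_listing(text: str) -> dict[str, tuple[datetime, int]]:
    """Map lower-cased file name -> (last-write time, size in bytes).
    The listing in the thread repeats entries; the dict keeps one per name."""
    entries: dict[str, tuple[datetime, int]] = {}
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if not m:
            continue
        date, clock, ampm, size, name = m.groups()
        mtime = datetime.strptime(f"{date} {clock} {ampm}", "%m/%d/%Y %I:%M %p")
        entries[name.lower()] = (mtime, int(size.replace(",", "")))
    return entries


def dlls_referenced(hjt_text: str) -> set[str]:
    """Lower-cased base names of DLLs that R0/R1/O2 HijackThis lines point at."""
    names: set[str] = set()
    for raw in hjt_text.splitlines():
        line = raw.strip()
        if not line.startswith(("R0 -", "R1 -", "O2 -")):
            continue
        for m in DLL_REF.finditer(line):
            names.add(m.group(1).lower())
    return names


def correlate(hjt_text: str, dir_text: str) -> dict[str, tuple[datetime, int] | None]:
    """For each referenced DLL, its listing entry, or None if the listing lacks it."""
    listing = parse_dir_listing(dir_text)
    return {name: listing.get(name) for name in dlls_referenced(hjt_text)}


def written_after(dir_text: str, cutoff: str = DEFAULT_CUTOFF) -> list[str]:
    """Names of DLLs in the listing whose last-write time is after the MM/DD/YYYY cutoff."""
    limit = datetime.strptime(cutoff, "%m/%d/%Y")
    listing = parse_dir_listing(dir_text)
    return sorted(name for name, (mtime, _) in listing.items() if mtime > limit)


if __name__ == "__main__":
    for name, entry in correlate(HJT_SAMPLE, DIR_SAMPLE).items():
        detail = "not in listing" if entry is None else f"{entry[0]} {entry[1]:,} bytes"
        print(name, "->", detail)
    print("written after", DEFAULT_CUTOFF + ":", written_after(DIR_SAMPLE))
```

Run against the samples, the script ties hje.dll from the HijackThis entries to the 05/25/2004 01:49 PM, 31,232-byte entry in the listing, which matches the time the second HijackThis log in this thread first showed the file; with the default cutoff, hje.dll is the only DLL reported as recently written. Last-write times are easy to forge, so treat the timeline as a lead to confirm, not as proof.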

#13 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 02:30 PM

Hmm, that didn't run like it was supposed to. You did run the start.bat and it rebooted, correct?



#14 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 02:31 PM

Yes, I ran start.bat and selected option 2, then selected option 2 again. Was that right?

#15 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 02:32 PM

Yeah, but the whole first part of the log is missing for some reason. Post a new find-all option please.



#16 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 02:33 PM

By the way, I have just reinstalled all of the security updates for Windows XP. They were lost when my administrator had to reload Windows this morning so that we could get back into my computer. Just thought that I would mention this in case it affects any of the logs.

#17 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 02:38 PM

OK, it's noted. Do you have admin rights?



#18 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 02:38 PM

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/25/2004
03:39 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (B013:FA76) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 28 135 448 576 [26G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
3:39pm up 0 days, 0:07
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
80036 964 norm _Shell_TrayWnd
10028 660 high NetDDE Agent
101c2 356 norm C:\WINDOWS\System32\cmd.exe
50188 964 norm MCI command handling window
30160 304 norm MCI command handling window
1015c 304 norm DDE Server Window
100de 964 norm Connections Tray
200ae 964 norm Power Meter
200ac 964 norm MS_WebcheckMonitor
100b0 1252 norm HkWndName
100a2 1276 norm Symantec AntiVirus Corporate Edition
10070 1684 norm Scan
1006c 1684 norm ACTION
1006a 1684 norm VPIPCLINK
40066 1604 norm Dell OMCI Iap
1013e 304 norm SysFader
100ee 304 norm SWI Forums -> About:blank Will Not Go Away - Microsoft Internet Explorer
1008a 964 norm Program Manager
30038 964 norm M
3003a 964 norm Default IME
40194 964 norm Default IME
30182 304 norm Default IME
400a6 964 norm Default IME
100b2 1252 norm Default IME
100a4 1276 norm Default IME
10068 1604 norm Default IME
100f6 304 norm M
100f2 304 norm Default IME
1009e 964 norm M
30062 964 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#19 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 02:39 PM

Also, did you run this off a network drive? It should be run on a local drive like C:.

Edited by shadowwar, 25 May 2004 - 02:40 PM.




#20 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 02:40 PM

Here you go:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/25/2004
03:39 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (B013:FA76) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 28 135 448 576 [26G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
3:39pm up 0 days, 0:07
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
80036 964 norm _Shell_TrayWnd
10028 660 high NetDDE Agent
101c2 356 norm C:\WINDOWS\System32\cmd.exe
50188 964 norm MCI command handling window
30160 304 norm MCI command handling window
1015c 304 norm DDE Server Window
100de 964 norm Connections Tray
200ae 964 norm Power Meter
200ac 964 norm MS_WebcheckMonitor
100b0 1252 norm HkWndName
100a2 1276 norm Symantec AntiVirus Corporate Edition
10070 1684 norm Scan
1006c 1684 norm ACTION
1006a 1684 norm VPIPCLINK
40066 1604 norm Dell OMCI Iap
1013e 304 norm SysFader
100ee 304 norm SWI Forums -> About:blank Will Not Go Away - Microsoft Internet Explorer
1008a 964 norm Program Manager
30038 964 norm M
3003a 964 norm Default IME
40194 964 norm Default IME
30182 304 norm Default IME
400a6 964 norm Default IME
100b2 1252 norm Default IME
100a4 1276 norm Default IME
10068 1604 norm Default IME
100f6 304 norm M
100f2 304 norm Default IME
1009e 964 norm M
30062 964 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{E9F64C8E-25F6-4428-9F9C-16BBDB2D637B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#21 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 02:41 PM

I do not have administrative rights, but I can call my administrator in my office at any time to log on if need be. He knows that I am attempting to get this problem fixed.

#22 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 25 May 2004 - 02:44 PM

OK, you need to have admin rights, so have him log in.

Run the dllfix while he is logged in, from the C:\ drive and not a network drive.
Option 2, and let it find again.
After it reboots, have him log in again. It will finish. Then post that log again.



#23 ShellsPC

    Member

  • Full Member
  • 39 posts

Posted 25 May 2004 - 03:10 PM

Here is the log off of the c drive:

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Tue 05/25/2004
04:06 PM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully

Deleting temp value

The operation completed successfully

Running from C:\Documents and Settings\mgarcia.RMA\Desktop\dllfix
Scanning for bad files in system32 1st pass
File was not found on first Pass.

Scanning for bad files in system32 2nd pass
A file could not be found.

Here is a directory listing to post.


---------- DIR.TXT
04/30/2004 12:56 PM 3,572 cppna.dll
04/30/2004 10:42 AM 3,572 chiif.dll
04/30/2004 08:16 AM 3,573 jjapaa.dll
04/29/2004 03:42 PM 3,572 bebhnkb.dll
04/13/2004 03:00 PM 3,572 bikbhj.dll
04/09/2004 04:53 PM 6,656 spmsg.dll
03/29/2004 09:48 PM 667,648 lsasrv.dll
03/29/2004 09:48 PM 257,536 gdi32.dll
03/29/2004 09:48 PM 439,808 ipnathlp.dll
03/29/2004 09:48 PM 548,352 rtcdll.dll
03/29/2004 09:48 PM 36,864 mf3216.dll
03/29/2004 09:48 PM 136,704 schannel.dll
03/29/2004 09:48 PM 593,408 h323msp.dll
03/29/2004 09:48 PM 306,176 netapi32.dll
03/29/2004 09:48 PM 971,264 msgina.dll
03/29/2004 09:48 PM 51,712 msasn1.dll
03/16/2004 02:44 PM 30,749 vbajet32.dll
03/16/2004 02:44 PM 1,507,356 msjet40.dll
03/16/2004 01:38 PM 614,431 mswstr10.dll
03/16/2004 01:38 PM 151,583 msjint40.dll
03/10/2004 01:59 PM 593,408 xpsp2res.dll
03/05/2004 10:16 PM 535,552 rpcrt4.dll
03/05/2004 10:16 PM 263,680 rpcss.dll
03/05/2004 10:16 PM 1,194,496 comsvcs.dll
03/05/2004 10:16 PM 499,712 clbcatq.dll
03/05/2004 10:16 PM 977,920 msdtctm.dll
03/05/2004 10:16 PM 1,183,744 ole32.dll
03/05/2004 10:16 PM 226,816 es.dll
03/05/2004 10:16 PM 150,528 msdtcuiu.dll
03/05/2004 10:16 PM 225,280 catsrv.dll
03/05/2004 10:16 PM 594,944 catsrvut.dll
03/05/2004 10:16 PM 64,512 colbact.dll
03/05/2004 10:16 PM 110,080 clbcatex.dll
03/05/2004 10:16 PM 367,616 msdtcprx.dll
03/05/2004 10:16 PM 97,280 txflog.dll
03/05/2004 10:16 PM 82,432 mtxoci.dll
03/05/2004 10:16 PM 499,200 comuid.dll
03/05/2004 10:16 PM 64,512 mtxclu.dll
03/02/2004 01:18 PM 593,408 INETCOMM.DLL
03/01/2004 02:55 PM 348,189 msxbde40.dll
03/01/2004 02:55 PM 258,077 mstext40.dll
03/01/2004 02:55 PM 552,989 msrepl40.dll
03/01/2004 02:55 PM 348,189 mspbde40.dll
03/01/2004 02:55 PM 241,693 msjtes40.dll
03/01/2004 02:55 PM 319,517 msexcl40.dll
03/01/2004 02:55 PM 512,029 msexch40.dll
03/01/2004 02:52 PM 358,976 msjetoledb40.dll
02/06/2004 06:05 PM 588,288 WININET.DLL
01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL
01/21/2004 04:20 PM 484,352 URLMON.DLL
01/21/2004 04:19 PM 2,795,520 MSHTML.DLL
01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL
01/21/2004 03:18 PM 395,264 SHLWAPI.DLL
01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll
01/10/2004 07:37 AM 380,957 expsrv.dll
01/10/2004 07:36 AM 831,519 mswdat10.dll
01/10/2004 07:36 AM 315,423 msrd3x40.dll
01/10/2004 07:36 AM 421,919 msrd2x40.dll
01/10/2004 07:36 AM 213,023 msltus40.dll
01/10/2004 07:36 AM 53,279 msjter40.dll
05/25/2004 01:49 PM 31,232 hje.dll
04/30/2004 12:56 PM 3,572 cppna.dll
04/30/2004 10:42 AM 3,572 chiif.dll
04/30/2004 08:16 AM 3,573 jjapaa.dll
04/29/2004 03:42 PM 3,572 bebhnkb.dll
04/13/2004 03:00 PM 3,572 bikbhj.dll
04/09/2004 04:53 PM 6,656 spmsg.dll
03/29/2004 09:48 PM 971,264 msgina.dll
03/29/2004 09:48 PM 257,536 gdi32.dll
03/29/2004 09:48 PM 548,352 rtcdll.dll
03/29/2004 09:48 PM 136,704 schannel.dll
03/29/2004 09:48 PM 306,176 netapi32.dll
03/29/2004 09:48 PM 439,808 ipnathlp.dll
03/29/2004 09:48 PM 51,712 msasn1.dll
03/29/2004 09:48 PM 36,864 mf3216.dll
03/29/2004 09:48 PM 667,648 lsasrv.dll
03/29/2004 09:48 PM 593,408 h323msp.dll
03/16/2004 02:44 PM 30,749 vbajet32.dll
03/16/2004 02:44 PM 1,507,356 msjet40.dll
03/16/2004 01:38 PM 614,431 mswstr10.dll
03/16/2004 01:38 PM 151,583 msjint40.dll
03/10/2004 01:59 PM 593,408 xpsp2res.dll
03/05/2004 10:16 PM 226,816 es.dll
03/05/2004 10:16 PM 1,183,744 ole32.dll
03/05/2004 10:16 PM 535,552 rpcrt4.dll
03/05/2004 10:16 PM 1,194,496 comsvcs.dll
03/05/2004 10:16 PM 499,712 clbcatq.dll
03/05/2004 10:16 PM 977,920 msdtctm.dll
03/05/2004 10:16 PM 263,680 rpcss.dll
03/05/2004 10:16 PM 82,432 mtxoci.dll
03/05/2004 10:16 PM 64,512 mtxclu.dll
03/05/2004 10:16 PM 225,280 catsrv.dll
03/05/2004 10:16 PM 594,944 catsrvut.dll
03/05/2004 10:16 PM 150,528 msdtcuiu.dll
03/05/2004 10:16 PM 367,616 msdtcprx.dll
03/05/2004 10:16 PM 64,512 colbact.dll
03/05/2004 10:16 PM 110,080 clbcatex.dll
03/05/2004 10:16 PM 97,280 txflog.dll
03/05/2004 10:16 PM 499,200 comuid.dll
03/02/2004 01:18 PM 593,408 INETCOMM.DLL
03/01/2004 02:55 PM 348,189 msxbde40.dll
03/01/2004 02:55 PM 552,989 msrepl40.dll
03/01/2004 02:55 PM 258,077 mstext40.dll
03/01/2004 02:55 PM 348,189 mspbde40.dll
03/01/2004 02:55 PM 241,693 msjtes40.dll
03/01/2004 02:55 PM 319,517 msexcl40.dll
03/01/2004 02:55 PM 512,029 msexch40.dll
03/01/2004 02:52 PM 358,976 msjetoledb40.dll
01/21/2004 04:21 PM 1,026,048 BROWSEUI.DLL
01/21/2004 04:20 PM 484,352 URLMON.DLL
01/21/2004 04:19 PM 2,795,520 MSHTML.DLL
01/21/2004 04:16 PM 588,288 WININET.DLL
01/21/2004 04:15 PM 1,339,904 SHDOCVW.DLL
01/21/2004 03:18 PM 395,264 SHLWAPI.DLL
01/16/2004 01:23 PM 65,538 Java_PrintPeer.dll
01/10/2004 07:37 AM 380,957 expsrv.dll
01/10/2004 07:36 AM 831,519 mswdat10.dll
01/10/2004 07:36 AM 315,423 msrd3x40.dll
01/10/2004 07:36 AM 421,919 msrd2x40.dll
01/10/2004 07:36 AM 213,023 msltus40.dll
01/10/2004 07:36 AM 53,279 msjter40.dll

#24 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 25 May 2004 - 03:59 PM

Shadowwar,

I am heading out for the day. I will be back in the AM and will check in. Thanks for all of your help. I sure hope we can kick this thing, it has driven me completely insane (not a far trip).

#25 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 07:05 AM

Shadowwar,

Good morning, I'm here for the day and ready to kill this darn thing.

Thanks.

#26 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 07:30 AM

Ok, one more request. Delete that whole dllfix folder and dllfix.exe. Download a fresh copy, as I updated it last night, so it should work better.

http://tools.zerosrealm.com/dllfix.exe

Post me 1 more findall from it after you download it.

Then have your admin run it once more. Option 2, then 2 again.

Post me the new logs.txt please.

Edited by shadowwar, 26 May 2004 - 07:31 AM.




#27 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 07:55 AM

I accidentally did this in reverse: I ran option 2 off of the C drive first, then I ran find all (off the network). Here is the log for find all:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Wed 05/26/2004
08:56 AM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (B013:FA76) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 28 128 755 712 [26G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
8:56am up 0 days, 0:04
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
4011a 1092 norm _Shell_TrayWnd
60064 660 high NetDDE Agent
400f6 1184 norm C:\WINDOWS\System32\cmd.exe
300b4 1092 norm MCI command handling window
300ce 1092 norm Connections Tray
200f4 1092 norm Power Meter
200fe 1092 norm MS_WebcheckMonitor
20088 1956 norm Symantec AntiVirus Corporate Edition
4003c 1248 norm HkWndName
1006c 1632 norm ACTION
1006e 1632 norm Scan
1006a 1632 norm VPIPCLINK
40066 1584 norm Dell OMCI Iap
40042 1092 norm Program Manager
40110 1092 norm M
70062 1092 norm Default IME
2013c 1092 norm Default IME
200f2 1092 norm Default IME
20078 1956 norm Default IME
40096 1248 norm Default IME
10068 1584 norm Default IME
2012c 1092 norm M
4012a 1092 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Here is the log for dll fix:

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Wed 05/26/2004
08:51 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Deleting Filter text
Running from C:\Documents and Settings\mgarcia.RMA\My Documents\DLLFix\dllfix
Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Scanning For main hijacker.
Found Main Hijacker Dll:C:\WINDOWS\System32\HJE.DLL
Md5 tested As 0758CF635DF08AC381962F74832B6484
MD5 Matched known Baddie
Deleting Hijacker Dll: C:\WINDOWS\System32\HJE.DLL
Succesfully Deleted
Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
File found was: C:\WINDOWS\System32\MS.DLL

Md5 Check of C:\WINDOWS\System32\MS.DLL

Md5 tested As D41D8CD98F00B204E9800998ECF8427E
File was found but md5 didnt match
MD5 was: D41D8CD98F00B204E9800998ECF8427E
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\System32\MS.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\mgarcia.RMA\My Documents\DLLFix\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

#28 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 09:27 AM

Bump

#29 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 10:54 AM

Gone to lunch, will be back in a little bit.

#30 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 11:23 AM

Can you see what the size of the submit.zip is, please?



#31 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 11:59 AM

I ran a search for submit.zip and found it in documents and settings, it is 2KB.

#32 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 12:04 PM

Post a find-all please. Thanks.



#33 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 12:06 PM

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Wed 05/26/2004
01:11 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (B013:FA76) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 27 839 582 208 [26G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
1:11pm up 0 days, 2:07
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
90150 3104 norm _Shell_TrayWnd
60086 660 high NetDDE Agent
1500c2 3936 norm C:\WINDOWS\System32\cmd.exe
c0256 1760 norm SWI Forums -> About:blank Will Not Go Away - Microsoft Internet Explorer
a02a6 1760 norm MCI command handling window
60298 1760 norm DDE Server Window
a0324 2432 norm _DAXParkingWindow
11039a 2432 norm ScreenPrint32 v3.0
b02ce 2432 norm ScreenPrint32 v3.5
401fc 3092 norm AOM
301e4 2748 norm Search Results
60172 2748 norm Adobe Acrobat
401e6 2748 norm transport Window
301fa 2748 norm DDE Server Window
401fe 2748 norm Font Capture
c00a0 3104 norm MCI command handling window
130120 3104 norm Connections Tray
50084 3104 norm Power Meter
90072 3104 norm MS_WebcheckMonitor
600c0 3220 norm HkWndName
5003c 3168 norm Symantec AntiVirus Corporate Edition
1005e 1644 norm ACTION
10060 1644 norm Scan
1005c 1644 norm VPIPCLINK
10058 1584 norm Dell OMCI Iap
1302e2 3104 norm SysFader
8026c 1760 norm SysFader
70068 3104 norm Program Manager
a0148 3104 norm M
80114 3104 norm Default IME
90244 1760 norm M
60252 1760 norm Default IME
a020a 1760 norm Default IME
1043c 2432 norm M
80388 2432 norm Default IME
5016e 3092 norm Default IME
501d6 2748 norm M
402b2 2748 norm Default IME
d008a 3104 norm Default IME
b011e 3104 norm Default IME
50078 3220 norm Default IME
400e6 3168 norm Default IME
1005a 1584 norm Default IME
400e4 3104 norm M
500ea 3104 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB466326-13AF-424D-8ECE-7719FAF40CA7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#34 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 12:19 PM

Ok, in the dllfix folder there should be a windows.txt file. Open it with Notepad and it will look real funny. Paste it here please.



#35 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 12:21 PM

regf       Pugf hbin   ˙˙˙nk, €ůŐ0 CÄ ˙˙˙˙ ˙˙˙˙˙˙˙˙  € ˙˙˙˙ 0 6 i m  WindowsowsŢ H6Ţ Čţ˙˙sk € €    ”     ě
     !
 €  !      #
 €  #  ?    
     ?   
    ?    
        Đ˙˙˙vk  č   ŔUDeviceNotSelectedTimeoutđ˙˙˙1 5  @  ¸ Đ˙˙˙vk  €'   zGDIProcessHandleQuota"ţđ˙˙˙9 0  ?¸| ŕ˙˙˙vk  `   °şSpooler2đ˙˙˙y e s Čn ŕ˙˙˙vk  €   =pswapdisk ¸  @ p ¨ Đ˙˙˙vk  0   RżTransmissionRetryTimeoutĐ˙˙˙vk  €'   i USERProcessHandleQuotai ŕ˙˙˙¸  @ p ¨ Ř ( Ř˙˙˙vk 6 P   °şAppInit_DLLsecteŔ˙˙˙c : \ w i n d o w s \ s y s t e m 3 2 \ m s . d l l p

#36 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 12:26 PM

Ok, let's try to attack this manually. Not sure why it's being so stubborn.

copy the contents of the quote box to notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


hit file/save as
give it the name of clear.reg

Under the filename set file types to all types.

Save it to the desktop.
Close notepad.
Double click the clear.reg
when asked to merge say yes.
It should say successfully merged.

If it does Reboot.
When back into windows check and see if this file is visible:

C:\WINDOWS\System32\MS.DLL

Post back and let me know.



#37 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 12:46 PM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: C:\WINDOWS\SYSTEM32\MS.DLL
Location: Quarantine
Computer: PC98003
User: SYSTEM
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, May 26, 2004 1:42:02 PM

#38 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 01:04 PM

Well, that's a good sign! Ok, we need to put back the registry entry. Do the same thing but with this in the quote box.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""


I know it's in quarantine, but is there any way you can send me a copy of that file?

After you do this please run dllfix again and give me another findall please.



#39 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 01:10 PM

Where would I find a copy of the quarantined file?

#40 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 01:14 PM

What antivirus is it? If it's too much trouble, don't worry about it. Let's just get you cleaned up.

After you are done with the new regmerge

Post the findall and a new hijackthis log please.



#41 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 01:19 PM

Here is the findall:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Wed 05/26/2004
02:22 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (B013:FA76) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 27 842 269 184 [26G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
2:22pm up 0 days, 0:05
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
4002e 572 norm _Shell_TrayWnd
10028 660 high NetDDE Agent
2016e 428 norm C:\WINDOWS\System32\cmd.exe
5014a 572 norm MCI command handling window
200ae 572 norm Connections Tray
200bc 572 norm Power Meter
200dc 1192 norm HkWndName
200ac 1284 norm TrayIconHandler
100a4 1128 norm Symantec AntiVirus Corporate Edition
1006e 1632 norm Scan
1006c 1632 norm ACTION
4006a 1632 norm VPIPCLINK
10058 1576 norm Dell OMCI Iap
200be 572 norm MS_WebcheckMonitor
20080 572 norm Program Manager
30032 572 norm M
30030 572 norm Default IME
3015e 572 norm Default IME
200ba 572 norm Default IME
200da 1192 norm Default IME
200e2 1284 norm Default IME
100a6 1128 norm Default IME
1005a 1576 norm Default IME
1009e 572 norm M
30064 572 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB466326-13AF-424D-8ECE-7719FAF40CA7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access RMA\mgarcia
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access RMA\mgarcia




#42 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 01:21 PM

Here is the hijackthis:
Logfile of HijackThis v1.97.7
Scan saved at 2:25:25 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll (file missing)
O2 - BHO: (no name) - {CB466326-13AF-424D-8ECE-7719FAF40CA7} - C:\WINDOWS\System32\mlkif.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8132.5077083333
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc
O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rmasecurity.loc

#43 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 01:29 PM

Ok, next two steps... getting there.

load up regedit. Navigate here:

hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Right click on the windows portion and hit permissions.


ALLOW Read BUILTIN\Users
ALLOW Read BUILTIN\Power Users
ALLOW Full access BUILTIN\Administrators
ALLOW Full access NT AUTHORITY\SYSTEM
ALLOW Full access CREATOR OWNER

You need to remove yourself from the list and make the list match the above.

That takes care of the main part.

Then do this:

Now download Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Check any of these entries with hijackthis if still there:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mlkif.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8DEB8D5B-0D8E-4BD6-8E42-2F3ED4864FDE} - C:\WINDOWS\System32\hje.dll (file missing)
O2 - BHO: (no name) - {CB466326-13AF-424D-8ECE-7719FAF40CA7} - C:\WINDOWS\System32\mlkif.dll


post a new hijackthis log along with one more findall so we can make sure the registry is back to where it should be.

Hopefully that should be it.

Edited by shadowwar, 26 May 2004 - 01:30 PM.
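As an added example (not part of the thread, and not Shadowwar's dllfix or Find-All code): a Python triage script that reads a Find-All style report and flags the indicators this thread works through. It parses the REGEDIT4 blocks and the RegDACL "Effective permissions" block that Find-All prints and reports a non-empty AppInit_DLLs value under the 'Windows' key, MIME filters under PROTOCOLS\Filter beyond the stock IE set (the text/html and text/plain entries that show up in the second Find-All), every registered BHO CLSID, and any principal in the key's effective permissions that is not in the baseline shadowwar lists in the post above. The baseline sets are assumptions taken from the first Find-All and from that post; the sample report is constructed to mirror the thread's logs. One caveat the thread itself illustrates: the parser only sees what the text export shows, and post #35's windows.txt dump has an AppInit_DLLs path in the raw hive while reg.exe prints the value as empty, which is why the whole key ends up being deleted and recreated.

```python
import re

# Registry locations Find-All dumps and that this thread turns on.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
FILTER_ROOT = r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter"
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Assumed baselines: stock IE6 MIME filters (first Find-All on the thread) and the
# 'Windows' key effective permissions shadowwar asked to restore (post #43).
BASELINE_FILTERS = {"Class Install Handler", "deflate", "gzip", "lzdhtml", "text/webviewhtml"}
BASELINE_ACL = {("Read", r"BUILTIN\Users"), ("Read", r"BUILTIN\Power Users"),
                ("Full access", r"BUILTIN\Administrators"), ("Full access", r"NT AUTHORITY\SYSTEM")}
KEY_RE = re.compile(r"^\[([^\]]+)\]$")            # [HKEY_...\Subkey]
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')  # "Name"="data" or @="data"


def _decode(raw):
    """REGEDIT4 data -> Python: quoted string (unescaped), dword:hex -> int, else raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_regedit4(text):
    """Collect {key: {value_name: data}} from every REGEDIT4 block; empty keys still count."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})          # a bare BHO subkey is itself the indicator
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _decode(m.group(2))
    return keys


def parse_effective_permissions(text):
    """Return {(rights, principal)} from RegDACL's 'Effective permissions' block."""
    entries = set()
    block = text.split("Effective permissions for Registry key", 1)
    if len(block) < 2:
        return entries
    for entry in block[1].splitlines()[1:]:      # skip the remainder of the header line
        entry = entry.strip()
        if not entry:                             # a blank line ends the block
            break
        rights, principal = (("Full access", entry[12:]) if entry.startswith("Full access ")
                             else tuple(entry.split(" ", 1)))   # "Read X" or "QWCEN-DS-- X"
        entries.add((rights, principal))
    return entries


def triage(report):
    """Return (category, detail) findings for the indicators this thread tracks."""
    findings, keys = [], parse_regedit4(report)
    appinit = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    if appinit:                                            # empty on a clean box
        findings.append(("appinit", appinit))
    for key in sorted(keys):
        if key.startswith(FILTER_ROOT + "\\"):
            name = key[len(FILTER_ROOT) + 1:]
            if name not in BASELINE_FILTERS:               # text/html, text/plain on this box
                findings.append(("mime_filter", f"{name} -> {keys[key].get('CLSID', '?')}"))
    for key in sorted(keys):
        if key.startswith(BHO_ROOT + "\\"):                # list every BHO for review
            findings.append(("bho", key[len(BHO_ROOT) + 1:]))
    for rights, principal in sorted(parse_effective_permissions(report) - BASELINE_ACL):
        findings.append(("acl", f"{rights} {principal}"))
    return findings


# Constructed sample in Find-All's layout; the values mirror what the thread's logs show.
SAMPLE_REPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"GDIProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="c:\\windows\\system32\\ms.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB466326-13AF-424D-8ECE-7719FAF40CA7}]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{A4C07812-DC52-4FE7-BBB9-1039133E80CC}"

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access RMA\mgarcia
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:12} {detail}")
```

Run against the sample it reports the AppInit_DLLs path, the two non-default MIME filters, the one BHO, and the two ACL entries (the Power Users rights change and the logged-on user that the recreated key inherited), which is the same picture shadowwar pieces together across posts #33 to #43. Feed it a report with only stock filters and the baseline ACL and it returns nothing.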




#44 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 01:42 PM

OK, I have navigated my way to the windows permissions. I am confused about what to do next.

#45 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 01:47 PM

Ok, I think that I have figured out the permissions thing. What will I lose if I delete myself from permissions?

#46 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 01:53 PM

If I delete myself from permissions, will I be able to log back into the computer after I do the adaware thing?

#47 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 02:01 PM

Well, you weren't there to begin with, so you will lose nothing :) It's because we wiped the key totally; with you being logged into Windows, it defaulted and added you to the list. If you look at the earlier find-alls you weren't in the list.



#48 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 02:04 PM

Ok, just so I am sure, I will remove myself from the list, click ok and then get on with the adaware?

#49 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 02:10 PM

Correct. I meant to say you won't lose anything, as you didn't have them before.

:)



#50 ShellsPC

ShellsPC

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 26 May 2004 - 02:14 PM

OK, I attempted to remove myself and it said:

Security
You cannot remove because this object is inheriting permissions from its parent. To remove you must prevent this object from inheriting permissions. Turn off the option for inheriting permissions, and then try removing again.



