About:blank Will Not Go Away


60 replies to this topic

#51 ShellsPC (Full Member, 39 posts)

Posted 26 May 2004 - 02:16 PM

When I click on advanced it says that I have full control under permissions. I found out yesterday that I did not need the administrator to log on for me, I could do this under my user name and password.

#52 superbratkidde (Full Member, 35 posts)

Posted 26 May 2004 - 02:23 PM

Shells, when you get through with this, download SpywareGuard if you don't have it yet. I've had very few incidents on my PC since I installed it.
Make sure you have the real-time scanner on, which will alert you during an attack and ask you if you want to accept changes.

#53 superbratkidde (Full Member, 35 posts)

Posted 26 May 2004 - 02:27 PM

One more thing: have you tried reinstalling the default registry values for IE 6? These are the ones you get after a fresh install of IE. If you can't find these values, post the question in the Fix PC part of this forum. I did this before and restored my pages back to factory settings.
Good luck.

#54 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 26 May 2004 - 02:34 PM

Forgot about that step. Uncheck the inherit box. It will then give you a popup box. Hit Copy. Then you can remove yourself.

Superbratkidde, this is a very complex hijack. HijackThis will take care of what you said to do. I know you are trying to help, but this may confuse things.



#55 ShellsPC (Full Member, 39 posts)

Posted 26 May 2004 - 02:38 PM

OK, I'm on to Ad-Aware. Be back in a minute.

#56 ShellsPC (Full Member, 39 posts)

Posted 26 May 2004 - 03:12 PM

OK, here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:10:18 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\userinit.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RMASBS:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8132.5077083333
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmasecurity.loc
O17 - HKLM\Software\..\Telephony: DomainName = rmasecurity.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rmasecurity.loc

Does the FindAll log need to be done off of the network?

#57 ShellsPC (Full Member, 39 posts)

Posted 26 May 2004 - 03:21 PM

Here is the FindAll log:

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Wed 05/26/2004
04:22 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (B013:FA76) - FS:NTFS clusters:4k
Total: 39 958 409 216 [37G] - Free: 27 843 670 016 [26G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
4:22pm up 0 days, 0:04
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
10090 580 norm Start Menu
4002c 580 norm _Shell_TrayWnd
10028 660 high NetDDE Agent
3019e 256 norm C:\WINDOWS\System32\cmd.exe
10110 580 norm MCI command handling window
20108 580 norm Connections Tray
200e0 580 norm Power Meter
200e4 580 norm MS_WebcheckMonitor
200c6 1508 norm IsaTray
100d0 1240 norm HkWndName
100bc 1064 norm Symantec AntiVirus Corporate Edition
1006e 1636 norm Scan
1006c 1636 norm ACTION
1006a 1636 norm VPIPCLINK
40066 1568 norm Dell OMCI Iap
9011a 580 norm SysFader
10086 580 norm Program Manager
30034 580 norm M
30032 580 norm Default IME
10114 580 norm Default IME
200de 580 norm Default IME
400b8 1508 norm Default IME
100d2 1240 norm Default IME
100be 1064 norm Default IME
10068 1568 norm Default IME
1009a 580 norm M
30064 580 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(CI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
(CI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(CI) ALLOW Full access NT AUTHORITY\SYSTEM
(CI) ALLOW Read BUILTIN\Users

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Full access BUILTIN\Administrators
QWCEN-DS-- BUILTIN\Power Users
Full access NT AUTHORITY\SYSTEM
Read BUILTIN\Users
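
The RegDACL section of the FindAll log above lists who may write to the "Windows" key whose AppInit_DLLs value the same log dumps, and that is the ACL that shadowwar's earlier instruction (uncheck inherit, hit Copy, remove yourself) tightens. The Python below is an added example, not part of the original thread and not code from the FindAll or RegDACL tools: it parses RegDACL-style ACE lines and a REGEDIT4 export (both constructed here in the format quoted above), reports which principals can set values on the key, checks whether an account carrying a given set of group names could still write there before and after the lockdown, and confirms AppInit_DLLs is empty. The decoding of RegDACL's ten-letter permission string (the second letter, W, taken to mean Set Value) is an assumption, as is the "after lockdown" ACL sample.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# One RegDACL ACE line, e.g. "(CI) ALLOW QWCEN-DS-- BUILTIN\Power Users".
ACE_RE = re.compile(
    r"^\((?P<flags>[A-Z]+)\)\s+(?P<kind>ALLOW|DENY)\s+"
    r"(?P<perm>Full access|Read|[A-Z-]{10})\s+(?P<who>.+?)\s*$"
)
# The AppInit_DLLs value line of a REGEDIT4 export, e.g. "AppInit_DLLs"="".
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="(?P<val>.*)"$')


@dataclass(frozen=True)
class Ace:
    flags: str   # CI = container inherit, IO = inherit only, as RegDACL prints them
    kind: str    # ALLOW or DENY
    perm: str    # "Full access", "Read" or RegDACL's ten-letter string
    who: str     # trustee name as RegDACL prints it

    def covers_set_value(self) -> bool:
        # Assumption: in RegDACL's ten-letter string the second letter, W,
        # stands for Set Value and '-' means the right is absent.
        if self.perm == "Full access":
            return True
        if self.perm == "Read":
            return False
        return self.perm[1] == "W"


def parse_regdacl(text: str) -> List[Ace]:
    """Pick ACE lines out of RegDACL output; every other line is ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["flags"], m["kind"], m["perm"], m["who"]))
    return aces


def value_writers(aces: Iterable[Ace]) -> Set[str]:
    """Principals with an effective right to set values on the key."""
    aces = list(aces)
    allowed = {a.who for a in aces if a.kind == "ALLOW" and a.covers_set_value()}
    denied = {a.who for a in aces if a.kind == "DENY" and a.covers_set_value()}
    return allowed - denied


def token_can_set_value(aces: Iterable[Ace], token: Set[str]) -> bool:
    """token = an account's name plus every group it belongs to.
    A DENY matching any of them wins, as in Windows ACL evaluation."""
    aces = list(aces)
    if any(a.kind == "DENY" and a.who in token and a.covers_set_value() for a in aces):
        return False
    return any(a.kind == "ALLOW" and a.who in token and a.covers_set_value() for a in aces)


def appinit_dlls(export_text: str) -> Optional[str]:
    """Return the AppInit_DLLs value from a REGEDIT4 export, or None if absent."""
    for line in export_text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return m["val"]
    return None


# Constructed samples in the format of the FindAll/RegDACL output above.
ACL_BEFORE = r"""
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(CI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
(CI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(CI) ALLOW Full access NT AUTHORITY\SYSTEM
(CI) ALLOW Read BUILTIN\Users
"""
# Assumed result after inheritance is removed and the everyday group is taken off.
ACL_AFTER = r"""
(CI) ALLOW Full access BUILTIN\Administrators
(CI) ALLOW Full access NT AUTHORITY\SYSTEM
(CI) ALLOW Read BUILTIN\Users
"""
EXPORT = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
"AppInit_DLLs"=""
'''

if __name__ == "__main__":
    everyday = {"BUILTIN\\Users", "BUILTIN\\Power Users"}   # constructed token
    print("writers before:", sorted(value_writers(parse_regdacl(ACL_BEFORE))))
    print("everyday account can write, before:", token_can_set_value(parse_regdacl(ACL_BEFORE), everyday))
    print("everyday account can write, after: ", token_can_set_value(parse_regdacl(ACL_AFTER), everyday))
    print("AppInit_DLLs =", repr(appinit_dlls(EXPORT)))
```

Run against a real FindAll log, the point to look at is the "before" result: as long as a group the everyday account belongs to (here Power Users) keeps Set Value on the key, a non-empty AppInit_DLLs can be written back without administrator rights, which is why the lockdown step removes that account from the ACL rather than only clearing the value.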




#58 ShellsPC (Full Member, 39 posts)

Posted 26 May 2004 - 03:31 PM

Shadowwar,

I am heading out for the day (thank goodness). I am so tired of looking at this computer. I will return in the morning. Thank you so much for your help. I hope we can kill this thing. Good night.

#59 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 26 May 2004 - 06:27 PM

It's killed. Here are some tips:

Please run your Windows updates to help prevent being reinfected.

Internet Explorer / Tools (at top of screen) / Windows Update
Install all critical ones at least. After you reboot, recheck again, as there may be more!

Also see the link in my signature:

How did I get infected in the first place?

Here is some software that will help with prevention:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Spybot Search & Destroy in my signature is a good cleaner for adware and such.

Also, a good firewall if you do not have one, like ZoneAlarm in my signature, will help protect you and monitor what is accessing the internet.

Also an antivirus if you do not have one already: http://www.grisoft.c...s_dwnl_free.php

All free programs.



#60 ShellsPC (Full Member, 39 posts)

Posted 27 May 2004 - 08:13 AM

Shadowwar,

Thank you for helping me with this problem. I might actually gain some sanity back (OK, probably not). Since I have downloaded most of the spyware detector programs for attempting to fix this problem, I should be fairly guarded against future attacks.

Again, Thank You, Thank You, Thank You!!!!!! You are the best.

#61 shadowwar (Forum Deity, Global Moderator, 1,361 posts)

Posted 27 May 2004 - 08:14 AM

The ones in my tips will help prevent them installing.

Cheers.
