Mark Z

Help fixing browser hijack-CWS variant?

7 posts in this topic

Can someone help me with this hijack? I've run Ad-Aware, Spybot and CWShredder. They remove everything, but once I reboot, my homepage goes back to about:blank. Casino Online will not let me manually delete it. Thanks for looking and any replies.

 

Mark Z

 

Logfile of HijackThis v1.97.7

Scan saved at 1:59:25 PM, on 6/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\Program Files\Ahead\InCD\InCD.exe

c:\MouseWare\system\em_exec.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\CasinoOnline\CsRemnd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Office\Office\Osa.exe

C:\Program Files\Microsoft Office\Office\Findfast.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\mspclnt\ISATRAY.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Microsoft Office\Office10\msoffice.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\WINDOWS\explorer.exe

C:\unzipped\hijackthis\HijackThis.exe

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ACCTSERVER:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {1C8CD524-E4CF-47AF-B82D-9922EA03BE0E} - C:\WINDOWS\System32\ncll.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {83C1C31C-F75C-4969-8BA6-E46D7AC204D8} - C:\WINDOWS\System32\jkphipa.dll (file missing)

O2 - BHO: (no name) - {A9D1321B-B3E0-4896-B207-AC4DCB6F4E6A} - C:\WINDOWS\System32\dmfmbcb.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [winmain] winmain.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: PowerReg SchedulerV2.exe

O4 - Global Startup: Acrobat Assistant.lnk = ?

O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\mspclnt\ISATRAY.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8135.3727199074

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRANES.LOCAL

O17 - HKLM\Software\..\Telephony: DomainName = CRANES.LOCAL

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRANES.LOCAL

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CRANES.LOCAL


You have a few issues there!

 

Restart computer in safe mode:

 

Run Task Manager and 'terminate' this, if active:

 

C:\Program Files\CasinoOnline\*CsRemnd.exe

 

Navigate to program files, delete entire 'CasinoOnline' folder!

 

Re-run hijackthis and fix checked:

 

*O2 - BHO: (no name) - {1C8CD524-E4CF-47AF-B82D-9922EA03BE0E} - C:\WINDOWS\System32\ncll.dll (file missing)

*O2 - BHO: (no name) - {83C1C31C-F75C-4969-8BA6-E46D7AC204D8} - C:\WINDOWS\System32\jkphipa.dll (file missing)

*O4 - HKLM\..\Run: [winmain] winmain.exe

*O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe

*O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

 

Search for "winmain.exe" virus and "version.exe", delete if found.

(*Don't confuse with version.dll which is legit windows file)

 

--Download and install: "Find-All.exe" file from any

of the 'Find-All' links in my signature.

 

Run the included "Find-All.Cmd" file, post the log!

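The triage the helper does by eye (the res:// search pages in the posted log, the "(file missing)" BHOs and the bare-filename Run entries in the fix list) can be written down as a checker. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log above, and the UNWANTED_FOLDERS list is an assumption built from the helper's fix list.

```python
"""Triage HijackThis 1.97 log lines for the CWS hijack indicators discussed in
the thread. Added example, not part of the thread or of HijackThis; sample lines
are copied from the posted log, UNWANTED_FOLDERS is taken from the fix list."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {1C8CD524-E4CF-47AF-B82D-9922EA03BE0E} - C:\WINDOWS\System32\ncll.dll (file missing)
O2 - BHO: (no name) - {A9D1321B-B3E0-4896-B207-AC4DCB6F4E6A} - C:\WINDOWS\System32\dmfmbcb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
SYSTEM32_MODULE = re.compile(r"\\system32\\[^\\]+\.(?:dll|exe)\b", re.IGNORECASE)
RUN_ENTRY = re.compile(r"HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.*)")
UNWANTED_FOLDERS = ("CasinoOnline",)   # assumption: taken from the helper's fix list


@dataclass
class Finding:
    kind: str       # HijackThis section, e.g. R1, O2, O4
    severity: str   # "high": fix it; "review": confirm the file before fixing
    reason: str
    line: str


def assess(kind: str, rest: str, line: str) -> Optional[Finding]:
    if kind in ("R0", "R1"):
        # CWS points the IE search/start pages at a res:// URL served from a DLL
        # it drops in System32; HijackThis tags such entries "(obfuscated)".
        if "res://" in rest.lower() and SYSTEM32_MODULE.search(rest):
            return Finding(kind, "high", "IE search/start page served via res:// from a DLL in System32", line)
        return None
    if kind == "O2":
        if "(file missing)" in rest:
            return Finding(kind, "review", "BHO registered for a DLL that no longer exists (leftover entry)", line)
        if rest.startswith("BHO: (no name)") and SYSTEM32_MODULE.search(rest):
            return Finding(kind, "high", "unnamed BHO loading a DLL from System32 (hijacker's own module)", line)
        return None
    if kind == "O4":
        m = RUN_ENTRY.match(rest)
        if not m:
            return None   # Global Startup shortcuts are not assessed here
        cmd = m.group("cmd").strip()
        if any(folder.lower() in cmd.lower() for folder in UNWANTED_FOLDERS):
            return Finding(kind, "high", "autorun for a program the thread identifies as unwanted", line)
        # Quoted paths may carry arguments after the closing quote.
        target = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        if "\\" not in target:
            return Finding(kind, "review", f"autorun by bare file name '{target}'; no path, so confirm which file actually runs", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the findings for every recognised line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            f = assess(m.group("kind"), m.group("rest"), raw.strip())
            if f:
                findings.append(f)
    return findings
```

Entries such as NeroCheck.exe and the Google toolbar BHO pass through unflagged, which is the point: the checker narrows the log to what needs a human decision rather than replacing that decision.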

Thanks for the quick reply. I hope I'm not sounding stupid, but how do I run taskmanager? Are you talking about ctrl+alt+delete and then the task manager button?

 

 

Thanks,

Mark


Did the HijackThis fix checked and searched for winmain.exe and version.exe, but neither were found. Here is my Find-All.cmd log:

 

 

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/01 @@@***==--

 

 

Wed Jun 09 15:55:30 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (07D1:0B1D) - FS:FAT clusters:16k

Total: 20 010 500 096 [19G] - Free: 3 466 706 944 [3.2G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google:

2.0.111.0 C:\Program Files\google\googletoolbar2.dll

-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar2.dll

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe

 

 

»»PC uptime:

3:55pm up 0 days, 0:02

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error

\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

312 SMSS.EXE

360 CSRSS.EXE Title:

392 WINLOGON.EXE Title: NetDDE Agent

440 SERVICES.EXE Svcs: Eventlog,PlugPlay

452 LSASS.EXE Svcs: Netlogon,PolicyAgent,ProtectedStorage,SamSs

720 SVCHOST.EXE Svcs: RpcSs

748 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,seclogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,WmdmPmSp,wuauserv,WZCSVC

820 SVCHOST.EXE Svcs: Dnscache

864 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

964 SPOOLSV.EXE Svcs: Spooler

1144 MCVSRTE.EXE Svcs: MCVSRte

1364 McShield.exe Svcs: McShield

1744 EXPLORER.EXE Title: Program Manager

2008 EM_EXEC.EXE Title: Logitech GetMessage Hook

156 InCD.exe Title: InCD

352 MCVSSHLD.EXE Title: ##VSO###MCVSSHLD##

468 McVSEscn.exe Title: ESCAN_05C7FDBC-A2CA-44ec-A1A2-2098B7DE92B8

488 MCAGENT.EXE Title: McAgent_Main_Hidden_Window

1108 QTTASK.EXE Title: QTPlayer Tray Icon

1160 MSMSGS.EXE Title:

1228 OSA.EXE Title: Reminder

1520 FINDFAST.EXE Title:

1576 AcroTray.exe Title: AcrobatTrayIcon

1604 ISATRAY.EXE Title: IsaTray

1696 OUTLOOK.EXE Title: Inbox - Microsoft Outlook

524 WZQKPICK.EXE Title: About WinZip Quick Pick

1792 MSOFFICE.EXE Title:

1876 MCVSFTSN.EXE Title:

2320 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe

2380 NTVDM.EXE

2616 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9D1321B-B3E0-4896-B207-AC4DCB6F4E6A}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{17B01C48-5F2B-4AAD-9BBA-282B7E10F157}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{17B01C48-5F2B-4AAD-9BBA-282B7E10F157}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Defaults *450)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [CRANES\MarkZakowski], is a member of:

 

BUILTIN\Account Operators

CRANES\BackOffice Fax Operators

CRANES\BackOffice Folder Operators

CRANES\BackOffice Internet Users

CRANES\BackOffice Mail Operators

CRANES\BackOffice Remote Operators

CRANES\Domain Users

\Everyone

BUILTIN\Print Operators

BUILTIN\Server Operators

 

User is a member of group CRANES\Domain Users.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group CRANES\BackOffice Fax Operators.

User is a member of group CRANES\BackOffice Mail Operators.

User is a member of group CRANES\BackOffice Folder Operators.

User is a member of group CRANES\BackOffice Remote Operators.

User is a member of group CRANES\BackOffice Internet Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx No permissions are set. All user have full control.

ERROR: There are no more files.

 

 

»»Contents of file(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Wed Jun 09 15:55:46 2004 -- ++Find-All backups created:

A C:\Find-All\Find-All\winBackup.hiv

A C:\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


Hello there!

 

Can you elaborate a bit on your current account settings?

»»Group/user settings:

 

 

User: [CRANES\MarkZakowski], is a member of:

 

BUILTIN\Account Operators

CRANES\BackOffice Fax Operators

CRANES\BackOffice Folder Operators

CRANES\BackOffice Internet Users

CRANES\BackOffice Mail Operators

CRANES\BackOffice Remote Operators

CRANES\Domain Users

\Everyone

BUILTIN\Print Operators

BUILTIN\Server Operators

 

Since you are not listed in that section

as 'Administrator', we may not be able to proceed!

 

Find this backup file:

C:\FindallwinBackup.hiv

Right-click and post its exact size!

 

Because you are running:

 

>>C: "" (07D1:0B1D) - FS:FAT clusters:16k

Fat32 file system, I recommend following these steps instead:

 

http://www.spywareinfoforum.com/index.php?sh...=15entry19538

 

The command to rename the file in your case should be substituted as:

 

ren RESM.DLL RESM.old

 

as you can see... easy as a pie...

http://www.spywareinfoforum.com/index.php?ac...indpost&p=19949 :D


This is my computer at work. I log onto our work server so that I can access AutoCAD drawings, Access databases and e-mail to other co-workers. I'm kind of a computer idiot since I really only use AutoCAD and enter data in Access. I'm not sure what you really need to know.

 

 

C:\FindallwinBackup.hiv is 8.00 KB (8,192 bytes)

 

 

I'm not sure what you meant by the following:

Because you are running:

 

>>C: "" (07D1:0B1D) - FS:FAT clusters:16k

Fat32 file system, I recommend following these steps instead:

 

http://www.spywareinfoforum.com/index.php?sh...=15entry19538

 

The command to rename the file in your case should be substituted as:

 

ren RESM.DLL RESM.old

 

as you can see... easy as a pie...

http://www.spywareinfoforum.com/index.php?ac...indpost&p=19949


Fixing this with backup operator status is a bit doubtful!

 

What I meant is simple and all included in the links...

 

If you are running a work box, renaming

regedit keys (in order to get rid of the file)

may not be successful.

 

Your PC is formatted as FAT32, therefore you can

use the same easy ol' method to delete/rename files as users of Win98!

e.g. DOS! :D

 

It's easy enough and doesn't require extra computer engineering skills!

To navigate from A:\> type:

c:

type

cd windows

type:

cd system32

In order to rename the file, type:

ren RESIMHA.DLL RESIMHA.old

 

Restart the system via Ctrl-Alt-Delete, delete the RESIMHA.old.

Followed the instructions

Easy as pie with the 98 boot disk. :D

File is deleted :!:

 

 

All you have to do is...

go here:

http://bootdisk.com/bootdisk.htm

 

Make a startup disk.

>>Win98 is highly recommended.<<

 

Your bad file is identified on the 'Find-All' log:

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error

\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error

 

 

You can boot the system and try renaming the file via

console commands in the win98 boot disk:

However, you do have to be a bit

familiar with prompts.

 

To navigate from A:\> type:

c:

type

cd windows

type:

cd system32

In order to rename the file, type:

ren RESM.DLL RESM.old

 

Restart the system via Ctrl-Alt-Delete, delete the RESM.DLL

 

When done, open the registry from start/run/regedit

Expand:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

DoubleClick on

"AppInit_DLLs"="" on the right pane, and erase the data.

(C:\WINDOWS\System32\RESM.DLL )

 

You will not see the data or the file until the file is gone (renamed)...

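The helper's last post ties the locked RESM.DLL from the Find-All log to the AppInit_DLLs value of the Windows key, whose export in the same log reads empty. As an added example (not code from the thread or from Find-All), this parser reads the "Locked or 'Suspect' file(s)" section and the REGEDIT4 export from a constructed excerpt of the posted log and reports how the two relate:

```python
"""Correlate the "Locked or 'Suspect' file(s)" section of a Find-All report with
the AppInit_DLLs value it exports from the Windows key. Added example, not part
of the thread or of Find-All; the report below is a constructed excerpt of the
posted log."""
import re
from typing import Dict, List

SAMPLE_REPORT = r"""
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error

»»Tasks (services):
0 System Process
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"""

WINDOWS_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"
# Find-All prints locked paths in the \\?\ extended-length form followed by the error.
LOCKED_RE = re.compile(r"^\\\\\?\\(?P<path>.+?) \+\+\+ ", re.MULTILINE)
VALUE_RE = re.compile(r'"(?P<name>[^"]+)"=(?P<data>.*)')


def locked_files(report: str) -> List[str]:
    """Unique locked/suspect paths, in the order Find-All listed them."""
    paths: List[str] = []
    for m in LOCKED_RE.finditer(report):
        if m.group("path").lower() not in [p.lower() for p in paths]:
            paths.append(m.group("path"))
    return paths


def reg_values(report: str, key: str) -> Dict[str, str]:
    """Values of one key from the REGEDIT4 blocks embedded in the report."""
    values: Dict[str, str] = {}
    inside = False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line.lower() == key.lower()   # a key header starts a block
        elif inside and line == "":
            inside = False                         # a blank line closes it
        elif inside:
            m = VALUE_RE.match(line)
            if m:
                values[m.group("name")] = m.group("data").strip('"')
    return values


def assess(report: str) -> List[str]:
    """Explain each locked System32 DLL in terms of the exported AppInit_DLLs data."""
    appinit = reg_values(report, WINDOWS_KEY).get("AppInit_DLLs", "")
    notes: List[str] = []
    for path in locked_files(report):
        if not (path.lower().endswith(".dll") and "\\system32\\" in path.lower()):
            continue
        if appinit and path.split("\\")[-1].lower() in appinit.lower():
            notes.append(f"{path}: loaded into every process that maps user32.dll via AppInit_DLLs")
        else:
            # The thread's case: the DLL is locked yet the exported value reads "";
            # the helper notes the data only shows once the file is renamed offline.
            notes.append(f"{path}: locked while AppInit_DLLs exports empty; re-read the key after renaming the file offline")
    return notes
```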