Help fixing browser hijack-CWS variant?


6 replies to this topic

#1 Mark Z (Full Member, 9 posts)

Posted 09 June 2004 - 01:58 PM

Can someone help me with this hijack? I've run Ad-Aware, Spybot and CWShredder. They remove everything, but once I reboot, my homepage goes back to about:blank. Casino Online will not let me manually delete it. Thanks for looking and any replies.

Mark Z

Logfile of HijackThis v1.97.7
Scan saved at 1:59:25 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Ahead\InCD\InCD.exe
c:\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\mspclnt\ISATRAY.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\explorer.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ACCTSERVER:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1C8CD524-E4CF-47AF-B82D-9922EA03BE0E} - C:\WINDOWS\System32\ncll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {83C1C31C-F75C-4969-8BA6-E46D7AC204D8} - C:\WINDOWS\System32\jkphipa.dll (file missing)
O2 - BHO: (no name) - {A9D1321B-B3E0-4896-B207-AC4DCB6F4E6A} - C:\WINDOWS\System32\dmfmbcb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = ?
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\mspclnt\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8135.3727199074
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRANES.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = CRANES.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRANES.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CRANES.LOCAL

#2 freeatlast (Retired Staff, 833 posts)

Posted 09 June 2004 - 02:08 PM

You have a few issues there!

Restart computer in safe mode:

Run Task Manager and terminate this, if active:

C:\Program Files\CasinoOnline\*CsRemnd.exe

Navigate to program files, delete entire 'CasinoOnline' folder!

Re-run hijackthis and fix checked:

*O2 - BHO: (no name) - {1C8CD524-E4CF-47AF-B82D-9922EA03BE0E} - C:\WINDOWS\System32\ncll.dll (file missing)
*O2 - BHO: (no name) - {83C1C31C-F75C-4969-8BA6-E46D7AC204D8} - C:\WINDOWS\System32\jkphipa.dll (file missing)
*O4 - HKLM\..\Run: [winmain] winmain.exe
*O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
*O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

Search for "winmain.exe" virus and "version.exe", delete if found.
(*Don't confuse it with version.dll, which is a legitimate Windows file.)

--Download and install the "Find-All.exe" file from any
of the 'Find-All' links in my signature.

Run the included "Find-All.Cmd" file, post the log!
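
The fix list above is built by reading the HijackThis log in post #1 line by line and applying a few structural rules: an R0/R1 search or start page served from a res:// page inside a DLL in System32, an O2 BHO whose file is "(file missing)" or whose DLL is the same one serving those pages, and an O4 Run entry that either starts a program by bare name or drops an .exe in System32 under a system library's name (version.exe beside version.dll). The script below is an added example, not code from the forum or from freeatlast; it encodes those rules over a constructed sample taken from the log in post #1. The SYSTEM_DLL_STEMS list, the severity labels and the function names are my assumptions. Knowing that CasinoOnline and winmain.exe are adware is analyst knowledge, not something the log's structure gives away, so the script only marks bare-name entries for review.

```python
"""HijackThis log triage: the structural rules behind the fix list in post #2 (added example)."""
import re

# Constructed sample: lines copied from the HijackThis log in post #1 (trimmed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dmfmbcb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1C8CD524-E4CF-47AF-B82D-9922EA03BE0E} - C:\WINDOWS\System32\ncll.dll (file missing)
O2 - BHO: (no name) - {A9D1321B-B3E0-4896-B207-AC4DCB6F4E6A} - C:\WINDOWS\System32\dmfmbcb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RES_RE = re.compile(r"res://(?P<dll>[^/\s]+\.(?:dll|ocx))/", re.IGNORECASE)
O2_RE = re.compile(r"^BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")

# Stems of core Windows DLLs that a look-alike .exe dropped in System32 would shadow
# (version.exe beside version.dll, as post #2 warns). Constructed, deliberately short.
SYSTEM_DLL_STEMS = {"version", "kernel32", "user32", "advapi32", "ntdll", "shell32"}


def _basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path):
    return "\\system32\\" in path.lower()


def _executable(cmd):
    """First token of a Run command: the quoted path, or the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, severity, reason, line) tuples; severity is 'fix' or 'review'."""
    entries = [(m["section"], m["body"], m.group(0)) for m in
               (LINE_RE.match(line.strip()) for line in log_text.splitlines()) if m]
    findings, hijack_dlls = [], set()

    # Pass 1: R0/R1 search and start pages served out of a local DLL via res://.
    for section, body, raw in entries:
        r = RES_RE.search(body) if section in ("R0", "R1") else None
        if r and _in_system32(r["dll"]):
            hijack_dlls.add(_basename(r["dll"]))
            findings.append((section, "fix", f"page served from local DLL {_basename(r['dll'])}", raw))

    # Pass 2: O2 BHOs and O4 Run entries, judged against what pass 1 learned.
    for section, body, raw in entries:
        if section == "O2" and (o := O2_RE.match(body)):
            base = _basename(o["path"])
            if o["missing"]:
                findings.append((section, "fix", "BHO points at a DLL that no longer exists (stale remnant)", raw))
            elif base in hijack_dlls:
                findings.append((section, "fix", f"BHO loads {base}, the DLL serving the hijacked pages", raw))
        elif section == "O4" and (o := O4_RE.match(body)):
            exe = _executable(o["cmd"])
            base = _basename(exe)
            stem = base.rsplit(".", 1)[0]
            if "\\" not in exe:
                findings.append((section, "review", f"{base} starts by bare name; locate it on disk first", raw))
            elif _in_system32(exe) and stem in SYSTEM_DLL_STEMS:
                findings.append((section, "fix", f"{base} in System32 borrows the name of {stem}.dll", raw))
    return findings


def fix_list(log_text):
    """Log lines to tick in HijackThis, in log order, without duplicates."""
    return list(dict.fromkeys(line for _, sev, _, line in triage(log_text) if sev == "fix"))


if __name__ == "__main__":
    for section, severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {reason}\n    {line}")
```

Run it on a full log and the "fix" lines are the ones to tick; the "review" lines still need a human to find the file and decide. The Adobe and Google BHOs fall through untouched because nothing ties them to the hijacked pages, which is the same reasoning that kept them off the list above.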

#3 Mark Z (Full Member, 9 posts)

Posted 09 June 2004 - 02:18 PM

Thanks for the quick reply. I hope I'm not sounding stupid, but how do I run taskmanager? Are you talking about ctrl+alt+delete and then the task manager button?


Thanks,
Mark

#4 Mark Z (Full Member, 9 posts)

Posted 09 June 2004 - 03:51 PM

Did the HijackThis fix checked and searched for winmain.exe and version.exe, but neither was found. Here is my Find-All.cmd log:


--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/01 @@@***==--


Wed Jun 09 15:55:30 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (07D1:0B1D) - FS:FAT clusters:16k
Total: 20 010 500 096 [19G] - Free: 3 466 706 944 [3.2G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google:
2.0.111.0 C:\Program Files\google\googletoolbar2.dll
-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-04-2004 googletoolbar2.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
3:55pm up 0 days, 0:02

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
312 SMSS.EXE
360 CSRSS.EXE Title:
392 WINLOGON.EXE Title: NetDDE Agent
440 SERVICES.EXE Svcs: Eventlog,PlugPlay
452 LSASS.EXE Svcs: Netlogon,PolicyAgent,ProtectedStorage,SamSs
720 SVCHOST.EXE Svcs: RpcSs
748 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,seclogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,WmdmPmSp,wuauserv,WZCSVC
820 SVCHOST.EXE Svcs: Dnscache
864 SVCHOST.EXE Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
964 SPOOLSV.EXE Svcs: Spooler
1144 MCVSRTE.EXE Svcs: MCVSRte
1364 McShield.exe Svcs: McShield
1744 EXPLORER.EXE Title: Program Manager
2008 EM_EXEC.EXE Title: Logitech GetMessage Hook
156 InCD.exe Title: InCD
352 MCVSSHLD.EXE Title: ##VSO###MCVSSHLD##
468 McVSEscn.exe Title: ESCAN_05C7FDBC-A2CA-44ec-A1A2-2098B7DE92B8
488 MCAGENT.EXE Title: McAgent_Main_Hidden_Window
1108 QTTASK.EXE Title: QTPlayer Tray Icon
1160 MSMSGS.EXE Title:
1228 OSA.EXE Title: Reminder
1520 FINDFAST.EXE Title:
1576 AcroTray.exe Title: AcrobatTrayIcon
1604 ISATRAY.EXE Title: IsaTray
1696 OUTLOOK.EXE Title: Inbox - Microsoft Outlook
524 WZQKPICK.EXE Title: About WinZip Quick Pick
1792 MSOFFICE.EXE Title:
1876 MCVSFTSN.EXE Title:
2320 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
2380 NTVDM.EXE
2616 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9D1321B-B3E0-4896-B207-AC4DCB6F4E6A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{17B01C48-5F2B-4AAD-9BBA-282B7E10F157}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{17B01C48-5F2B-4AAD-9BBA-282B7E10F157}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Defaults *450)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [CRANES\MarkZakowski], is a member of:

BUILTIN\Account Operators
CRANES\BackOffice Fax Operators
CRANES\BackOffice Folder Operators
CRANES\BackOffice Internet Users
CRANES\BackOffice Mail Operators
CRANES\BackOffice Remote Operators
CRANES\Domain Users
\Everyone
BUILTIN\Print Operators
BUILTIN\Server Operators

User is a member of group CRANES\Domain Users.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group CRANES\BackOffice Fax Operators.
User is a member of group CRANES\BackOffice Mail Operators.
User is a member of group CRANES\BackOffice Folder Operators.
User is a member of group CRANES\BackOffice Remote Operators.
User is a member of group CRANES\BackOffice Internet Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.


»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Wed Jun 09 15:55:46 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#5 freeatlast (Retired Staff, 833 posts)

Posted 09 June 2004 - 04:08 PM

Hello there!

Can you elaborate a bit on your current account settings?

»»Group/user settings:


User: [CRANES\MarkZakowski], is a member of:

BUILTIN\Account Operators
CRANES\BackOffice Fax Operators
CRANES\BackOffice Folder Operators
CRANES\BackOffice Internet Users
CRANES\BackOffice Mail Operators
CRANES\BackOffice Remote Operators
CRANES\Domain Users
\Everyone
BUILTIN\Print Operators
BUILTIN\Server Operators


Since you are not listed in that section
as 'Administrator', we may not be able to proceed!

Find this backup file:
C:\FindallwinBackup.hiv
Right-click and post its exact size!

Because you are running:

>>C: "" (07D1:0B1D) - FS:FAT clusters:16k
Fat32 file system, I recommend following these steps instead:

http://www.spywarein...=15

The command to rename the file in your case should be substituted as:

ren RESM.DLL RESM.old

as you can see... easy as pie...
http://www.spywarein...indpost&p=19949 :D

#6 Mark Z (Full Member, 9 posts)

Posted 09 June 2004 - 04:31 PM

This is my computer at work. I log onto our work server so that I can access AutoCAD drawings, access databases and e-mail to other co-workers. I'm kind of a computer idiot since I really only use AutoCAD and enter data in Access. I'm not sure what you really need to know.


C:\FindallwinBackup.hiv is 8.00 KB (8,192 bytes)


I'm not sure what you meant by the following:

> Because you are running:
>
> >>C: "" (07D1:0B1D) - FS:FAT clusters:16k
> Fat32 file system, I recommend following these steps instead:
>
> http://www.spywarein...=15
>
> The command to rename the file in your case should be substituted as:
>
> ren RESM.DLL RESM.old
>
> as you can see... easy as pie...
> http://www.spywarein...indpost&p=19949

#7 freeatlast (Retired Staff, 833 posts)

Posted 09 June 2004 - 04:57 PM

> This is my computer at work. I log onto our work server so
> that I can access AutoCAD drawings, access databases
> and e-mail to other co-workers.
> I'm kind of a computer idiot since I really only
> use AutoCAD and enter data in Access.
>
> I'm not sure what you really need to know.
>
> C:\FindallwinBackup.hiv is 8.00 KB (8,192 bytes)
>
> I'm not sure what you meant by the following:
> Because you are running:
>
> >>C: "" (07D1:0B1D) - FS:FAT clusters:16k
> Fat32 file system, I recommend following these steps instead:
>
> http://www.spywarein...=15
>
> The command to rename the file in your case should be substituted as:
>
> ren RESM.DLL RESM.old
>
> as you can see... easy as pie...
> http://www.spywarein...indpost&p=19949
Fixing this with backup operator status is a bit doubtful!

What I meant is simple and all included in the links...

If you are running a work box, renaming
regedit keys (in order to get rid of the file)
may not be successful.

Your PC is formatted as FAT32, therefore you can
use the same easy ol' method to delete/rename files as users of Win98,
e.g. DOS! :D

It's easy enough and doesn't require extra computer engineering skills!

To navigate from A:\> type:
c:
type
cd windows
type:
cd system32
In order to rename the file, type:
ren RESIMHA.DLL RESIMHA.old

Restart the system via Ctrl-Alt-Delete, delete the RESIMHA.old.

Followed the instructions
Easy as pie with the 98 boot disk. :D
File is deleted :!:


All you have to do is...
go here:
http://bootdisk.com/bootdisk.htm

Make a startup disk.
>>Win98 is highly recommended.<<

Your bad file is identified on the 'Find-All' log:
»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESM.DLL +++ File read error


You can boot the system and try renaming the file via
console commands from the Win98 boot disk.
However, you do have to be a bit familiar with prompts.

To navigate from A:\> type:
c:
type
cd windows
type:
cd system32
In order to rename the file, type:
ren RESM.DLL RESM.old

Restart the system via Ctrl-Alt-Delete, delete the RESM.DLL

When done, open the registry from Start / Run / regedit.
Expand:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double-click "AppInit_DLLs" in the right pane, and erase the data
(C:\WINDOWS\System32\RESM.DLL).

You will not see the data or the file until the file is gone (renamed)...
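
The fix in post #7 has two halves for a reason. A value in AppInit_DLLs is mapped by user32.dll into every process that loads it, Explorer included, so the file is always in use and Windows will refuse to delete or rename it from inside a session; that is why Find-All reported RESM.DLL as locked and why the rename has to happen from the boot disk. Only afterwards can the registry value be cleared. The script below is an added example, not freeatlast's tool or the Find-All code: it reads the REGEDIT4 export format Find-All printed in post #4, decodes the string, dword and hex(N) encodings regedit uses, and lists the DLLs AppInit_DLLs would inject. EXPORT_CLEAN is the block from post #4 verbatim; EXPORT_INFECTED, the _hex2 helper and the function names are constructed for the example, with the path taken from post #7 and written as a wrapped hex(2) REG_EXPAND_SZ, the form a populated value takes in an export.

```python
"""REGEDIT4 export reader: what AppInit_DLLs in the Windows key names (added example)."""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# The block exactly as Find-All printed it in post #4: the value reads as empty.
EXPORT_CLEAN = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""


def _hex2(s):
    """Encode a string the way regedit exports a REG_EXPAND_SZ: hex(2) UTF-16LE bytes,
    comma separated, wrapped onto continuation lines with trailing backslashes."""
    parts = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    rows = [",".join(parts[i:i + 16]) for i in range(0, len(parts), 16)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed: the same key, but AppInit_DLLs carries the path from post #7.
EXPORT_INFECTED = EXPORT_CLEAN.replace(
    '"AppInit_DLLs"=""', '"AppInit_DLLs"=' + _hex2(r"C:\WINDOWS\System32\RESM.DLL"))


def _decode(data):
    """Turn one exported value into str, int or bytes."""
    if data.startswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$", data)
    if m:
        raw = bytes.fromhex(m["bytes"].replace(",", ""))
        kind = int(m["type"] or "3", 16)        # bare "hex:" is REG_BINARY (type 3)
        if kind in (1, 2, 7):                   # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 / Registry Editor 5 export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)   # rejoin wrapped hex data lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode(data)
    return keys


def appinit_dlls(export_text):
    """DLL paths that AppInit_DLLs would inject into every process loading user32.dll.
    Separators are spaces or commas; a blank value gives []."""
    keys = parse_reg_export(export_text)
    values = next((v for k, v in keys.items() if k.lower() == WINDOWS_KEY.lower()), {})
    value = values.get("AppInit_DLLs", "")
    if isinstance(value, bytes):                # unexpected type: show it rather than hide it
        value = value.decode("latin-1")
    return [p for p in re.split(r"[ ,]+", value.strip("\x00 ")) if p]


if __name__ == "__main__":
    for label, export in (("clean", EXPORT_CLEAN), ("infected", EXPORT_INFECTED)):
        print(label, "->", appinit_dlls(export) or "AppInit_DLLs is empty")
```

After the rename from the boot disk and the edit in regedit, export the key again and run it through appinit_dlls(); the list should come back empty. Decoding the hex(2) form matters because a value exported that way is easy to skim past in a text log, whereas the decoded path is what you actually go looking for on disk.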



