anas_adam

Help me with this about: blank

24 posts in this topic

Hi there, I have this problem with my home page, which is automatically set to about: blank, some kind of search page, also with a popup about some spyware software. I have removed it twice now, first time was the day before yesterday. It keeps coming back somehow. It's removable with adaware, and after I remove it, all is ok till next day when it comes back again. Before all this I had another spyware, the one with res:\... and a "random".dll in it. When this was removed I got this new cws thing. I would very much appreciate it if someone could help me. My logfile with hijackthis just in case:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 17:29:41, on 23-6-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

E:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3123D989-36E1-4A03-B349-6D6AB96EF61F} - C:\WINDOWS\System32\afnmib.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O9 - Extra button: Real.com (HKLM)

O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8139.1508101852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97


Download and install : "Beta-Fix.exe" from

the 'Find-all page' link in my signature.

 

Run the "!LOG!.bat" file, post the results.


Here it is:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 17:29:41, on 23-6-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

E:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3123D989-36E1-4A03-B349-6D6AB96EF61F} - C:\WINDOWS\System32\afnmib.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O9 - Extra button: Real.com (HKLM)

O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8139.1508101852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97


He asked for the output of the !LOG!.BAT file (the link in his sig), not another HijackThis output.

 

I seem to have the same 57344 byte randomly named file as several other posters so I'll just wait to see what solutions are posted. I should have guessed it was appinit as Sysinternals filemon is showing the non-listable/deletable file as being accessed by EVERY executable loaded.


Oops, sorry, wrong paste lol. This is the right one:

 

 

 

 

Microsoft Windows XP [versie 5.1.2600]

Het type bestandssysteem is NTFS.

C: bevat geen fouten.

 

wo 23-06-2004

11:14pm up 0 days, 7:38

»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»

Files listed in this section (in System32) are not always definitive!

Always Double Check and be sure the file pointed doesn't exist!

 

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINDOWS\System32\SQLG.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQLG.DLL +++ File read error

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»Special 'locked' files scan in 'System32'........

**File C:\Beta-Fix\LIST.TXT

SQLG.DLL Can't Open!

 

****Filtering files in System32... (-h -s -r...) ***

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\WINDOWS\SYSTEM32\

sqlg.dll Thu 17 Jun 2004 10:53:12 A...R 57.344 56,00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57.344 bytes 56,00 K

 

No matches found.

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\SQLG.DLL

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read INGEBOUWD\Gebruikers

(IO) ALLOW Read INGEBOUWD\Gebruikers

(NI) ALLOW Read INGEBOUWD\Hoofdgebruikers

(IO) ALLOW Read INGEBOUWD\Hoofdgebruikers

(NI) ALLOW Full access INGEBOUWD\Administrators

(IO) ALLOW Full access INGEBOUWD\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access INGEBOUWD\Administrators

(IO) ALLOW Full access MAKER EIGENAAR

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read INGEBOUWD\Gebruikers

Read INGEBOUWD\Hoofdgebruikers

Full access INGEBOUWD\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group SAAD-NCW81DES7W\Geen.

User is a member of group \Iedereen.

User is a member of group INGEBOUWD\Administrators.

User is a member of group INGEBOUWD\Gebruikers.

User is a member of group \LOKAAL.

User is a member of group NT AUTHORITY\INTERACTIEF.

User is a member of group NT AUTHORITY\Geverifieerde gebruikers.

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x SAAD-NCW81DES7W\Saab

Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR

Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers

Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers

Allow 00000002 tc-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

 

Owner: SAAD-NCW81DES7W\Saab

 

Primary Group: SAAD-NCW81DES7W\Geen

 

 

 

»»»»»»Backups created...»»»»»»

11:14pm up 0 days, 7:38

wo 23-06-2004

 

A C:\Beta-Fix\winBackup.hiv

--a-- - - - - - 8,192 06-23-2004 winbackup.hiv

A C:\Beta-Fix\keys1\winkey.reg

--a-- - - - - - 287 06-23-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLsÿÿÿÿÀÿÿÿC

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

Windows

UDeviceNotSelectedTimeout

GDIProcessHandleQuota,

Spoolerw

swapdisk

TransmissionRetryTimeout

USERProcessHandleQuota

AppInit

 

**File C:\Beta-Fix\WIN.TXT

Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 o£Þ— ° Ðÿÿÿvk €' GDIProcessHandleQuota,­2ðÿÿÿ9 0 èZ àÿÿÿvk X Spoolerwðÿÿÿy e s éÔ=pàÿÿÿvk € . swapdisk ° ø 8 h   Ðÿÿÿvk ( J TransmissionRetryTimeoutÐÿÿÿvk €' USERProcessHandleQuota àÿÿÿ° ø 8 h   Ð Øÿÿÿvk : H i AppInit_DLLsÿÿÿÿÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ s q l g . d l l C x

Edited by anas_adam
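
The !LOG!.bat output above shows the exported .reg text with an empty `AppInit_DLLs` while the raw hive bytes (WIN.TXT) carry a path to sqlg.dll. The comparison below is an added example, not part of the original thread and not the Beta-Fix tool's code; the function names are hypothetical, the byte strings are constructed to resemble the dump above, and it assumes the value data sits shortly after the ASCII value name, as it does in that dump.

```python
import re

VALUE_NAME = b"AppInit_DLLs"
# A printable ASCII byte followed by NUL, repeated: a UTF-16LE ("16bit") string.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
DLL_PATH = re.compile(r"[A-Za-z]:\\[^\"<>|?*]+?\.dll", re.I)


def reg_export_value(reg_text, name="AppInit_DLLs"):
    """Return the string a REGEDIT4 export shows for `name`, or None if absent."""
    m = re.search(rf'^"{re.escape(name)}"="(.*)"\s*$', reg_text, re.M)
    return m.group(1).replace("\\\\", "\\") if m else None


def raw_hive_paths(blob, window=256):
    """Heuristic string scan: DLL paths stored as UTF-16LE just after the value name."""
    paths = []
    for hit in re.finditer(re.escape(VALUE_NAME), blob):
        tail = blob[hit.end(): hit.end() + window]
        for run in UTF16_RUN.finditer(tail):
            paths += DLL_PATH.findall(run.group().decode("utf-16-le"))
    return paths


def hidden_appinit(reg_text, blob):
    """Paths present in the raw hive bytes but missing from the exported value."""
    exported = (reg_export_value(reg_text) or "").lower()
    return [p for p in raw_hive_paths(blob) if p.lower() not in exported]


# Constructed sample: the export as shown in the log (shortened to two values).
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
"AppInit_DLLs"=""
"""

# Constructed sample: bytes shaped like the WIN.TXT dump (value name, cell
# header bytes, then the UTF-16LE path).
INFECTED = (
    b"\xd8\xff\xff\xffvk\x0c\x00" + VALUE_NAME
    + b"\xff\xff\xff\xff\xc0\xff\xff\xff"
    + r"C:\WINDOWS\System32\sqlg.dll".encode("utf-16-le") + b"\x00\x00"
)

# Constructed sample: shaped like the later NEWWIN.TXT dump, no path after the name.
CLEANED = b"\xd8\xff\xff\xffvk\x0c\x00" + VALUE_NAME + b"\xff\xff\xff\xff\xb8\x00\x00\x00"

if __name__ == "__main__":
    for label, blob in (("before fix", INFECTED), ("after fix", CLEANED)):
        found = hidden_appinit(REG_EXPORT, blob)
        print(label, "->", found if found else "export and raw bytes agree")
```

A non-empty result means the export is not showing what the hive actually holds, which is the mismatch the helper's reply treats as positive identification.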


Well done!

Your bad file is positively identified on all counts!

This will take a couple or more steps to fix.

Be sure to Follow the next set of steps carefully, in

the exact order specified:

 

 

-Open the Beta-Fix\Keys1 Subfolder!

- Locate the "MOVEit.bat" file, Right-Click on it, select->edit:

The file will open as empty text file.

-Copy and paste the entire highlighted line in the following quote box

(all one line) into that blank 'MOVEit' file:

move %WinDir%\System32\SQLG.DLL %SystemDrive%\junkxxx\SQLG.DLL

 

-Save the file and close.

 

*Get ready to restart your computer:

-In the same folder, DoubleClick on the "FIX.bat" file.

You will be prompted by popup -Alert to restart in 15 seconds.

-Allow it to restart the computer!

 

-On restart, Navigate to:

C:\Beta-Fix\ main folder:

-DoubleClick on the "RESTORE.bat" file.

 

It'll run and produce new log. (log1.txt) post it here!


Skip this step and proceed with these steps, instead:

 

*Get ready to restart your computer:

-In the same folder, DoubleClick on the "FIX.bat" file.

You will be prompted by popup -Alert to restart in 15 seconds.

-Allow it to restart the computer!

 

-On restart,

Navigate to System32 folder, find the

"SQLG.DLL" file (as it should be visible now) highlight the file,

And use the folder's top menu:

Edit>move to folder...

Select the C:\junkxxx as destination.

Move the file and proceed to run the

C:\Beta-Fix\"RESTORE.bat" file!


OK done, what should I do now?? This is the log that came up when restore.bat finished:

 

 

 

do 24-06-2004

5:48pm up 0 days, 0:02

 

Microsoft Windows XP [versie 5.1.2600]

Het type bestandssysteem is NTFS.

C: bevat geen fouten.

 

*Locked files...

* result\\?\C:\junkxxx\SQLG.DLL

 

»»»Filtering files in System32.......( 'R;H;S') »»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

No matches found.

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

C:\JUNKXXX\

sqlg.dll Thu 17 Jun 2004 10:53:12 A...R 57.344 56,00 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 57.344 bytes 56,00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\JUNKXXX\SQLG.DLL

 

 

Search text: ÝSTREAMINGDEVICESETUP2Þ ®CASE Insensitive Match

Searching ==>C:\JUNKXXX\SQLG.DLL

Run Time(sec) 0

**File C:\JUNKXXX\SQLG.DLL

0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami

0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

 

 

-ra-- W32i - - - - 57,344 06-17-2004 sqlg.dll

A R C:\junkxxx\sqlg.dll

File: <C:\junkxxx\sqlg.dll>

 

CRC-32 : D5C9FB2E

 

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

 

 

 

 

»»Permissions:

C:\junkxxx\sqlg.dll INGEBOUWD\Administrators:F

NT AUTHORITY\SYSTEM:F

SAAD-NCW81DES7W\Saab:F

INGEBOUWD\Gebruikers:R

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x SAAD-NCW81DES7W\Saab

Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR

Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers

Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers

Allow 00000002 tc-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

 

Owner: SAAD-NCW81DES7W\Saab

 

Primary Group: SAAD-NCW81DES7W\Geen

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 0000000B -co- 10000000 ---A ---- ---- \MAKER EIGENAAR

Allow 00000003 tco- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers

Allow 00000002 tc-- 00000004 ---- ---- --+- INGEBOUWD\Gebruikers

Allow 0000000A -c-- 00000002 ---- ---- -w-- INGEBOUWD\Gebruikers

Allow 00000000 t--- 001200A9 ---- -S-- r--x \Iedereen

 

Owner: INGEBOUWD\Administrators

 

Primary Group: NT AUTHORITY\SYSTEM

 

File "C:\junkxxx\sqlg.dll"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000010 t--- 001F01FF ---- DSPO rw+x INGEBOUWD\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x SAAD-NCW81DES7W\Saab

Allow 00000010 t--- 001200A9 ---- -S-- r--x INGEBOUWD\Gebruikers

 

Owner: SAAD-NCW81DES7W\Saab

 

Primary Group: SAAD-NCW81DES7W\Geen

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read INGEBOUWD\Gebruikers

(IO) ALLOW Read INGEBOUWD\Gebruikers

(NI) ALLOW Read INGEBOUWD\Hoofdgebruikers

(IO) ALLOW Read INGEBOUWD\Hoofdgebruikers

(NI) ALLOW Full access INGEBOUWD\Administrators

(IO) ALLOW Full access INGEBOUWD\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access INGEBOUWD\Administrators

(IO) ALLOW Full access MAKER EIGENAAR

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read INGEBOUWD\Gebruikers

Read INGEBOUWD\Hoofdgebruikers

Full access INGEBOUWD\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

AppInit_DLLsÿÿÿÿÀÿÿÿC

 

---------- NEWWIN.TXT

AppInit_DLLsÿÿÿÿ¸

**File C:\Beta-Fix\NEWWIN.TXT

**File C:\Beta-Fix\NEWWIN.TXT

00001338: 01 00 00 00 01 00 7E 00 . 5F 44 4C 4C 73 FF FF FF ......~. _DLLsÿÿÿ

**File C:\Beta-Fix\NEWWIN.TXT

Ðÿÿÿvk à ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5 o£Þ— ° Ðÿÿÿvk €' GDIProcessHandleQuota,­2ðÿÿÿ9 0 èZ àÿÿÿvk X Spoolerwðÿÿÿy e s éÔ=pàÿÿÿvk € . swapdisk ° ø 8 h   Ðÿÿÿvk ( J TransmissionRetryTimeoutÐÿÿÿvk €' USERProcessHandleQuota àÿÿÿ° ø 8 h   Ð Øÿÿÿvk € ~ AppInit_DLLsÿÿÿÿ¸


Great progress! :thumbsup:

 

Last step(s):

 

 

-Open the Beta-Fix\Files2 Subfolder:

Run the -> "ZIPZAP.bat" file.

It will quickly clean the rest and

will make a copy of the bad file(s) in the same

folder (junkxxx.zip) and open your email client with instructions:

Simply drag and drop the 'junkxxx.zip' file from

the folder into the mail message and submit

to the specified addresses! Thanks!

 

When done, Delete the entire 'Beta-Fix' file+folder(s)

From C:\

 

 

As for the remains, run any and all

removal tools once again as they should work properly now!

In particular, CWShredder and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! :)

I somehow can't delete jeoidbaa.tmp from the files2 folder... Is that bad? What should I do???

That's a tmp file created by the tools!

 

Did you run the ZIPZAP file?

 

If so, restart your computer and delete the entire 'Beta-Fix' folder

which will--obviously--include its contents! :D


I know that it's created by the tools, but when I tried to delete the betafix folder, it couldn't delete entire folder because it couldn't delete this tmp file...

I know that it's created by the tools, but when I tried to delete the betafix folder, it couldn't delete entire folder because it couldn't delete this tmp file...

That's only because that file was still in use...

As that may be the case, restarting your

computer should--undoubtedly--resolve the puzzle. :D


This is my hijackthis log, please tell me if it's okay:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 18:50:30, on 24-6-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\logon.scr

C:\Program Files\Internet Explorer\IEXPLORE.EXE

E:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O9 - Extra button: Real.com (HKLM)

O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8139.1508101852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97


Glad we could help :D

 

 

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.

This topic is now closed to further replies.