
about:blank removal


This topic is locked
18 replies to this topic

#1 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 05:29 PM

Should I follow these instructions for removal?
Thanks.

Updated Solution: people were having problems deleting the .dll file from Safe Mode / Command Prompt Only.
Download reglite.
Install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs into the address bar.
Double-click on AppInit_DLLs to open a "Data Editor" properties window; if the bottom text field named "Value" contains a .dll file, then this is the hidden file you need to get rid of.
You should not be able to delete this file if you try to clear the value field. IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
Rename the folder "Windows" (this is a purple "highlighted" folder in the left-hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
Click AppInit_DLLs again, clear the value containing the .dll and OK it. This should have removed the .dll.
Rename the Windows folder back to its original name "Windows".
Run SpyBot, Ad-Aware and CWShredder.
Check the following three links for instructions on downloading and running the applications listed:
How to use Spybot to remove Spyware
How to use Ad-Aware to remove Spyware
How to Remove CoolWebSearch with CoolWeb Shredder
The next step will be to remove this dll file, so make sure you have it noted down.
Step 1
Download KillBox.
Unzip and start the application.
Paste in the dir <path and name of dll as found in the appinit value box>, i.e. C:\Windows\System32\nameofdll.dll
Menu: select Action -> Delete on Reboot
Select File -> Add file <it should add the path automatically>
<Same window> Select Action -> Process and Reboot
If Step 1 didn't work:
Step 2
Click "Start" => "Run", type in "cmd" (without the quotation marks) and click on "Okay".
This will open a command window. I will assume you have a basic knowledge of DOS; if you have any problems at this point just write back and I will outline the commands.
Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
Go to the system32 folder (this is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
Carry out Step 1 again.
Restart your computer in Safe Mode.
Open a cmd window again as before.
Type dir <path and name of dll as found in the appinit value box> and locate the dll name; the dll should now have been removed and will not be listed.
While in Safe Mode (How do I boot into "Safe" mode?), run the 3 ad-removal programs again, just to make sure all traces are gone.
Boot up the PC as normal and you should be trouble free.



#2 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 05:42 PM

How should we know? :mellow:
- Which OS are you using?
- Were you able to identify the file in reglite?
It won't always show there, depending on the current variant(s).
Some of the info is outdated.

*If you are using Win2K/XP only:
Do this:
Download 'Find-All.zip' from:
http://www10.brinkst...last/pvtool.htm

Unzip it first!
Double-click on the "Find-All.bat" file inside, follow the instructions, wait for the scan to complete and post the log!

#3 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 05:55 PM

I am running WIN2K.
The file is C:\WINNT\system32\respo.dll
I used reglite to remove it.

Here is the Find-All log.
What should I do next?
Thanks.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--


Wed May 19 17:51:23 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "Main" (B0E1:863A) - FS:NTFS clusters:4k
Total: 103 811 223 552 [97G] - Free: 97 153 716 224 [90G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q828750;Q330994;Q832894;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
5:51pm up 0 days, 1:29

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
1600fc 2064 high Windows Task Manager
905f2 1068 norm SysFader
4003c 1068 norm _Shell_TrayWnd
804bc 948 norm SysFader
20072 320 norm LWBZoomWnd
20070 320 norm LWBSMARTWND
10016 228 high NetDDE Agent
d065e 2068 norm C:\WINNT\system32\cmd.exe
20462 948 norm WebMail - Main: 258/75 - Microsoft Internet Explorer
20198 1540 norm America Online
e0248 1068 norm Timer
4054c 1812 norm MCI command handling window
5038a 1812 norm DDE Server Window
20676 1068 norm MCI command handling window
204a8 948 norm MCI command handling window
1049a 948 norm DDE Server Window
10222 1540 norm Xprt Message Window
20194 1540 norm AXTimer
2018a 1532 norm shellmon
2019c 1540 norm DDE Server Window
1017a 1244 norm NetscapeDispatchWnd
10178 1244 norm DDE Server Window
50174 1244 norm Mozilla:DNSWindow
10158 1484 norm hp psc 1200 series - Status
10148 1220 norm Roxio Easy CD & DVD Creator Home
300e2 1052 norm AVG Control Center - FREE Edition
2007c 1244 norm XPCOM:EventReceiver
20074 1372 norm PlayListMonitorWnd
20096 1000 norm RxMonSysTrayWnd
300c2 1260 norm AiODeeDeeNotificationWindow
300ac 1100 norm Drag-to-Disc Disc Preparation
50114 1100 norm Drag-to-Disc
400fa 1100 norm DrgToDsc
200c4 1284 norm About WinZip Quick Pick
2005a 320 norm Mouse32AForm
3004e 320 norm Mouse32a
20054 1056 norm QTPlayer Tray Icon
2004a 1068 norm CSC Notifications Window
2011a 1068 norm Power Meter
60118 1068 norm Connections Tray
3002e 1068 norm MS_WebcheckMonitor
20110 1068 norm DDE Server Window
10028 620 norm NVSVCPMMWindowClass
10026 712 norm SYSTEM AGENT COM WINDOW
1001a 228 high MM Notify Callback
20116 1000 norm ECDInvisibleWindow
20170 1484 norm Task Status
10472 948 norm SysFader
30688 1068 norm SysFader
c0240 1812 norm SysFader
a0602 1068 norm Find-All
13026e 948 norm SWI Forums -> about:blank removal - Microsoft Internet Explorer
140246 1812 norm Chase - Microsoft Internet Explorer
107dc 1936 norm Data Editor
107d4 1936 norm Select a registry key...
307b2 1936 norm Key Properties
207b6 1936 norm About Registrar Lite
20794 1936 norm ProgressForm
3075c 1936 norm Registrar Lite - http://www.resplendence.com
107e4 1936 norm Bookmarks
107d0 1936 norm Replace
207b4 1936 norm Performing Backup
307ac 1936 norm Undo
40780 1936 norm System Info and Action Log
20792 1936 norm Get more features !
207a2 1936 norm Search
30788 1936 norm Options
4078e 1936 norm Registrar
200f0 1068 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{302D217E-C266-4001-AAD5-09A6E199BD91}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{420BBEB3-B279-42E7-B037-04975848D30B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{810FA8C4-7CD3-4B97-BD6E-748909484970}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E7F39E5-D27C-496F-8F6C-3BD17D027BC2}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#4 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 06:08 PM

Do you see this section in your log?

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error

That means the file is still loaded!

Follow these steps exactly as described:

***Step 1***
- Run reglite.exe: type
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.

- Rename the folder Windows to NotWindows (highlighted as a purple folder in the left-hand pane of reglite).

- Double-click the "AppInit_DLLs" value in the right pane, and clear the data value:
C:\WINNT\System32\RESPO.DLL <- delete this line,
'Apply' and 'OK' to set.

- Rename the NotWindows folder back to its original name Windows.

- Restart the computer.

Search for this file and make sure it's visible:
C:\WINNT\System32\RESPO.DLL <-

Try to delete it; you are likely to get access denied!

Post back with all details and another run of 'Find-All.bat'.

#5 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 06:30 PM

There is no value in AppInit_DLLs for me to clear now.
What do I do now?
Thanks for the help.


--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--


Wed May 19 18:27:23 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "Main" (B0E1:863A) - FS:NTFS clusters:4k
Total: 103 811 223 552 [97G] - Free: 97 155 387 392 [90G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q828750;Q330994;Q832894;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
6:27pm up 0 days, 0:12

*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
20038 948 norm _Shell_TrayWnd
20460 948 norm SysFader
30438 948 norm SysFader
104e4 948 norm SysFader
3026a 948 norm SysFader
1008e 1096 norm LWBZoomWnd
1008c 1096 norm LWBSMARTWND
10016 228 high NetDDE Agent
5046c 1596 norm C:\WINNT\system32\cmd.exe
303a6 948 norm Timer
302d8 1564 norm MCI command handling window
30246 1564 norm DDE Server Window
1025a 948 norm MCI command handling window
1019e 872 norm AXTimer
20190 1480 norm shellmon
301d6 872 norm Xprt Message Window
2018a 872 norm DDE Server Window
10176 1176 norm NetscapeDispatchWnd
10174 1176 norm DDE Server Window
50170 1176 norm Mozilla:DNSWindow
10154 876 norm hp psc 1200 series - Status
10136 1116 norm Roxio Easy CD & DVD Creator Home
200fe 1140 norm AVG Control Center - FREE Edition
100e2 1300 norm About WinZip Quick Pick
100e0 1176 norm XPCOM:EventReceiver
2007e 1272 norm AiODeeDeeNotificationWindow
100ca 1236 norm PlayListMonitorWnd
100aa 576 norm Drag-to-Disc Disc Preparation
2009a 576 norm Drag-to-Disc
10094 576 norm DrgToDsc
100c4 1108 norm RxMonSysTrayWnd
10098 1160 norm QTPlayer Tray Icon
10088 1096 norm Mouse32AForm
10084 1096 norm Mouse32a
1007c 948 norm CSC Notifications Window
10072 948 norm Power Meter
1006e 948 norm Connections Tray
1006c 948 norm MS_WebcheckMonitor
2003c 948 norm DDE Server Window
10026 640 norm SYSTEM AGENT COM WINDOW
10024 556 norm NVSVCPMMWindowClass
1001a 228 high MM Notify Callback
1010c 1108 norm ECDInvisibleWindow
2016c 876 norm Task Status
30292 1564 norm SysFader
10406 948 norm SysFader
20410 948 norm system32
40262 948 norm Updates
30424 948 norm Program Files
30282 1564 norm SWI Forums -> about:blank removal - Microsoft Internet Explorer
40430 948 norm Find-All
20198 872 norm America Online
1004c 948 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#6 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 06:39 PM

Well, it looks as if the file is still loaded!

Find it!
C:\WINNT\System32\RESPO.DLL
Are you able to find it on your system?
Are you able to delete it?

If not, it looks like the file is loaded but the value is no longer visible.

In addition, in reglite, when you double-click 'AppInit_Dlls', what is listed under Size in the data editor?

#7 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 06:41 PM

I found it but it won't let me delete it.
Size: 1

#8 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 07:02 PM

OK. This is due to the 'special' permissions set on the file.
You need to follow these steps now, exactly as described:

***Step 2***
Go to the same Find-All link and download:
"Salamand.zip"
- Unzip the salamand.zip folder, run salamand.exe
Follow these menu options exactly as described:

*Top menu "left" > Change Drive > Click C:
*"Right" > Change Drive > Click C
*"Commands" > Create Directory... > Paste > junk > OK.
*"Options" > check "Command Line"
*"Commands" > Change Directory > paste:
C:\WINNT\System32
*"Commands" > Find Files.. > edit:
*In 'search for' paste: RESPO.DLL
uncheck 'include subdirectories'
hit 'OK' and 'start'
*On file found hit -> 'focus'
*Top menu "files" -> move/rename, type:
C:\junk
hit 'OK'
--------------------------------------------------------
Into the visual bottom narrow box, with:
--------------------------------------------------------
C:\>
--------------------------------------------------------
Copy & paste the following 2 commands, one at a time, and hit Enter.
You should get a (processed..) confirmation on the first, and nothing on the second.
Close the prompt box after each command returns.
(Command #1) (copy the entire highlighted command)

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f

(Command #2)

attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111

Close the program, go to the C:\junk <- folder, and zip it up!!
Submit the zipped junk on the same page by clicking on the 'files for submission' link.
It will open your email client; navigate and add it as an attachment! Thanks ;)

Lastly, delete both junk folder(s) from C:

Post another (fresh) Find-All output when done!

#9 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 07:17 PM

--------------------------------------------------------
Into the visual bottom narrow box, with:
--------------------------------------------------------
C:\>
--------------------------------------------------------
Copy & paste the following 2 commands, one at a time, and hit Enter.
You should get a (processed..) confirmation on the first, and nothing on the second.
Close the prompt box after each command returns.
(Command #1) (copy the entire highlighted command)

cacls %SYSTEMDRIVE%\junk\*.dll /t /e /g Administrators:f & cacls %SYSTEMDRIVE%\junk /t /e /g Administrators:f

(Command #2)

attrib -r \\?\%SYSTEMDRIVE%\junk\*.dll & ren \\?\%SYSTEMDRIVE%\junk\*.dll *.111

Close the program, go to the C:\junk <- folder, and zip it up!!
Submit the zipped junk on the same page by clicking on the 'files for submission' link.
It will open your email client; navigate and add it as an attachment! Thanks ;)

Lastly, delete both junk folder(s) from C:

Post another (fresh) Find-All output when done!

I am a little lost at this step.
My line at the bottom shows C:\WINNT\system32\> instead of C:\>

Do I paste the commands onto that line and hit Return?

Thanks again for the help.

#10 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 07:23 PM

Did you follow the steps as I explained?
Click once on "left" to change to C:>
The command should start with it!

Also be sure the junk file was created... in C:\
And the file is no longer in the system32 folder.

#11 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 07:36 PM

I get this when I run the second command.
I don't see the file in system32 anymore.

File not found - \\?\C:\junk\*.dll
The system cannot find the file specified.

#12 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 08:05 PM

Ok, but is it IN the C:\junk folder?
The file was renamed/replaced.

Go to the C:\junk folder and post back what's inside it!

It should contain this file now:
RESPO.111

#13 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 08:10 PM

Yes.
I have the C:\junk folder with respo.111 file in it.

#14 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 08:23 PM

:D Success! :D

I'd appreciate it if you'd submit the file as I posted.
And when done, delete all copies of it including the 'junk' folder(s).

The last step is to *repair your current security settings on the 'Windows' key.
Because it was renamed, especially in Win2K, its default settings are lost and set to inherit by all groups.
As you can see, you have the 'Everyone' group assigned in the last section of your log and that's a 'minor' security risk.

For this matter, it's best if you'd use Windows' own registry editor!

Go to Start/Run, type:
regedt32
Hit Enter.
Expand the exact same key as in reglite.
You need to double-click to expand.

HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows NT -> CurrentVersion -> Windows
Highlight the Windows subfolder!
In the regedt32 top menu:
Security/Permissions:
UNcheck the lower box:
"Allow inheritable permissions from..."
and hit -> 'COPY' on the prompt! (That will protect the key.)

Next, select the "Everyone" group listed there and remove it!

*Click the Advanced tab,

*"Power Users" group < view/edit
and reset to defaults by deselecting ALL boxes BUT the following:
- Query Value
- Enumerate Subkeys
- Notify
- Read Control
The above should remain checked!

Normally, the Power Users have more power on most subkeys but not on the Windows key (in 2K).
It was set that way after you renamed it.
Hit OK as required.
*Don't touch anything else there!

I think you're all set, but post another (fresh) Find-All output!

Edited by freeatlast, 19 May 2004 - 08:28 PM.


#15 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 08:58 PM

Thanks for the help. I really appreciate it.


--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--


Wed May 19 20:58:31 2004 -- Results:
*System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "Main" (B0E1:863A) - FS:NTFS clusters:4k
Total: 103 811 223 552 [97G] - Free: 97 145 815 040 [90G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q828750;Q330994;Q832894;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


*PC uptime:
8:58pm up 0 days, 2:43

*Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
70460 948 norm SysFader
20038 948 norm _Shell_TrayWnd
1a048a 500 norm SysFader
50434 1380 norm SysFader
1008e 1096 norm LWBZoomWnd
1008c 1096 norm LWBSMARTWND
10016 228 high NetDDE Agent
30282 1564 norm SWI Forums -> Replying in about:blank removal - Microsoft Internet Explorer
20198 872 norm America Online
80622 1848 norm C:\WINNT\system32\cmd.exe
e0466 948 norm Find-All
d052e 500 norm MSN Money - HYPD Quote: Investing - Microsoft Internet Explorer
170400 1380 norm IntelliFormProxy
404e0 1380 norm MSN Money - CADA Chart: Investor - Microsoft Internet Explorer
80278 1176 norm WebMail - Read: 237/58 - Mozilla
2001bc 948 norm Timer
7045c 948 norm _ToolbarWindow32
40456 500 norm MCI command handling window
1b046c 500 norm DDE Server Window
304fe 1380 norm MCI command handling window
304f0 1380 norm DDE Server Window
302d8 1564 norm MCI command handling window
30246 1564 norm DDE Server Window
1025a 948 norm MCI command handling window
1019e 872 norm AXTimer
20190 1480 norm shellmon
301d6 872 norm Xprt Message Window
2018a 872 norm DDE Server Window
10176 1176 norm NetscapeDispatchWnd
10174 1176 norm DDE Server Window
50170 1176 norm Mozilla:DNSWindow
10154 876 norm hp psc 1200 series - Status
10136 1116 norm Roxio Easy CD & DVD Creator Home
200fe 1140 norm AVG Control Center - FREE Edition
100e2 1300 norm About WinZip Quick Pick
100e0 1176 norm XPCOM:EventReceiver
2007e 1272 norm AiODeeDeeNotificationWindow
100ca 1236 norm PlayListMonitorWnd
100aa 576 norm Drag-to-Disc Disc Preparation
2009a 576 norm Drag-to-Disc
10094 576 norm DrgToDsc
100c4 1108 norm RxMonSysTrayWnd
10098 1160 norm QTPlayer Tray Icon
10088 1096 norm Mouse32AForm
10084 1096 norm Mouse32a
1007c 948 norm CSC Notifications Window
10072 948 norm Power Meter
1006e 948 norm Connections Tray
1006c 948 norm MS_WebcheckMonitor
2003c 948 norm DDE Server Window
10026 640 norm SYSTEM AGENT COM WINDOW
10024 556 norm NVSVCPMMWindowClass
1001a 228 high MM Notify Callback
1010c 1108 norm ECDInvisibleWindow
2016c 876 norm Task Status
30292 1564 norm SysFader
10406 948 norm SysFader
1004c 948 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(CI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
(CI) ALLOW Read BUILTIN\Power Users
(CI) ALLOW Full access NT AUTHORITY\SYSTEM
(CI) ALLOW Read BUILTIN\Users

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Full access BUILTIN\Administrators
Read BUILTIN\Power Users
Full access NT AUTHORITY\SYSTEM
Read BUILTIN\Users
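The three things freeatlast checked by eye in this thread (the "Locked or 'Suspect'" entries in #4, the AppInit_DLLs data, and the RegDACL entries for Everyone and Power Users in #14) can be pulled out of a Find-All log mechanically. The script below is an added example, not Find-All's or the thread's own code: all function names are mine, the two embedded logs are constructed condensations of the first and last logs posted above, and the ACL baseline is taken from the repaired key in the last log.

```python
"""Triage for the Find-All / RegDACL log format posted in this thread.
Added example, not Find-All's code; the embedded logs are constructed
condensations of the first and last logs above (only the sections parsed)."""
import re

# Constructed from the first log: respo.dll still loaded, default ACL lost.
LOG_BEFORE = r'''
*Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error
\\?\C:\WINNT\System32\RESPO.DLL +++ File read error

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
'''

# Constructed from the last log: file gone, ACL repaired as described in #14.
LOG_AFTER = r'''
*Locked or 'Suspect' file(s) found...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(CI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
(CI) ALLOW Read BUILTIN\Power Users
(CI) ALLOW Full access NT AUTHORITY\SYSTEM
(CI) ALLOW Read BUILTIN\Users
'''

SUSPECT_HDR = "*Locked or 'Suspect' file(s) found..."
WINDOWS_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"
ACL_HDR = "Access Control List for Registry key"
# RegDACL line shape as posted: "(flags) ALLOW <rights> <principal>"
ACE_RE = re.compile(r"^\([A-Z-]+\) (?P<type>ALLOW|DENY) (?P<rights>Full access|\S+) (?P<who>.+)$")
# Baseline taken from the repaired key in the last log of this thread.
FULL_ACCESS_OK = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM", "CREATOR OWNER"}
READ_ONLY_OK = {r"BUILTIN\Power Users", r"BUILTIN\Users"}


def section(lines, header):
    """Lines after the first line starting with `header`, up to a blank line."""
    out, grab = [], False
    for line in lines:
        if grab:
            if not line.strip():
                break
            out.append(line.rstrip())
        elif line.startswith(header):
            grab = True
    return out

def locked_files(lines):
    """Paths Find-All could not read; '+++ File read error' means still loaded."""
    return sorted({line.split(" +++")[0].strip() for line in section(lines, SUSPECT_HDR)})

def appinit_dlls(lines):
    """AppInit_DLLs data from the REGEDIT4 export, or None if the key is absent."""
    for line in section(lines, WINDOWS_KEY):
        m = re.match(r'"AppInit_DLLs"="(.*)"$', line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def acl_entries(lines):
    """(type, rights, principal) tuples from the RegDACL section."""
    return [(m["type"], m["rights"], m["who"])
            for m in map(ACE_RE.match, section(lines, ACL_HDR)) if m]

def acl_findings(entries):
    """Everyone (or any other stranger) present, or Power Users/Users above Read."""
    findings = set()
    for typ, rights, who in entries:
        if who in READ_ONLY_OK and rights != "Read":
            findings.add(f"{who} has {rights} (expected Read)")
        elif who not in READ_ONLY_OK | FULL_ACCESS_OK:
            findings.add(f"unexpected principal {who} with {typ} {rights}")
    return sorted(findings)

def triage(log_text):
    """All findings for one log; an empty list means the three checks pass."""
    lines = log_text.splitlines()
    findings = [f"locked file still loaded: {p}" for p in locked_files(lines)]
    value = appinit_dlls(lines)
    if value:
        findings.append(f"AppInit_DLLs is set: {value}")
    findings += [f"registry ACL: {f}" for f in acl_findings(acl_entries(lines))]
    return findings

if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(name, triage(log) or ["clean"])
```

Run against the first log it reports the loaded RESPO.DLL, the Everyone ACE and the over-privileged Power Users ACE; against the last log it reports nothing, matching freeatlast's reading in #16.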




#16 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 09:11 PM

wonderful! B)
You managed to set up the security settings perfectly!

And log is cleaned up!

Now it's time to:
-Run CWShredder
-Run Ad-Aware6

Have them fix any problems found.
You should also download and post a HijackThis log.
All links are in the FAQs.

#17 dave2001 (Full Member, 9 posts)
Posted 19 May 2004 - 10:44 PM

It is easy to set up the settings perfectly when the instructions are so good.


Logfile of HijackThis v1.97.7
Scan saved at 9:38:25 PM, on 5/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Winamp3\winampa.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\System32\SCardSvr.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: DigiChat Applet - http://itsajeep.org/...s/Client_IE.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab

#18 freeatlast (Retired Staff, 833 posts)
Posted 19 May 2004 - 11:40 PM

Log is clear as well!

Thanks for the file, it was indeed identical to some of my samples!

Stay out of trouble ;)

#19 cnm (Administrators, 25,317 posts)
Posted 20 May 2004 - 12:01 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
