Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log - Mikkel


  • This topic is locked This topic is locked
7 replies to this topic

#1 mjn

mjn

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 18 July 2004 - 03:48 AM

Hi,

I have been hijacked by CWS - the "about:blank" version.

I have tried Adaware and Spybot without result. I have also tried the CWShredder without result. The changing of my homepage to about:blank keeps coming back.

I attach the log from HJT (Anything related to velux (my company) is ok).

I thank you in advance.

Logfile of HijackThis v1.97.7
Scan saved at 10:20:25, on 18-07-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\system32\srvany.exe
c:\winnt\system32\DanaReg.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\AEIWLSTA.EXE
C:\WINNT\system32\S3Tray2.exe
C:\WINNT\LTSMMSG.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\WINNT\Logi_MwX.Exe
C:\WINNT\system32\internat.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 5\PcSync.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinVNC.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
H:\PROFILE\DeskTop\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.VELUX.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.VELUX.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by VELUX
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.163.136.20:3129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;172.16.*;192.168.*;193.163.118.*;193.163.136.*;193.163.137.*;193.163.140.*;193.163.141.*;193.163.142.*;193.163.143.*;193.163.164.*;193.163.165.*;193.163.166.*;193.163.167.*;195.41.239.*;*.VELUX.*;*.VELUX-Canada.*;*.VeluxFondene.*;.VELFAC.*;*.VELSUN.*;*.employeefoundation.com;*.velux&people.*;www.vendorportal.dk; *.welcometovelux.org;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.VELUX.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {84B3825B-74CE-45A6-BCF1-C295E2614698} - C:\WINNT\system32\jle.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [Afterbat] c:\DanaNet\Afterbat.exe
O4 - HKLM\..\Run: [DananetDtm] C:\Dananet\DananetDtm.exe /DK
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Nokia PC Sync.lnk = C:\Program Files\Nokia\Nokia PC Suite 5\PcSync.exe
O4 - Global Startup: WinVNC.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: JavaConnect - http://dk-same01.velux.grp/sametime/javaco...JavaConnect.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://dk-same01.velux.grp/sametime/stmeet...gRoomClient.cab
O16 - DPF: {2D827566-0DFD-4ABA-A396-F66F8FA9C44F} (WmMenuCtrl Class) - http://194.192.110.165/WmWebPopupMenu.dll
O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) - http://dk-same01.velux.grp/sametime/javaco...STConnAgent.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://dk-same01.velux.grp/sametime/stmeet...STJNILoader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = velux.grp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = velux.grp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = velux.grp

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 18 July 2004 - 09:35 AM

Please follow these steps, even if you have done some of them already, in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what it finds. This is to gaurantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items. Please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing enties with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here or one at the Bleeping Computer forums where I am most often, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link in my signature below.

#3 mjn

mjn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 21 July 2004 - 04:39 AM

Hi,

I just ran Adaware and spybot. The stuff that was found was fixed/removed. The problem (described in the top) is still existing.

Thank you for your help.

Here is a new hjt log:

Logfile of HijackThis v1.98.0
Scan saved at 11:33:51, on 21-07-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\system32\srvany.exe
c:\winnt\system32\DanaReg.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\AEIWLSTA.EXE
C:\WINNT\system32\S3Tray2.exe
C:\WINNT\LTSMMSG.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
c:\dananet\Minstuser.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 5\PcSync.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinVNC.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Notes_6x\nlnotes.exe
C:\Program Files\Notes_6x\ntaskldr.EXE
C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\bin\sdlaunch.exe
C:\WINNT\system32\jview.exe
C:\Program Files\SAP6xx\sapgui\sapgui.exe
C:\Program Files\SAP6xx\sapgui\sapfewgsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\SAP6xx\sapgui\sapgui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\UltimateZip\uzqkst.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.VELUX.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.VELUX.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.VELUX.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by VELUX
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.163.136.20:3129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;192.168.*;193.163.118.*;193.163.136.*;193.163.137.*;193.163.166.*;195.41.239.*;*.VELUX.*;*.VELUX-Canada.*;*.VeluxFondene.*;*.VELFAC.*;*.VELSUN.*;www.vendorportal.dk; www.welcometovelux.org;*.velux&people.*;<local>
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {84B3825B-74CE-45A6-BCF1-C295E2614698} - C:\WINNT\system32\jle.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [Afterbat] c:\DanaNet\Afterbat.exe
O4 - HKLM\..\Run: [DananetDtm] C:\Dananet\DananetDtm.exe /DK
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - User Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Nokia PC Sync.lnk = C:\Program Files\Nokia\Nokia PC Suite 5\PcSync.exe
O4 - Global Startup: WinVNC.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: JavaConnect - http://dk-same01.velux.grp/sametime/javaco...JavaConnect.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://dk-same01.velux.grp/sametime/stmeet...gRoomClient.cab
O16 - DPF: {2D827566-0DFD-4ABA-A396-F66F8FA9C44F} (WmMenuCtrl Class) - http://194.192.110.165/WmWebPopupMenu.dll
O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) - http://dk-same01.velux.grp/sametime/javaco...STConnAgent.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://dk-same01.velux.grp/sametime/stmeet...STJNILoader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = velux.grp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = velux.grp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = velux.grp
O18 - Protocol: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP6xx\Controls\saphtmlp.dll
O18 - Protocol: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - C:\Program Files\SAP6xx\Controls\saphtmlp.dll
O18 - Filter: text/html - {5AD61044-4488-4B1F-8272-A61962D7C65F} - C:\WINNT\system32\jle.dll
O18 - Filter: text/plain - {5AD61044-4488-4B1F-8272-A61962D7C65F} - C:\WINNT\system32\jle.dll

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 21 July 2004 - 01:05 PM

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

#5 mjn

mjn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 21 July 2004 - 04:19 PM

As written at the top of my post I already tried CWShredder without result.

Best regards
Mikkel Juul-Nyholm.

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 21 July 2004 - 10:14 PM

Hi. Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#7 mjn

mjn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 22 July 2004 - 03:36 AM

Hi

The value field for the requested registry entry is empty. Please see attached Word document.

Best regards
Mikkel Juul-Nyholm


Edited: Removed doc file to save space

Edited by Grinler, 22 July 2004 - 09:44 AM.


#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 22 July 2004 - 09:44 AM

Do you know what these are? Dananet?

O4 - HKLM\..\Run: [Afterbat] c:\DanaNet\Afterbat.exe
O4 - HKLM\..\Run: [DananetDtm] C:\Dananet\DananetDtm.exe /DK


I want you to fix some of those entries. Please do the following:

Copy the text in the quote box below to notepad. Name the file nofilter.reg and change the save as type to all All files. Then save the file to the desktop.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_CLASSES_ROOT\CLSID\{5AD61044-4488-4B1F-8272-A61962D7C65F}]


Do not run this file yet, as we will run it later in the removal process.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jle.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {84B3825B-74CE-45A6-BCF1-C295E2614698} - C:\WINNT\system32\jle.dll
O18 - Filter: text/html - {5AD61044-4488-4B1F-8272-A61962D7C65F} - C:\WINNT\system32\jle.dll
O18 - Filter: text/plain - {5AD61044-4488-4B1F-8272-A61962D7C65F} - C:\WINNT\system32\jle.dll


Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINNT\system32\jle.dll

Now double click on the nofilter.reg file we created earlier. Say yes when it asks if you would like to merge it.

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

Reboot and post a new log and with the answer about dananet.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users