Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

About:blank


  • This topic is locked This topic is locked
12 replies to this topic

#1 mjuul1

mjuul1

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:Denmark
  • Local time:10:16 PM

Posted 09 June 2004 - 04:59 PM

I do also have a "About:blank"-problem.

Here is my log-file for HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 23:55:45, on 09-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\Programmer\WebSpeed Sikkerhedspakke\DFW\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\System32\MMTray.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\Programmer\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Programmer\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\Program\BackWeb-7791805.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Outlook Express\msimn.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Martin\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tdconline.dk/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
O1 - Hosts: 127.127.127.127 elite
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07BF9C31-031D-4DDC-94EC-0C10E3160061} - C:\WINDOWS\System32\neflji.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tdconline.dk/start
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://skinfakse.certifikat.dk/csp/authent...Install0703.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7872.5190393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

What do I do next?

Martin

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:16 PM

Posted 09 June 2004 - 08:34 PM

Step 1. Download DLLFix from:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix and double-click on start.bat

Step 5. Run Option 1 by pressing 1. The program will now start searching.

Step 6. Once the search is complete a notepad will open called output.txt. Post the contents as a reply to this post.

#3 mjuul1

mjuul1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:Denmark
  • Local time:10:16 PM

Posted 10 June 2004 - 02:39 AM

Here is my output.txt file:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

10-06-2004
09:14

System Info:

Microsoft Windows XP [version 5.1.2600]
C: "" (5095:C148) - FS:NTFS clusters:4k
Total: 39 950 184 448 [37G] - Free: 21 678 956 544 [20G]


*IE version and Service packs:
6.0.2800.1106 C:\Programmer\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Programmer\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q822925;Q330994;Q820223;Q828750;Q824145;Q832894;Q837009;Q831167;



Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\HLPECAK.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLPECAK.DLL +++ File read error


Scanning for main Hijacker:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07BF9C31-031D-4DDC-94EC-0C10E3160061}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{6284A479-ACE3-4853-A9AF-3D2F7875833F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{6284A479-ACE3-4853-A9AF-3D2F7875833F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Brugere
(ID-IO) ALLOW Read BUILTIN\Brugere
(ID-NI) ALLOW Full access BUILTIN\Administratorer
(ID-IO) ALLOW Full access BUILTIN\Administratorer
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Brugere
Full access BUILTIN\Administratorer
Full access NT AUTHORITY\SYSTEM


- Martin

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:16 PM

Posted 10 June 2004 - 08:06 AM

Follow these steps:

Run start.bat again but this time choose option 2.
Then choose option 1.

When it asks for the filename enter: C:\WINDOWS\System32\HLPECAK.DLL
and press return.

Let it do its thing. WHen it asks to reboot do so.

Then post a new Output.txt (do option 1 in start.bat again ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log.

#5 mjuul1

mjuul1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:Denmark
  • Local time:10:16 PM

Posted 10 June 2004 - 12:06 PM

I have done the what you've said and here is the log.txt:

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 3.01 060504
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
10-06-2004
18:48

Backing up Registry Hive

Handlingen blev fuldført.

Deleting Windows Key

Handlingen blev fuldført.

Adding Test Windows Key

Handlingen blev fuldført.

Restoring temp Values Key

Handlingen blev fuldført.

Deleting Bad Appinit Value

Handlingen blev fuldført.


Backup of Modified Hiv

Handlingen blev fuldført.

Deleting test Windows key

Handlingen blev fuldført.

Deleting Filter text
Running from C:\Documents and Settings\Martin\Download\dllfix
Scanning for Locked File
Unlocking Locked File

C:\WINDOWS\System32\HLPECAK.DLL
Unlocking Locked File

C:\WINDOWS\System32\HLPECAK.DLL
Scanning For main hijacker.
Found Main Hijacker Dll:C:\WINDOWS\System32\NEFLJI.DLL
Md5 tested As 4E24A18F3A557AF479219E47E27B8B59
Processing File Manually
C:\WINDOWS\system32\HLEPCAK.DLL
Md5 Check of C:\WINDOWS\system32\HLEPCAK.DLL

Md5 tested As 4E24A18F3A557AF479219E47E27B8B59
File was found but md5 didnt match
MD5 was: 4E24A18F3A557AF479219E47E27B8B59
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\HLEPCAK.DLL>

SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: Den angivne fil blev ikke fundet.


File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Martin\Download\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

Adding Back Windows Key

Handlingen blev fuldført.

Restoring Registry Hive

Handlingen blev fuldført.


Restoring Cleaned Appinit Value

Handlingen blev fuldført.



And here is the output.txt:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

10-06-2004
19:00

System Info:

Microsoft Windows XP [version 5.1.2600]
C: "" (5095:C148) - FS:NTFS clusters:4k
Total: 39 950 184 448 [37G] - Free: 22 456 860 672 [21G]


*IE version and Service packs:
6.0.2800.1106 C:\Programmer\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Programmer\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q822925;Q330994;Q820223;Q828750;Q824145;Q832894;Q837009;Q831167;



Locked or 'Suspect' file(s) found...


Scanning for main Hijacker:
File found was C:\WINDOWS\System32\NEFLJI.DLL
Md5 tested As 4E24A18F3A557AF479219E47E27B8B59


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07BF9C31-031D-4DDC-94EC-0C10E3160061}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{F5465671-A2F4-4C16-926F-2D5FBDD8881A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{F5465671-A2F4-4C16-926F-2D5FBDD8881A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Brugere
(ID-IO) ALLOW Read BUILTIN\Brugere
(ID-NI) ALLOW Full access BUILTIN\Administratorer
(ID-IO) ALLOW Full access BUILTIN\Administratorer
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Brugere
Full access BUILTIN\Administratorer
Full access NT AUTHORITY\SYSTEM




And the HijackThis-log:

Logfile of HijackThis v1.97.7
Scan saved at 19:06:14, on 10-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\Program\BackWeb-7791805.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\Programmer\WebSpeed Sikkerhedspakke\DFW\Program\fsdfwd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\System32\MMTray.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Programmer\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Martin\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tdconline.dk/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
O1 - Hosts: 127.127.127.127 elite
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07BF9C31-031D-4DDC-94EC-0C10E3160061} - C:\WINDOWS\System32\neflji.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tdconline.dk/start
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://skinfakse.certifikat.dk/csp/authent...Install0703.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7872.5190393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

- Martin

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:16 PM

Posted 10 June 2004 - 01:27 PM

Ok now please run ad-aware and make sure you update it before you scan. Clean up all that it finds and then post a new hijackthis log here please.

A tutorial on using ad-aware can be found here:

AD-AWARE- Using Ad-aware to remove Spyware/Hijackers from Your Computer.

#7 mjuul1

mjuul1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:Denmark
  • Local time:10:16 PM

Posted 10 June 2004 - 01:43 PM

Ok, after runnig Ad-aware I have made this HijackThis-log:

Logfile of HijackThis v1.97.7
Scan saved at 20:40:41, on 10-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\Program\BackWeb-7791805.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\Programmer\WebSpeed Sikkerhedspakke\DFW\Program\fsdfwd.exe
C:\WINDOWS\System32\pctspk.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\System32\MMTray.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Programmer\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Real\RealOne Player\realplay.exe
C:\Programmer\Fælles filer\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Martin\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tdconline.dk/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
O1 - Hosts: 127.127.127.127 elite
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07BF9C31-031D-4DDC-94EC-0C10E3160061} - C:\WINDOWS\System32\neflji.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tdconline.dk/start
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://skinfakse.certifikat.dk/csp/authent...Install0703.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7872.5190393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab


- Martin

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:16 PM

Posted 10 June 2004 - 03:12 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\neflji.dll/sp.html (obfuscated)
O1 - Hosts: 127.127.127.127 elite
O2 - BHO: (no name) - {07BF9C31-031D-4DDC-94EC-0C10E3160061} - C:\WINDOWS\System32\neflji.dll

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories
C:\WINDOWS\system32\HLEPCAK.DLL
C:\WINDOWS\System32\NEFLJI.DLL

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

Reboot your computer to go back to normal mode and post a new log.

#9 mjuul1

mjuul1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:Denmark
  • Local time:10:16 PM

Posted 10 June 2004 - 05:08 PM

Well now it seems like the startpage remains to be the same.

Here is the latest log:

Logfile of HijackThis v1.97.7
Scan saved at 00:05:25, on 11-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\System32\MMTray.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\Programmer\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\Program\BackWeb-7791805.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\Programmer\WebSpeed Sikkerhedspakke\DFW\Program\fsdfwd.exe
C:\Documents and Settings\Martin\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tdconline.dk/start
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tdconline.dk/start
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://skinfakse.certifikat.dk/csp/authent...Install0703.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7872.5190393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

- Martin

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:16 PM

Posted 10 June 2004 - 06:42 PM

Lets not celebrate yet, though you do have my favorite site as your start page :thumbsup:

Fix this last entry:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Reboot your computer and post a new log.

#11 mjuul1

mjuul1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:Denmark
  • Local time:10:16 PM

Posted 11 June 2004 - 02:28 AM

Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 09:22:45, on 11-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programmer\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\System32\MMTray.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\Programmer\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\WebSpeed Sikkerhedspakke\backweb\7791805\Program\BackWeb-7791805.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Programmer\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\Programmer\WebSpeed Sikkerhedspakke\DFW\Program\fsdfwd.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Martin\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tdconline.dk/start
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmer\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programmer\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmer\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programmer\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tdconline.dk/start
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {71AEE1E3-1B65-41FA-BBD2-565CBD1359D8} (Util Class) - https://skinfakse.certifikat.dk/csp/authent...Install0703.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7872.5190393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

- Martin

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:16 PM

Posted 11 June 2004 - 07:51 AM

Great job. the log looks great now.

I advise you to install the latest version of SPybot and install teatimer when it asks. If you have installed it already do not worry about it.

I would also advise you to install spywareblaster.

I have provided links to two tutorials on setting up both applications.

Using SpywareBlaster to Protect your Computer

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.

#13 mjuul1

mjuul1
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:Denmark
  • Local time:10:16 PM

Posted 11 June 2004 - 08:36 AM

Well, thanks a lot. I am really grateful for your help!

- Martin




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users