comtek5

Help Please

11 posts in this topic

Could someone please read my log file and give me some advice? I have been fighting this for over two weeks and not making any progress. Every 40 secs. or so I get a pop up that wants to install a BHO called oekjl.dll. I decline, then a pop up tells me my home page wants to be changed to About:blank, I decline this then it attempts to change my search page, then about 40 secs later it all starts over. I scanned with HijackThis and told it to fix the first 8 lines in the log, but it still comes back.

 

Any help would be greatly appreciated.

 

My Log.....

 

Logfile of HijackThis v1.97.7

Scan saved at 5:10:00 PM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\BigFix\BigFix.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\slrundll.exe

C:\HiJackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {178D8429-6728-4975-AA5F-6820C63A0436} - C:\WINDOWS\System32\oekjl.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37904.878287037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D192613B-DEC7-4094-83D3-BE9F92EF0196}: NameServer = 208.24.203.253 208.8.11.253

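The log above is the kind of input a helper reads by hand. As an added example (not from the thread and not part of HijackThis), the script below groups the R0/R1 and O2 entries by the module they point at, so a DLL that is both loaded into the browser as a BHO and the target of the search/start-page settings stands out as the component rewriting those settings every 40 seconds, rather than the settings themselves being treated as the problem. The sample log is constructed from a subset of the entries posted above; the verdict labels and their thresholds are this example's own convention.

```python
"""Triage of a HijackThis log: group the IE setting (R0/R1) entries and the
BHO (O2) entries by the module they resolve to, so the loaded component is
reported as the root of the hijack rather than each rewritten setting.

Added example, not part of the thread and not HijackThis code. The sample log
is constructed from entries in the log posted above; the verdict thresholds
are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries posted in the first log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {178D8429-6728-4975-AA5F-6820C63A0436} - C:\WINDOWS\System32\oekjl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# A res:// URL serves HTML stored inside a local binary; capture that module's path.
RES_MODULE = re.compile(r"^res://(?P<module>.+?\.(?:dll|exe|ocx))/", re.IGNORECASE)


@dataclass
class ModuleFindings:
    path: str
    ie_settings: list = field(default_factory=list)  # R0/R1 keys pointing at it
    bho_clsids: list = field(default_factory=list)   # O2 CLSIDs that load it
    obfuscated: bool = False                          # HijackThis' own "(obfuscated)" tag
    unnamed_bho: bool = False                         # O2 entry registered with "(no name)"

    @property
    def verdict(self) -> str:
        # A module that is both loaded into the browser (O2) and the target of
        # the search/start settings (R0/R1) is the thing rewriting them.
        if self.ie_settings and self.bho_clsids:
            return "hijacker"
        if self.obfuscated or self.unnamed_bho:
            return "suspicious"
        return "review"


def triage(log_text: str) -> dict:
    """Map lower-cased module path -> ModuleFindings for the R0/R1 and O2 lines."""
    findings: dict = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            res = RES_MODULE.match(m["value"])
            if res:  # only settings that point into a local module are of interest
                path = res["module"]
                f = findings.setdefault(path.lower(), ModuleFindings(path))
                f.ie_settings.append(m["key"])
                f.obfuscated |= "(obfuscated)" in m["value"]
            continue
        m = O2_LINE.match(line)
        if m:
            path = m["path"].strip()
            f = findings.setdefault(path.lower(), ModuleFindings(path))
            f.bho_clsids.append(m["clsid"])
            f.unnamed_bho |= m["name"].strip() == "(no name)"
    return findings


def report(log_text: str) -> list:
    """Human-readable summary lines, worst verdict first."""
    order = {"hijacker": 0, "suspicious": 1, "review": 2}
    rows = sorted(triage(log_text).values(), key=lambda f: order[f.verdict])
    return [f"{f.verdict:<10} {f.path}  settings={len(f.ie_settings)} bho={len(f.bho_clsids)}"
            for f in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the constructed sample, the only module reported is oekjl.dll, with two settings and one BHO pointing at it, which is exactly why fixing the R0/R1 lines alone did not hold: the module that was left loaded put them back.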

Hi comtek5,

 

Go here and download this self extracting file:

http://tools.zerosrealm.com/dllfix.exe

 

Save it to your desktop, double click dllfix.exe and follow the prompts.

 

Go to the newly created dllfix folder on your desktop and double click start.bat and choose option #1. This will scan your computer for the 'bad' file. Notepad will open with a report in it. Copy the contents of the report back into this thread along with an updated hijackthis log.

Edited by OSC


Hi comtek5,

 

This line in your running processes:

C:\WINDOWS\slrundll.exe

 

tells me you have a modem installed, but there is no trace of it in your hijackthis log. I noticed you left the chat room and I'm assuming you rebooted your computer by now.

 

Making a couple of assumptions here - I'm pretty sure you were connected to the Internet on dial-up while in the chat room and I know you said that you fixed some things on your own (not encouraged) and it looks like you blew that entry away, meaning, if you're reading this, you either reinstalled that modem or you're reading this from a different computer.

 

I suppose it's possible that the modem will still work, but I'm doubtful.

 

If you're reading this and that computer is still broken, restore all HijackThis backups (start HijackThis, click Config, then Backups). Then try to connect to the internet.


Thanks OSC for your reply and help. I am on modem dialup but have not really had any problem with that. I did have to leave for a while but had no problem getting back on and the modem is working fine. I am attaching an updated HJT log and the scan log for dllfix.exe. Thanks in advance for any assistance you can give me.

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Mon 05/24/2004

11:01 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (0CF9:863C) - FS:NTFS clusters:4k

Total: 60 019 834 880 [56G] - Free: 50 928 177 152 [47G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q810847;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3805.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

11:01pm up 0 days, 0:22

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\SQLHDM.DLL +++ File read error

\\?\C:\WINDOWS\System32\SQLHDM.DLL +++ File read error

 

 

*List of top level windows:

HWND PID PRIO TITLE

3017a 1220 norm SysFader

1009a 1220 norm Start Menu

3003a 1220 norm _Shell_TrayWnd

201ac 260 norm Information Message from PrintKey 2000

100ca 1904 norm PLAYER

100f0 1904 norm PLAYER

10028 560 high NetDDE Agent

6026c 3936 norm C:\WINDOWS\System32\cmd.exe

100ba 1920 norm WinPatrol

40246 1220 norm C:\Documents and Settings\C.B. Monroe\Desktop\dllfix

201aa 1968 norm frmDialogMedium

201a2 1968 norm frmDialogSmall

201a0 1968 norm Parent Dialog Form

20242 1968 norm Downloads Screen

10204 1968 norm frmssSpyNews

101fe 1968 norm First time use

101fa 1968 norm About Screen

101f2 1968 norm Quarantine Directory screen

101e2 1968 norm Options Screen

101da 1968 norm frmssResults

20146 1968 norm Removal Screen

101be 1968 norm frmssSweep

101ba 1968 norm frmssMainScreen

2012e 1968 norm Webroot Spy Sweeper

10120 1968 norm frmSplashScreen

10114 1968 norm Spysweeper

402da 1960 norm MSNMSGRPassportLogin

10346 1960 norm GDLSP_ASYNCWND_CLASS

3025a 1960 norm MSBLNetConn

20308 2296 norm Auto Update Client Window

20314 1220 norm MCI command handling window

201ae 1348 norm lxbk POR Monitor

20122 260 norm PrintKey 2000

10160 260 norm PrintKey 2000 v5.10

101c2 2032 norm BigFix

101de 1220 norm Connections Tray

101b6 1960 norm ActiveMovie Window

101b4 1960 norm ActiveMovie Window

1018c 1896 norm Logitech ScrHelp

20124 1960 norm MSP PNP Notification Window

20128 1896 norm Logitech GetMessage Hook

40126 1896 norm Magellan MSWHEEL

1017c 1220 norm Power Meter

10174 1960 norm CRTCClient

1016a 1348 norm LEXLMPM

10164 1912 norm 77c

2015e 1896 norm LogiTrayMgrWnd

20158 1896 norm Logitech E/M Executive

1015c 1960 norm CRTCIMService

10172 1220 norm MS_WebcheckMonitor

400e4 128 norm LXBKBMON

100fc 1960 norm DDE Server Window

100f6 1904 norm Movie

100e6 1904 norm Movie

100d2 1904 norm KEYBOARD HOTKEY SETUP

100cc 1904 norm Movie

100be 1904 norm HOTKEY KEYBOARD

100c4 1944 norm LXBKBMGR

100b6 1912 norm QTPlayer Tray Icon

100a2 1664 norm SystemSuite Task Manager

10080 1340 norm

1007c 1340 norm LexPPS BCE Comm Window

10090 1220 norm Program Manager

500d8 1920 norm M

100d6 1920 norm Default IME

3003c 1220 norm M

30038 1220 norm Default IME

70288 1220 norm M

a022e 1220 norm Default IME

10130 1968 norm M

10116 1968 norm Default IME

10348 1960 norm Default IME

20304 2296 norm Default IME

10316 1220 norm Default IME

102e0 284 norm Default IME

201b0 1348 norm Default IME

10162 260 norm Default IME

1021a 1960 norm Default IME

2014a 2032 norm M

101c4 2032 norm Default IME

10178 1960 norm Default IME

1017e 1220 norm Default IME

1016c 1348 norm Default IME

2015a 1896 norm Default IME

300b8 128 norm Default IME

100fe 1960 norm Default IME

100c0 1904 norm Default IME

100c6 1904 norm M

100da 1944 norm Default IME

100bc 1912 norm Default IME

100a4 1664 norm Default IME

10082 1340 norm Default IME

1007e 1340 norm Default IME

100a0 1220 norm M

30052 1220 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B536C1B-49F7-4284-A5BA-366AC49BD658}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:06:57 PM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\BigFix\BigFix.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\YCIII\YankClip.exe

C:\HiJackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {50811DEF-C6D9-4A32-B4C9-7A5D1113F013} - C:\WINDOWS\System32\oekjl.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37904.878287037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

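The Find-All report above dumps three registry areas as REGEDIT4 text: the Windows key with its AppInit_DLLs value, the registered Browser Helper Objects, and the PROTOCOLS\Filter MIME filters. As an added example (not part of the thread or of the dllfix/Find-All tools), the parser below reads that format and reports the values a cleaner would act on. The sample export is built from the posted report; the variant with a non-empty AppInit_DLLs, and the DLL name in it, are constructed here to exercise that branch.

```python
"""Checks over a REGEDIT4 export of the keys the Find-All report dumps:
the Windows key's AppInit_DLLs value, the PROTOCOLS\\Filter MIME filters and
the registered Browser Helper Objects.

Added example, not part of the thread or of the dllfix/Find-All tools. The
sample export is constructed from the report posted above; the second sample
with a non-empty AppInit_DLLs is invented here to exercise that branch."""

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
FILTER_KEY = r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed sample: a subset of the REGEDIT4 sections in the posted report.
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"GDIProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B536C1B-49F7-4284-A5BA-366AC49BD658}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"
"""

# Constructed variant: same export with a made-up DLL name in AppInit_DLLs.
SAMPLE_EXPORT_APPINIT = SAMPLE_EXPORT.replace(
    r'"AppInit_DLLs"=""', r'"AppInit_DLLs"="C:\WINDOWS\System32\example_hook.dll"')


def parse_reg(text: str) -> dict:
    """Parse REGEDIT4 text into {key path: {value name: value}}.

    Handles the three value shapes in the report: "name"="string",
    @="default string" and "name"=dword:hex. Repeated REGEDIT4 headers
    (the report concatenates several exports) are skipped.
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            value = int(value[len("dword:"):], 16)
        else:
            value = value.strip('"')  # keep inner spaces, drop only the quotes
        keys[current][name] = value
    return keys


def check_export(text: str) -> list:
    """Return (finding, detail) tuples for the values a cleaner would act on."""
    keys = parse_reg(text)
    findings = []
    # AppInit_DLLs: every DLL listed here is loaded into each process that
    # links user32.dll, so any non-empty value deserves review.
    appinit = str(keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", ""))
    if appinit.strip():
        findings.append(("AppInit_DLLs", appinit))
    # A pluggable MIME filter on text/html or text/plain sees every page the
    # browser renders; the dllfix report later in this thread deletes both.
    for mime in ("text/html", "text/plain"):
        values = keys.get(FILTER_KEY + "\\" + mime)
        if values is not None:
            findings.append(("MIME filter " + mime, values.get("CLSID", "<no CLSID>")))
    # Registered BHOs, reported by CLSID so they can be matched against O2 lines.
    for key in keys:
        if key.startswith(BHO_KEY + "\\"):
            findings.append(("BHO", key.rsplit("\\", 1)[1]))
    return findings


if __name__ == "__main__":
    for finding, detail in check_export(SAMPLE_EXPORT):
        print(f"{finding}: {detail}")
```

On the posted report the AppInit_DLLs value is empty, so the checker reports only the two MIME filters (both registered to the same CLSID) and the one BHO key; the constructed variant shows what a non-empty AppInit_DLLs would look like in the output.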

Hi comtek5,

 

That's great! I was concerned we lost you for a while, but I'm glad you're back. Usually when you disable the modem driver, it stops working. But I'm glad you're back.

 

Run start.bat again and choose option #2, then choose option #2 again at the next menu. You will get a message that your computer will reboot in 15 seconds. After your computer reboots, a window will flash on your screen and notepad will open with a report in it.

 

Reboot your computer. Go here and download this program called CWShredder. Then, make sure ALL windows are closed, run CWShredder.exe and click Fix (not scan).

 

Go to the dllfix folder on your desktop and copy the contents of the output.txt and logs.txt files back into this thread, along with an updated hijackthis log.


DL'd CWShredder and followed your instructions, and so far it looks a lot like all that may have cured the problems. I am still attaching the logs that you requested and would appreciate any other advice you can give me. Thanks again!

 

CWSDLL Appinit Fix By Shadowwar

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Tue 05/25/2004

12:05 AM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully

 

Deleting Filter text/plain

Deleting Filter text/html

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:24:09 AM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\BigFix\BigFix.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\HiJackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lkhdd.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37904.878287037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Hi comtek5,

 

Still some work to do. Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lkhdd.dll/sp.html (obfuscated)

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

I want to be sure this is completely gone from your system, because it appears it may not be. Go to the dllfix folder on your desktop, double click start.bat and choose option #1. Notepad will open with a report in it. Copy the contents of the report back into this thread along with an updated hijackthis log.

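As an added example, not code from the thread or from HijackThis: a small Python script that applies the same checks the helper made by eye, flagging the two R1 entries and the Find-All registry keys quoted above. The sample input is constructed from entries in this thread; the rules (a start/search page served via res:// out of a DLL in System32, a page reset to about:blank, a registered BHO subkey, and a PROTOCOLS\Filter entry for text/html or text/plain) are my reading of the difference between the first report and the clean second one.

```python
"""Added example (not from the thread): flag the hijacker indicators the
helper points at in a HijackThis log and a Find-All REGEDIT4 report."""
import re

# Constructed sample lines, copied from the entries quoted in the thread.
HJT_SAMPLE = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\System32\\lkhdd.dll/sp.html (obfuscated)
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O4 - HKLM\\..\\Run: [WinPatrol] C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe
"""
REG_SAMPLE = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{1B536C1B-49F7-4284-A5BA-366AC49BD658}]
[HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\gzip]
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\text/html]
"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"
[HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\text/webviewhtml]
"""

# A start/search page served as a res:// resource out of a DLL in System32
# is the pattern in the R1 line the helper asked to fix.
RES_DLL = re.compile(r"res://.*\\system32\\[^\\/]+\.dll/", re.IGNORECASE)
HJT_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")

def hjt_findings(log_text):
    """Return (value name, reason) for each suspicious R0/R1 entry."""
    found = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        _section, _key, name, value = m.groups()
        if RES_DLL.search(value):
            found.append((name, "page served out of a DLL via res://"))
        elif value.strip().lower() == "about:blank":
            found.append((name, "reset to about:blank"))
    return found

def reg_findings(reg_text):
    """Return (kind, subkey) for registered BHO subkeys and for
    PROTOCOLS\\Filter entries on text/html or text/plain. The clean
    second report in the thread has neither; such a filter lets a
    component rewrite every page IE renders."""
    found = []
    for line in reg_text.splitlines():
        if not (line.startswith("[") and line.endswith("]")):
            continue
        parts = line[1:-1].split("\\")
        if "Browser Helper Objects" in parts and parts[-1].startswith("{"):
            found.append(("BHO", parts[-1]))
        elif parts[-3:-1] == ["PROTOCOLS", "Filter"] and \
                parts[-1].lower() in ("text/html", "text/plain"):
            found.append(("MIME filter", parts[-1]))
    return found

if __name__ == "__main__":
    for item in hjt_findings(HJT_SAMPLE) + reg_findings(REG_SAMPLE):
        print("FIX:", *item)
```

Run against the second Find-All report and the 10:37 PM HijackThis log, both functions return empty lists, which is the "nice and clean" result the helper reports.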

Hey OSC, just got back online and found your message. Did as you suggested and here are the latest logs. Thanks

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Tue 05/25/2004

10:40 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (0CF9:863C) - FS:NTFS clusters:4k

Total: 60 019 834 880 [56G] - Free: 50 924 646 400 [47G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q810847;

 

*Google Toolbar version and Attributes:

Defaults: "A" ;"R"

Path not found - C:\Program Files\google

Path not found - C:\Program Files\google

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"Q321120"=""

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

5.0.3805.0 C:\WINDOWS\System32\msjava.dll

 

 

*PC uptime:

10:40pm up 0 days, 0:17

Locked or 'Suspect' file(s) found...

 

 

*List of top level windows:

HWND PID PRIO TITLE

502a4 1184 norm SysFader

30096 1184 norm Start Menu

30040 1184 norm _Shell_TrayWnd

201ba 2044 norm Information Message from PrintKey 2000

10028 560 high NetDDE Agent

702a2 2388 norm C:\WINDOWS\System32\cmd.exe

a014c 1184 norm C:\Documents and Settings\C.B. Monroe\Desktop\dllfix

20220 2356 norm Not yet available ...

301ae 2356 norm Yankee Clipper III

50268 2356 norm Yankee Clipper III [Freeware]

70288 2356 norm Yankee Clipper III

20356 1184 norm MCI command handling window

202f6 220 norm Auto Update Client Window

202da 1868 norm MSNMSGRPassportLogin

202f0 1868 norm GDLSP_ASYNCWND_CLASS

30260 1868 norm MSBLNetConn

10304 1688 norm DummyWindow

10302 1688 norm SLLauncher

101a2 2044 norm PrintKey 2000

200fc 2044 norm PrintKey 2000 v5.10

201fa 1808 norm Logitech ScrHelp

101c0 1808 norm Logitech GetMessage Hook

101be 1808 norm Magellan MSWHEEL

1017c 1284 norm lxbk POR Monitor

1021c 1876 norm frmssSpyNews

201b2 1876 norm First time use

20202 1876 norm About Screen

201bc 1876 norm Quarantine Directory screen

10208 1876 norm Options Screen

10204 1876 norm frmssResults

101f2 1876 norm Removal Screen

101ec 1876 norm frmssSweep

101e8 1876 norm frmssMainScreen

20112 1876 norm Webroot Spy Sweeper

101ca 1184 norm Power Meter

101c6 1184 norm MS_WebcheckMonitor

1016a 1808 norm LogiTrayMgrWnd

20136 1928 norm BigFix

40128 1808 norm Logitech E/M Executive

10142 1284 norm LEXLMPM

40122 1868 norm ActiveMovie Window

1014e 1868 norm ActiveMovie Window

1013c 1868 norm MSP PNP Notification Window

10134 1868 norm CRTCClient

10130 1868 norm CRTCIMService

1011c 1868 norm DDE Server Window

1011a 1824 norm 724

300f8 1904 norm LXBKBMON

1010a 1876 norm frmSplashScreen

100f2 1876 norm Spysweeper

1015a 1816 norm PLAYER

100cc 1816 norm PLAYER

1015c 1816 norm Movie

10156 1816 norm Movie

100dc 1816 norm KEYBOARD HOTKEY SETUP

100ce 1816 norm Movie

100c0 1816 norm HOTKEY KEYBOARD

100be 1852 norm LXBKBMGR

100d4 1860 norm Notification Wnd for RNAdmin

100b8 1832 norm WinPatrol

100b6 1824 norm QTPlayer Tray Icon

10086 1580 norm SystemSuite Task Manager

10080 1288 norm

1007c 1288 norm LexPPS BCE Comm Window

10234 1876 norm frmDialogMedium

10232 1876 norm frmDialogSmall

10230 1876 norm Parent Dialog Form

1022e 1876 norm Downloads Screen

10228 1184 norm Connections Tray

7029e 1184 norm SysFader

10094 1184 norm Program Manager

2018e 1832 norm M

100c4 1832 norm Default IME

30042 1184 norm M

3003e 1184 norm Default IME

50282 1184 norm M

90146 1184 norm Default IME

301c8 2356 norm M

6029c 2356 norm Default IME

4030e 1184 norm Default IME

202f4 220 norm Default IME

202ee 1868 norm Default IME

10306 1688 norm Default IME

20242 180 norm Default IME

10190 2044 norm Default IME

101a6 1868 norm Default IME

1017e 1284 norm Default IME

10168 1928 norm M

20144 1928 norm Default IME

101cc 1184 norm Default IME

20152 1808 norm Default IME

1014a 1284 norm Default IME

1013e 1868 norm Default IME

1011e 1868 norm Default IME

10114 1876 norm M

100f4 1876 norm Default IME

100c6 1816 norm M

100c2 1816 norm Default IME

100fe 1904 norm Default IME

100e0 1852 norm Default IME

100d6 1860 norm Default IME

100bc 1824 norm Default IME

10088 1580 norm Default IME

10082 1288 norm Default IME

1007e 1288 norm Default IME

100a4 1184 norm M

30058 1184 norm Default IME

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"Appinit_Dlls"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

Logfile of HijackThis v1.97.7

Scan saved at 10:37:21 PM, on 5/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\Program Files\BigFix\BigFix.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\WINDOWS\slrundll.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HiJackthis\HijackThis.exe

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm

O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Copernic Agent (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37904.878287037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D192613B-DEC7-4094-83D3-BE9F92EF0196}: NameServer = 208.24.203.253 208.8.11.253

 

 


Hi comtek5,

 

Both logs look nice and clean. ;) Nice job!

 

Here's some light reading for prevention.

 

Download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

 

Both are very small free programs that you run once, and then just occasionally to check for updates.

 

Make sure you have the latest critical updates and make sure you check back often for new updates. This will help prevent some of this stuff from getting on your PC.

http://v4.windowsupdate.microsoft.com/en/default.asp

 

And also see So how did I get infected in the first place?


OSC, sorry for the delay in this but some personal things came up and had to be handled without delay.

 

I have downloaded all the preventive programs and light reading that you suggested and wanted to say thanks again. All seems to be right with the world once again.

 

All kidding aside, I really do appreciate your help in this matter. Without it, I would be still fighting it.

 

Thanks again, Comtek5
