Help Please


10 replies to this topic

#1 comtek5
Member, 5 posts

Posted 24 May 2004 - 05:20 PM

Could someone please read my log file and give me some advice? I have been fighting this for over two weeks and not making any progress. Every 40 secs. or so I get a pop up that wants to install a bho called oekjl.dll. I decline, then a pop up tells me my home page wants to be changed to About:blank, I decline this then it attempts to change my search page, then about 40 secs later it all starts over. I scanned with HijackThis and told it to fix the first 8 lines in the log, but it still comes back.

Any help would be greatly appreciated.

My Log.....

Logfile of HijackThis v1.97.7
Scan saved at 5:10:00 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\slrundll.exe
C:\HiJackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {178D8429-6728-4975-AA5F-6820C63A0436} - C:\WINDOWS\System32\oekjl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37904.878287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D192613B-DEC7-4094-83D3-BE9F92EF0196}: NameServer = 208.24.203.253 208.8.11.253

#2 OSC
SWI Junkie (Retired Staff), 397 posts

Posted 24 May 2004 - 06:16 PM

Hi comtek5,

Go here and download this self extracting file:
http://tools.zerosrealm.com/dllfix.exe

Save it to your desktop, double click dllfix.exe and follow the prompts.

Go to the newly created dllfix folder on your desktop and double click start.bat and choose option #1. This will scan your computer for the 'bad' file. Notepad will open with a report in it. Copy the contents of the report back into this thread along with an updated hijackthis log.

Edited by OSC, 24 May 2004 - 06:19 PM.


#3 OSC
SWI Junkie (Retired Staff), 397 posts

Posted 24 May 2004 - 07:04 PM

Hi comtek5,

This line in your running processes:
C:\WINDOWS\slrundll.exe

tells me you have a modem installed, but there is no trace of it in your hijackthis log. I noticed you left the chat room and I'm assuming you rebooted your computer by now.

Making a couple of assumptions here - I'm pretty sure you were connected to the Internet on dial-up while in the chat room and I know you said that you fixed some things on your own (not encouraged) and it looks like you blew that entry away, meaning, if you're reading this, you either reinstalled that modem or you're reading this from a different computer.

I suppose it's possible that the modem will still work, but I'm doubtful.

If you're reading this and that computer is still broken, restore all HijackThis backups (start HijackThis, click Config, then Backups). Then try to connect to the internet.

#4 comtek5
Member, 5 posts

Posted 24 May 2004 - 11:18 PM

Thanks OSC for your reply and help. I am on modem dialup but have not really had any problem with that. I did have to leave for awhile but had no problem getting back on and modem is working fine. I am attaching an updated HJT log and the scan log for dllfix.exe. Thanks in advance for any assistance you can give me.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Mon 05/24/2004
11:01 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (0CF9:863C) - FS:NTFS clusters:4k
Total: 60 019 834 880 [56G] - Free: 50 928 177 152 [47G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q810847;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3805.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
11:01pm up 0 days, 0:22
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQLHDM.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLHDM.DLL +++ File read error


*List of top level windows:
HWND PID PRIO TITLE
3017a 1220 norm SysFader
1009a 1220 norm Start Menu
3003a 1220 norm _Shell_TrayWnd
201ac 260 norm Information Message from PrintKey 2000
100ca 1904 norm PLAYER
100f0 1904 norm PLAYER
10028 560 high NetDDE Agent
6026c 3936 norm C:\WINDOWS\System32\cmd.exe
100ba 1920 norm WinPatrol
40246 1220 norm C:\Documents and Settings\C.B. Monroe\Desktop\dllfix
201aa 1968 norm frmDialogMedium
201a2 1968 norm frmDialogSmall
201a0 1968 norm Parent Dialog Form
20242 1968 norm Downloads Screen
10204 1968 norm frmssSpyNews
101fe 1968 norm First time use
101fa 1968 norm About Screen
101f2 1968 norm Quarantine Directory screen
101e2 1968 norm Options Screen
101da 1968 norm frmssResults
20146 1968 norm Removal Screen
101be 1968 norm frmssSweep
101ba 1968 norm frmssMainScreen
2012e 1968 norm Webroot Spy Sweeper ™
10120 1968 norm frmSplashScreen
10114 1968 norm Spysweeper
402da 1960 norm MSNMSGRPassportLogin
10346 1960 norm GDLSP_ASYNCWND_CLASS
3025a 1960 norm MSBLNetConn
20308 2296 norm Auto Update Client Window
20314 1220 norm MCI command handling window
201ae 1348 norm lxbk POR Monitor
20122 260 norm PrintKey 2000
10160 260 norm PrintKey 2000 v5.10
101c2 2032 norm BigFix
101de 1220 norm Connections Tray
101b6 1960 norm ActiveMovie Window
101b4 1960 norm ActiveMovie Window
1018c 1896 norm Logitech ScrHelp
20124 1960 norm MSP PNP Notification Window
20128 1896 norm Logitech GetMessage Hook
40126 1896 norm Magellan MSWHEEL
1017c 1220 norm Power Meter
10174 1960 norm CRTCClient
1016a 1348 norm LEXLMPM
10164 1912 norm 77c
2015e 1896 norm LogiTrayMgrWnd
20158 1896 norm Logitech E/M Executive
1015c 1960 norm CRTCIMService
10172 1220 norm MS_WebcheckMonitor
400e4 128 norm LXBKBMON
100fc 1960 norm DDE Server Window
100f6 1904 norm Movie
100e6 1904 norm Movie
100d2 1904 norm KEYBOARD HOTKEY SETUP
100cc 1904 norm Movie
100be 1904 norm HOTKEY KEYBOARD
100c4 1944 norm LXBKBMGR
100b6 1912 norm QTPlayer Tray Icon
100a2 1664 norm SystemSuite Task Manager
10080 1340 norm
1007c 1340 norm LexPPS BCE Comm Window
10090 1220 norm Program Manager
500d8 1920 norm M
100d6 1920 norm Default IME
3003c 1220 norm M
30038 1220 norm Default IME
70288 1220 norm M
a022e 1220 norm Default IME
10130 1968 norm M
10116 1968 norm Default IME
10348 1960 norm Default IME
20304 2296 norm Default IME
10316 1220 norm Default IME
102e0 284 norm Default IME
201b0 1348 norm Default IME
10162 260 norm Default IME
1021a 1960 norm Default IME
2014a 2032 norm M
101c4 2032 norm Default IME
10178 1960 norm Default IME
1017e 1220 norm Default IME
1016c 1348 norm Default IME
2015a 1896 norm Default IME
300b8 128 norm Default IME
100fe 1960 norm Default IME
100c0 1904 norm Default IME
100c6 1904 norm M
100da 1944 norm Default IME
100bc 1912 norm Default IME
100a4 1664 norm Default IME
10082 1340 norm Default IME
1007e 1340 norm Default IME
100a0 1220 norm M
30052 1220 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B536C1B-49F7-4284-A5BA-366AC49BD658}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Logfile of HijackThis v1.97.7
Scan saved at 11:06:57 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\YCIII\YankClip.exe
C:\HiJackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {50811DEF-C6D9-4A32-B4C9-7A5D1113F013} - C:\WINDOWS\System32\oekjl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37904.878287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

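As an added example (not part of this thread, and not code from the HijackThis or dllfix tools), here is a small Python triage script for the indicators the logs above surface: IE search/start values redirected into a res:// page inside a System32 DLL, a BHO with no name, a MIME filter registered for text/html or text/plain, a populated AppInit_DLLs value, and the find-all "File read error" lines. The function names are mine, the sample inputs are constructed from the kinds of lines posted here, and the AppInit_DLLs value in the sample is constructed (the export posted above shows it empty).

```python
import re

# HijackThis R0/R1 line: "R1 - <registry key>,<value name> = <data>"
HJT_R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path>"
HJT_O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# IE start/search value pointing at a resource page carried inside a DLL under System32
RES_SYSTEM32 = re.compile(r"^res://(?P<dll>[A-Za-z]:\\WINDOWS\\System32\\[^/\\]+\.dll)/", re.IGNORECASE)
# find-all "Locked or 'Suspect' file" line: "\\?\C:\...\X.DLL +++ File read error"
LOCKED_FILE = re.compile(r"^\\\\\?\\(?P<path>.+?) \+\+\+ (?P<reason>.+)$")

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
FILTER_PREFIX = "HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\"
# A stock IE6 install registers no MIME filter for these two; the dllfix log in the thread deletes both.
TEXT_TYPES = {"text/html", "text/plain"}

# Constructed sample inputs, modelled on the lines posted in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\oekjl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {178D8429-6728-4975-AA5F-6820C63A0436} - C:\WINDOWS\System32\oekjl.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
"""
# The AppInit_DLLs value here is constructed for the demo; the export posted above shows it empty.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\oekjl.dll"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{B6D45478-97B4-44FC-A4DD-471B618C5C54}"
"""
SAMPLE_FINDALL = r"""
Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\SQLHDM.DLL +++ File read error
\\?\C:\WINDOWS\System32\SQLHDM.DLL +++ File read error
"""


def triage_hijackthis(log_text):
    """Return (kind, detail, path) findings for the two HijackThis patterns seen in the thread."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = HJT_R_LINE.match(line)
        if m:
            r = RES_SYSTEM32.match(m.group("data"))
            if r:
                findings.append(("ie_setting_res_dll", m.group("value").strip(), r.group("dll")))
        m = HJT_O2_LINE.match(line)
        if m and m.group("name") == "(no name)":
            findings.append(("unnamed_bho", m.group("clsid"), m.group("path")))
    return findings


def parse_reg_export(text):
    """Minimal REGEDIT4 reader: {key: {value_name: data}}; "@" is the default value."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:  # blank lines and "REGEDIT4" have no "="
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # REGEDIT4 doubles backslashes
            keys[current][name] = data
    return keys


def triage_registry(text):
    """Flag a populated AppInit_DLLs and any MIME filter hooked on text/html or text/plain."""
    findings = []
    keys = parse_reg_export(text)
    appinit = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    if appinit:
        findings.append(("appinit_dlls", WINDOWS_KEY, appinit))
    for key, values in keys.items():
        if key.startswith(FILTER_PREFIX):
            mime = key[len(FILTER_PREFIX):]
            if mime.lower() in TEXT_TYPES:
                findings.append(("mime_filter", mime, values.get("CLSID", "?")))
    return findings


def locked_files(report_text):
    """Distinct (path, reason) pairs the find-all report could not read."""
    seen = {}
    for line in (raw.strip() for raw in report_text.splitlines()):
        m = LOCKED_FILE.match(line)
        if m:
            seen.setdefault(m.group("path").lower(), (m.group("path"), m.group("reason")))
    return list(seen.values())


def dlls_implicated(findings):
    """Distinct DLL paths the findings name (lower-cased): the files to collect before removal."""
    return sorted({path.lower() for kind, _, path in findings
                   if kind in {"ie_setting_res_dll", "unnamed_bho", "appinit_dlls"}})
```

Run `triage_hijackthis` on a log and `triage_registry` on a find-all export, then `dlls_implicated` on the combined findings to see which single file the hijacked IE values, the unnamed BHO and the AppInit entry all point at.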
#5 OSC
SWI Junkie (Retired Staff), 397 posts

Posted 24 May 2004 - 11:44 PM

Hi comtek5,

That's great! I was concerned we lost you for awhile, but I'm glad you're back. Usually when you disable the modem driver, it stops working. But I'm glad you're back.

Run start.bat again and choose option #2, then choose option #2 again at the next menu. You will get a message that your computer will reboot in 15 seconds. After your computer reboots, a window will flash on your screen and notepad will open with a report in it.

Reboot your computer. Go here and download this program called CWShredder. Then, make sure ALL windows are closed, run CWShredder.exe and click Fix (not scan).

Go to the dllfix folder on your desktop and copy the contents of the output.txt and logs.txt files back into this thread, along with an updated hijackthis log.

#6 comtek5
Member, 5 posts

Posted 25 May 2004 - 12:34 AM

DL'd cwshredder and followed your instructions, and so far it looks a lot like all that may have cured the problems. I am still attaching the logs that you requested and would appreciate any other advice you can give me. Thanks again!

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Tue 05/25/2004
12:05 AM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Deleting Filter text/plain
Deleting Filter text/html


Logfile of HijackThis v1.97.7
Scan saved at 12:24:09 AM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lkhdd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37904.878287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#7 OSC

OSC

    SWI Junkie

  • Retired Staff
  • 397 posts

Posted 25 May 2004 - 03:28 PM

Hi comtek5,

Still some work to do. Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lkhdd.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


I want to be sure this is completely gone from your system, because it appears it may not be. Go to the dllfix folder on your desktop, double click start.bat and choose option #1. Notepad will open with a report in it. Copy the contents of the report back into this thread along with an updated hijackthis log.
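The two R1 entries OSC singles out above, and the Appinit_Dlls value that the dllfix report prints for the 'Windows' key, are exactly the kind of thing a small triage script can flag before a helper reads the log by hand. The following is an added example, not code from this thread, from HijackThis or from dllfix; its sample strings are constructed from the log lines quoted in this thread, and it only reports, it does not change anything.

```python
from __future__ import annotations
import re

# Constructed samples built from lines quoted in this thread: the two R1 entries
# OSC asked to have fixed, a benign O3 line from the same log, and the REGEDIT4
# fragment of the 'Windows' key that the dllfix report prints.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lkhdd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"TransmissionRetryTimeout"="90"
"Appinit_Dlls"=""
"""

# R0/R1 lines are IE start/search page settings. A value of res://<dll>/<page>
# means the page is served out of a resource inside a local DLL, which is the
# pattern behind the about:blank hijack in this thread (sp.html in oekjl.dll,
# then in lkhdd.dll). The leftover about:blank entry is flagged as well.
RES_HIJACK = re.compile(
    r"^R[01] - (?P<key>[^=]+?) = res://(?P<dll>[^/]+\.dll)/(?P<page>\S+)", re.I)
ABOUT_BLANK = re.compile(r"^R[01] - (?P<key>[^=]+?) = about:blank\s*$", re.I)


def triage_hjt(log: str) -> list[dict]:
    """One finding per R0/R1 line pointing IE at a DLL-hosted res:// page or at
    about:blank; every other line (O3, O4, ...) is left alone."""
    findings = []
    for line in log.splitlines():
        m = RES_HIJACK.match(line)
        if m:
            findings.append({"line": line, "dll": m.group("dll"),
                             "reason": "res:// page served from local DLL"})
            continue
        if ABOUT_BLANK.match(line):
            findings.append({"line": line, "dll": None,
                             "reason": "about:blank leftover from hijack"})
    return findings


def appinit_dlls(reg_export: str) -> str | None:
    """Return the Appinit_Dlls string under the 'Windows' key of a REGEDIT4
    export, or None if the key or value is absent. Any DLL listed there is
    loaded into every process that links user32.dll, so it should be empty."""
    in_windows_key = False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_windows_key = line.lower().rstrip("]").endswith(r"\currentversion\windows")
        elif in_windows_key:
            m = re.match(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$', line)
            if m and m.group("name").lower() == "appinit_dlls":
                return m.group("val")
    return None


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print("FLAG:", f["reason"], "->", f["line"])
    val = appinit_dlls(SAMPLE_REG)
    print("Appinit_Dlls:", "not present" if val is None else (val or "(empty, OK)"))
```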

#8 comtek5

comtek5

    Member

  • Full Member
  • 5 posts

Posted 25 May 2004 - 10:46 PM

Hey OSC, just got back online and found your message. Did as you suggested and here are the latest logs. Thanks

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Tue 05/25/2004
10:40 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (0CF9:863C) - FS:NTFS clusters:4k
Total: 60 019 834 880 [56G] - Free: 50 924 646 400 [47G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q810847;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q321120"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3805.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
10:40pm up 0 days, 0:17
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
502a4 1184 norm SysFader
30096 1184 norm Start Menu
30040 1184 norm _Shell_TrayWnd
201ba 2044 norm Information Message from PrintKey 2000
10028 560 high NetDDE Agent
702a2 2388 norm C:\WINDOWS\System32\cmd.exe
a014c 1184 norm C:\Documents and Settings\C.B. Monroe\Desktop\dllfix
20220 2356 norm Not yet available ...
301ae 2356 norm Yankee Clipper III
50268 2356 norm Yankee Clipper III [Freeware]
70288 2356 norm Yankee Clipper III
20356 1184 norm MCI command handling window
202f6 220 norm Auto Update Client Window
202da 1868 norm MSNMSGRPassportLogin
202f0 1868 norm GDLSP_ASYNCWND_CLASS
30260 1868 norm MSBLNetConn
10304 1688 norm DummyWindow
10302 1688 norm SLLauncher
101a2 2044 norm PrintKey 2000
200fc 2044 norm PrintKey 2000 v5.10
201fa 1808 norm Logitech ScrHelp
101c0 1808 norm Logitech GetMessage Hook
101be 1808 norm Magellan MSWHEEL
1017c 1284 norm lxbk POR Monitor
1021c 1876 norm frmssSpyNews
201b2 1876 norm First time use
20202 1876 norm About Screen
201bc 1876 norm Quarantine Directory screen
10208 1876 norm Options Screen
10204 1876 norm frmssResults
101f2 1876 norm Removal Screen
101ec 1876 norm frmssSweep
101e8 1876 norm frmssMainScreen
20112 1876 norm Webroot Spy Sweeper ™
101ca 1184 norm Power Meter
101c6 1184 norm MS_WebcheckMonitor
1016a 1808 norm LogiTrayMgrWnd
20136 1928 norm BigFix
40128 1808 norm Logitech E/M Executive
10142 1284 norm LEXLMPM
40122 1868 norm ActiveMovie Window
1014e 1868 norm ActiveMovie Window
1013c 1868 norm MSP PNP Notification Window
10134 1868 norm CRTCClient
10130 1868 norm CRTCIMService
1011c 1868 norm DDE Server Window
1011a 1824 norm 724
300f8 1904 norm LXBKBMON
1010a 1876 norm frmSplashScreen
100f2 1876 norm Spysweeper
1015a 1816 norm PLAYER
100cc 1816 norm PLAYER
1015c 1816 norm Movie
10156 1816 norm Movie
100dc 1816 norm KEYBOARD HOTKEY SETUP
100ce 1816 norm Movie
100c0 1816 norm HOTKEY KEYBOARD
100be 1852 norm LXBKBMGR
100d4 1860 norm Notification Wnd for RNAdmin
100b8 1832 norm WinPatrol
100b6 1824 norm QTPlayer Tray Icon
10086 1580 norm SystemSuite Task Manager
10080 1288 norm
1007c 1288 norm LexPPS BCE Comm Window
10234 1876 norm frmDialogMedium
10232 1876 norm frmDialogSmall
10230 1876 norm Parent Dialog Form
1022e 1876 norm Downloads Screen
10228 1184 norm Connections Tray
7029e 1184 norm SysFader
10094 1184 norm Program Manager
2018e 1832 norm M
100c4 1832 norm Default IME
30042 1184 norm M
3003e 1184 norm Default IME
50282 1184 norm M
90146 1184 norm Default IME
301c8 2356 norm M
6029c 2356 norm Default IME
4030e 1184 norm Default IME
202f4 220 norm Default IME
202ee 1868 norm Default IME
10306 1688 norm Default IME
20242 180 norm Default IME
10190 2044 norm Default IME
101a6 1868 norm Default IME
1017e 1284 norm Default IME
10168 1928 norm M
20144 1928 norm Default IME
101cc 1184 norm Default IME
20152 1808 norm Default IME
1014a 1284 norm Default IME
1013e 1868 norm Default IME
1011e 1868 norm Default IME
10114 1876 norm M
100f4 1876 norm Default IME
100c6 1816 norm M
100c2 1816 norm Default IME
100fe 1904 norm Default IME
100e0 1852 norm Default IME
100d6 1860 norm Default IME
100bc 1824 norm Default IME
10088 1580 norm Default IME
10082 1288 norm Default IME
1007e 1288 norm Default IME
100a4 1184 norm M
30058 1184 norm Default IME
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

Logfile of HijackThis v1.97.7
Scan saved at 10:37:21 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\slrundll.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37904.878287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D192613B-DEC7-4094-83D3-BE9F92EF0196}: NameServer = 208.24.203.253 208.8.11.253

#9 OSC

OSC

    SWI Junkie

  • Retired Staff
  • 397 posts

Posted 26 May 2004 - 08:48 PM

Hi comtek5,

Both logs look nice and clean. ;) Nice job!

Here's some light reading for prevention.

Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

Make sure you have the latest critical updates and make sure you check back often for new updates. This will help prevent some of this stuff from getting on your PC.
http://v4.windowsupd.../en/default.asp

And also see So how did I get infected in the first place?

#10 comtek5

comtek5

    Member

  • Full Member
  • 5 posts

Posted 28 May 2004 - 04:35 PM

OSC, sorry for the delay in this but some personal things came up and had to be handled without delay.

I have downloaded all the preventive programs and light reading that you suggested and wanted to say thanks again. All seems to be right with the world once again.

All kidding aside, I really do appreciate your help in this matter. Without it, I would be still fighting it.

Thanks again, Comtek5

#11 OSC

OSC

    SWI Junkie

  • Retired Staff
  • 397 posts

Posted 28 May 2004 - 09:53 PM

Hi comtek5,

You are very welcome. It is our pleasure to help :)
