Hijacking problem

Discussion in 'adware, spyware & hijack cleaning' started by BruceNilsen, May 23, 2004.

Thread Status:
Not open for further replies.
  1. BruceNilsen

    BruceNilsen Registered Member

    Joined:
    May 23, 2004
    Posts:
    3
    Hi,

    Two days ago I saw that my Internet Explorer start page had been changed to some porn site and every time I tried to fix it, it came back. Trying to block the porn site had no effect. My computer is a brand-new Dell Dimension 4600 series with Windows XP. I have downloaded Spybot, Ad-Aware, CWShredder, and Hijackthis, and have run each program several times (along with Norton anti-virus). They have found problems and removed them, and the start page is no longer a porn site, but instead it is sometimes "about: blank" and sometimes "http://jksearch.biz/redir.php." Every time I run the Spybot and other programs after having "removed" all the problematic items, the same items have reappeared. I’ve noticed that in the Hijackthis logfile, there are several items that include "jksearch." I’ve removed these items but they keep reappearing, too. Since this problem began, there have been other problems with the computer - the cursor keeps freezing and sometimes I am unable to switch between users. I wonder if anyone can advise me on this! Thank you in advance. Below is the current HijackThis log.

    Bruce
    oversetter@chello.no
    Oslo, Norway


    Logfile of HijackThis v1.97.7
    Scan saved at 14:49:28, on 23.05.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Programfiler\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
    C:\Programfiler\Dell AIO Printer A960\dlbfbmgr.exe
    C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
    C:\Programfiler\QuickTime\qttask.exe
    C:\Programfiler\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Programfiler\Dell AIO Printer A960\dlbfbmon.exe
    C:\Programfiler\WinZip\WZQKPICK.EXE
    C:\Programfiler\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\System32\gearsec.exe
    C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Programfiler\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\iPod\bin\iPodService.exe
    C:\Documents and Settings\Bruce\Lokale innstillinger\Temp\Midlertidig mappe 8 for HJT.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0B657FF2-4FDE-4E05-9069-8971232E2447} - C:\WINDOWS\System32\hnjdba.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Programfiler\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Oppslag (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14186d497d79874fe821/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38129.3843518519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi BruceNilsen,

    Can you start with the following? :

    Download :

    http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install in folder of choice but on the root drive, most likely C:\

    1. Run start.bat and press option 1. A search will start, let it finish

    'output.txt' will be created in the folder

    Please paste the complete contents of output.txt here

    Thnx!

    Cheers,
     
  3. BruceNilsen

    BruceNilsen Registered Member

    Joined:
    May 23, 2004
    Posts:
    3
    Hi,
    Thank you! Here is output.txt. (Some of this is in Norwegian, most of which I think is easy enough to figure out, but if you have any problems just ask.)
    Bruce

    --==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

    23.05.2004
    22:40

    System Info:

    Microsoft Windows XP [Versjon 5.1.2600]
    C: "" (BCA6:166F) - FS:NTFS clusters:4k
    Total: 79 941 492 736 [74G] - Free: 71 116 341 248 [66G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Programfiler\Internet Explorer\Iexplore.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q837009;Q832894;

    *Google Toolbar version and Attributes:
    Defaults: "A" ;"R"
    Finner ikke banen - C:\Programfiler\google
    Finner ikke banen - C:\Programfiler\google

    *UserAgent:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    *Wmplayer version:
    8.0.0.4490 C:\Programfiler\Windows Media Player\wmplayer.exe
    6.4.9.1125 C:\Programfiler\Windows Media Player\mplayer2.exe

    *M$Java version:


    *PC uptime:
    10:40pm up 0 days, 0:48
    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\LOGBKNN.DLL +++ File read error
    \\?\C:\WINDOWS\System32\LOGBKNN.DLL +++ File read error


    *List of top level windows:
    HWND PID PRIO TITLE
    802c8 2564 norm SysFader
    10064 2564 norm Start-meny
    10062 2564 norm CiceroUIWndFrame
    30022 2564 norm _Shell_TrayWnd
    502ce 2564 norm SysFader
    201fa 2200 norm SysFader
    200e0 616 norm Norton AntiVirus
    100ac 2760 norm CiceroUIWndFrame
    100aa 2760 norm TF_FloatingLangBar_WndTitle
    1001e 1304 high NetDDE Agent
    400b2 2880 norm Send/motta
    702dc 2912 norm C:\WINDOWS\System32\cmd.exe
    902e6 2564 norm dllfix
    20222 2200 norm Wilders Security Forums - Hijacking problem - Microsoft Internet Explorer
    70310 2564 norm Acrobat IEHelper
    100f8 2880 norm Innboks - Microsoft Outlook
    102be 2200 norm MCI command handling window
    102a8 2200 norm DDE Server Window
    102a4 2200 norm Acrobat IEHelper
    101aa 2880 norm Fremdrift for sending/mottak i Outlook
    201d0 2564 norm HiddenFaxWindow
    101e8 2540 norm Sign On
    101dc 2540 norm DDE Server Window
    101d2 3856 norm MSNMSGRPassportLogin
    101cc 3856 norm MSBLNetConn
    101a2 2732 norm DDE Server Window
    1015e 2564 norm MCI command handling window
    100ba 2804 norm About WinZip Quick Pick
    1016e 2880 norm DDE Server Window
    1014a 3740 norm Auto Update Client Window
    10142 2564 norm Connections Tray
    1012c 2880 norm WMS ST Notif Window 00000B40 000009C0
    1012a 2880 norm WMS Idle
    2011e 316 norm Dell Media Experience
    10104 3856 norm ActiveMovie Window
    10100 3856 norm ActiveMovie Window
    100e2 2564 norm Strømmåler
    100de 3856 norm MSP PNP Notification Window
    100dc 2880 norm W
    100d4 2880 norm Microsoft Outlook
    100b8 3856 norm CRTCClient
    100b6 3856 norm CRTCIMService
    100a4 2120 norm dlbfbmon
    100a0 1064 norm QTPlayer Tray Icon
    100a2 2564 norm MS_WebcheckMonitor
    1009a 928 norm DVDSentry
    20090 3856 norm DDE Server Window
    10094 616 norm ccApp
    10086 2568 norm DLBFBMGR
    20084 2620 norm Notification Wnd for RNAdmin
    1009c 2564 norm SysFader
    20230 2732 norm GDI+ Window
    20264 2732 norm Nytt tomt dokument
    2025c 2732 norm Fil
    20262 2732 norm Hyperkobling-hurtigmeny
    20260 2732 norm Hyperkobling-hurtigmeny
    2025e 2732 norm Hyperkobling-hurtigmeny
    300b4 2732 norm computerproblem - Microsoft Word
    30280 2732 norm Fil
    30278 2732 norm Fil
    30274 2732 norm Fil
    30276 2732 norm Fil
    301e2 2732 norm computer2 - Microsoft Word
    10066 2564 norm Program Manager
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    @=""

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{D39EEDAF-8622-4C2B-9D95-3F7ABFC726FE}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{D39EEDAF-8622-4C2B-9D95-3F7ABFC726FE}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
    "CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Brukere
    (ID-IO) ALLOW Read BUILTIN\Brukere
    (ID-NI) ALLOW Full access BUILTIN\Administratorer
    (ID-IO) ALLOW Full access BUILTIN\Administratorer
    (ID-NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
    (ID-IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
    (ID-IO) ALLOW Full access OPPRETTER EIER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Brukere
    Full access BUILTIN\Administratorer
    Full access NT-MYNDIGHET\SYSTEM


    
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ok Thnx,

    Follow these steps now :

    run start.bat again and choose option 2.

    Hit '1' and enter dll name manually :

    C:\WINDOWS\System32\LOGBKNN.DLL and hit enter

    Finally download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

    Open HijackThis and fix the following if present :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {0B657FF2-4FDE-4E05-9069-8971232E2447} - C:\WINDOWS\System32\hnjdba.dll

    Restart PC in Safe Mode : Here's How

    Do a find files (start -> search -> files...) for this dll :

    system32.dll

    When found, right-click and remove

    Clean temp internet files

    Restart again in normal mode

    Update XP and IE to get the latest essential patches at windowsupdate.com

    Finally post a new hijackthis log

    Thnx

    Cheers,
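
An added example, not part of any post in this thread: a small Python triage of HijackThis output that groups the IE settings served from a `res://` page inside a DLL with the BHO entry backed by the same DLL, and lists `(no file)` entries. The sample lines are copied from the first log above; the function names `triage` and `review_list` are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the first HijackThis log in this thread (a subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hnjdba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B657FF2-4FDE-4E05-9069-8971232E2447} - C:\WINDOWS\System32\hnjdba.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
"""

RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
BHO = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def triage(log_text):
    """Group IE settings that point into a DLL with the BHO backed by that DLL."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    dlls = defaultdict(lambda: {"settings": [], "bho_clsids": []})
    orphans = []

    # Pass 1: R0/R1 values served from a res:// resource inside a DLL.
    for ln in lines:
        m = RES_DLL.search(ln) if ln.startswith(("R0 - ", "R1 - ")) else None
        if m:
            # "R1 - HKCU\...\Main,Search Bar = res://..." -> "HKCU\...\Main,Search Bar"
            setting = ln.split(" = ", 1)[0].split(" - ", 1)[1]
            dlls[m.group(1).lower()]["settings"].append(setting)

    # Pass 2: BHOs backed by one of those DLLs, and entries whose file is gone.
    for ln in lines:
        m = BHO.match(ln)
        if m and m.group(2).strip().lower() in dlls:
            dlls[m.group(2).strip().lower()]["bho_clsids"].append(m.group(1))
        if ln.endswith("(no file)"):
            orphans.append(ln)

    return {"dlls": dict(dlls), "orphans": orphans}


def review_list(log_text):
    """Readable summary: one line per correlated DLL or orphaned entry."""
    result = triage(log_text)
    out = []
    for path, info in sorted(result["dlls"].items()):
        out.append("%s: %d IE setting(s), BHO CLSID(s): %s" % (
            path, len(info["settings"]), ", ".join(info["bho_clsids"]) or "none"))
    out.extend("orphaned entry: " + ln for ln in result["orphans"])
    return out


if __name__ == "__main__":
    for line in review_list(SAMPLE_LOG):
        print(line)
```

Paths are compared case-insensitively; an 8.3 short path such as `C:\PROGRA~1\...` is not expanded, so a DLL referenced once by long name and once by short name would not be matched.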
     
  5. BruceNilsen

    BruceNilsen Registered Member

    Joined:
    May 23, 2004
    Posts:
    3
    Hi,

    After following those instructions I was unable to post here - IE would close if I tried. The same happened when I tried to get patches at windowsupdate. When the computer kept crashing, I called Dell tech support and was told to reinstall the operating system, and that this would eliminate any spyware on the computer. I did reinstall the operating system, but Spybot and Ad-Aware have already removed several things from the computer, though I'm not sure if they're spyware or what they are. Can spyware remain on a computer even if you've reinstalled the operating system? In any case, here is my current HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:06:00 PM, on 5/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Programfiler\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Dell AIO Printer A960\dlbfbmgr.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Programfiler\Dell AIO Printer A960\dlbfbmon.exe
    C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\CTFMON.EXE
    C:\Programfiler\Messenger\msmsgs.exe
    C:\Programfiler\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Programfiler\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Bruce\Lokale innstillinger\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1044
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Programfiler\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Oppslag (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/288e7bb26927754cb505/netzip/RdxIE601.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi BruceNilsen,

    Both AdAware and Spybot S&D will warn you about several privacy risks that are present in a fresh Windows install.
    I think that is what you saw.
    No spyware that I know of survives a format.

    Regards,

    Pieter
     