
Secure.html set as default IE page


26 replies to this topic

#1 Demus

Demus

    Member

  • Full Member
  • 16 posts

Posted 26 June 2004 - 01:24 PM

Ok, simple problem, apparently, though I've tried numerous things to no avail, including running Spybot (clean eventually), Ad-Aware (clean eventually), VX2Finder (found nothing), HijackThis (can fix, but it just recurs) and my virus guard's scan (PC-cillin, which found numerous viruses, all quarantined, all trojans, but it takes 1 1/2 hours to run so I'm reluctant to do so again).

The problem is this - every time I open IE it resets the start page to one named 'Secure.html' that is stored, and recreated, in my Windows folder. Upon leaving that page to go to another, it creates a full-screen, unpleasant (*cough*) pop-up. If I change the start web page, it just resets it to that. If I clean it with HijackThis, on opening a new IE window it's back... hhheeeellllppppp >.<


Here's my current HijackThis log -

Logfile of HijackThis v1.97.7
Scan saved at 18:39:47, on 26/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3Trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\explorer.exe
C:\Stevens games\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.10...abs/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7561.3276388889
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS10\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS11\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS12\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS13\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS14\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS15\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS16\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS17\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS18\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS19\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS20\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS21\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS22\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS23\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS24\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS25\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS26\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS27\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS28\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS29\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS30\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS31\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS32\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS33\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,213.120.62.99
O17 - HKLM\System\CS34\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS35\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS36\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS37\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS38\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS39\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1


Thanks in advance for any help at all

Demus

#2 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 01 July 2004 - 08:24 PM

Check the following items in HiJackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

(Unless you put these entries there, I suggest they be removed. If needed, they can be restored by HiJackThis.)
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS10\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS11\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS12\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS13\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS14\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS15\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS16\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS17\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS18\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS19\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS20\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS21\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS22\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS23\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS24\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS25\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS26\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS27\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS28\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS29\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS30\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS31\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS32\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS33\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,213.120.62.99
O17 - HKLM\System\CS34\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS35\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS36\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS37\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS38\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS39\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1


Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.

Run HiJackThis again and post a new log in this thread.

Microsoft MVP Windows-Security 2005


When angry count four; when very angry, swear
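As an added illustration (not code from this thread, from HijackThis or from either poster), here is a small Python checker that reads the R0/R1 lines of a HijackThis log, flags the Internet Explorer page values that point at a file on disk instead of a URL, and groups them by hive and value name so that a path set in both HKCU and HKLM, as in Demus's log, stands out at a glance. The sample log text is constructed from the R lines posted above plus one O2 line for contrast, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the R0/R1 lines from the log posted above, plus one
# O2 line to show that non-R lines are ignored by the parser.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
"""

# HijackThis R0/R1 line layout: "<Rn> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\([^,]+),([^=]+?) = (.*)$")
# A drive-letter path, optionally behind a file:// scheme, is a local file.
LOCAL_FILE = re.compile(r"^(?:file:///?)?[A-Za-z]:\\", re.IGNORECASE)


@dataclass
class IEPageEntry:
    section: str   # "R0" or "R1"
    hive: str      # "HKCU" or "HKLM"
    key: str       # registry key below the hive
    name: str      # value name, e.g. "Start Page"
    value: str     # data HijackThis reported for it


def parse_r_entries(log_text: str) -> List[IEPageEntry]:
    """Extract every R0/R1 line; other HijackThis sections are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = R_LINE.match(raw.strip())
        if m:
            entries.append(IEPageEntry(*m.groups()))
    return entries


def is_local_file(value: str) -> bool:
    """True when an IE page value names a file on disk rather than a URL."""
    return bool(LOCAL_FILE.match(value.strip()))


def find_local_page_hijacks(entries: List[IEPageEntry]) -> List[IEPageEntry]:
    """Keep the entries whose start/default/local page is a local file.

    A stock IE install points these values at http URLs; a local HTML file
    under the Windows folder, as in the log above, is the symptom this
    thread is about and is worth reviewing."""
    return [e for e in entries if is_local_file(e.value)]


def summarize(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged local path to the sorted "<hive> <value name>" slots
    it occupies, so the same path set in HKCU and HKLM is easy to see."""
    report: Dict[str, List[str]] = {}
    for e in find_local_page_hijacks(parse_r_entries(log_text)):
        report.setdefault(e.value.strip(), []).append(f"{e.hive} {e.name}")
    return {path: sorted(slots) for path, slots in report.items()}


if __name__ == "__main__":
    for path, slots in summarize(SAMPLE_LOG).items():
        print(f"{path} is set as:")
        for slot in slots:
            print(f"  {slot}")
```

Running it over each log posted in turn shows at once whether the fixed values have come back after a reboot, which is the question the thread goes on to investigate; a value that returns within minutes of being removed points at something still running on the machine rather than at the registry entries themselves.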

#3 Demus

Demus

    Member

  • Full Member
  • 16 posts

Posted 01 July 2004 - 09:50 PM

Ok, firstly, I've removed the top things you mentioned at least 10 times; each time they re-create (this time no different, even with your second piece of advice). Removing the bottom ones removed my computer from our home network and prevented all connections; the IP in them is our home server's IP, so I had to restore them all... but while it was down, I tried opening an IE window and it still came up with Secure.html, and with the pop-up (albeit unable to load that).

All that aside, here is a new log, practically identical, if not completely, to the old, and with the Secure.html thing yet again replicated just moments after removing it. It APPEARS (can't be sure) that it re-sets Secure.html every time I open an IE window and possibly (not sure) when I hit Home after changing my homepage also.


Logfile of HijackThis v1.97.7
Scan saved at 03:48:43, on 02/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Stevens games\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.10...abs/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7561.3276388889
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0


Thanks, Demus

#4 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 01 July 2004 - 10:06 PM

OK and thanks. Now to find out how the entries are coming back:

First:
Would you please use HiJackThis to produce a StartupList log and post it here:
1. From HJT main screen, click 'Config' button
2. Click 'Misc Tools' button
3. Under 'Generate StartupList Log' button, check both boxes
4. Click 'Generate StartupList Log' button
5. Click 'Yes' in the next dialog
6. Save the log and post a copy in this thread.


Second:
Download this file:
www.zerosrealm.com/downloads/pv.zip

Unzip to the desktop (It will create its own folder)

Open the PV folder and double click on runme.bat

Select Option 2 and post the log in this thread.

Run runme.bat again and Select Option 8 then Option 4 and post the log in this thread.

#5 Demus

Demus

    Member

  • Full Member
  • 16 posts

Posted 01 July 2004 - 10:18 PM

First thing ya wanted (Hijack this start up list):


StartupList report, 02/07/2004, 04:07:54
StartupList version: 1.52
Started from : C:\Stevens games\Hijack This\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Stevens games\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Stevens games\Games\NWN\nwmain.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Real-time Monitor.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
InCD = C:\Program Files\ahead\InCD\InCD.exe
Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
WebTrapNT.exe = "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
WinFast_2K = C:\WINDOWS\System32\WF2K.EXE
WinFast2KLoadDefault = rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
MBM 5 = "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
POINTER = point32.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
Start WingMan Profiler =
msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Steam =

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...ry/msgrchkr.cab

[Macromedia Authorware Web Player Control]
InProcServer32 = C:\WINDOWS\System32\macromed\authorwa\awswax.ocx
CODEBASE = http://194.105.69.10...abs/awswaxf.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...StatsClient.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7561.3276388889

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
End of report, 6,396 bytes
Report generated in 0.100 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only




Second thing (option 2):



Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
POINT32.dll 61210000 61440 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll 4.10.0851.0 Microsoft IntelliPoint
JavaHookNT.DLL 10000000 86016 C:\Program Files\Trend Micro\PC-cillin 2000\JavaHookNT.DLL 7.61.0.1454 JavaHook
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WSOCK32.DLL 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
msctfime.ime dd0000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME
Msimtf.dll 746f0000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
shdoclc.dll 718c0000 540672 C:\WINDOWS\System32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
AcroIEHelper.dll 21f0000 49152 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
mlang.dll 70440000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Microsoft ® HTML Viewer
msi.dll 2df0000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
MSH_ZWF.dll 61220000 73728 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll 4.10.0851.0 Microsoft IntelliPoint
jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft ® JScript
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
MOUDL32A.DLL 3230000 61440 C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUDL32A.DLL 3, 0, 2, 0 WIN32 Mouse Dynamic Link Library
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows™ Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
actxprxy.dll 703d0000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
plugin.ocx 3ed0000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX
itss.dll 65e20000 135168 C:\WINDOWS\System32\itss.dll 5.2.3644.0 Microsoft® InfoTech Storage System Library
inetcomm.dll 5ec00000 610304 C:\WINDOWS\System32\inetcomm.dll 6.00.2800.1409 Microsoft Internet Messaging API
MSOERT2.dll 3ef0000 126976 C:\WINDOWS\System32\MSOERT2.dll 6.00.2800.1123 Microsoft Outlook Express RT Lib
inetres.dll 4890000 57344 C:\WINDOWS\System32\inetres.dll 6.00.2800.1123 Microsoft Internet Messaging API Resources
msjava.dll 7c000000 958464 C:\WINDOWS\System32\msjava.dll 5.00.3810 Microsoft® VM
VMHELPER.DLL 7c520000 294912 C:\WINDOWS\System32\VMHELPER.DLL 5.00.3810 Microsoft® VM Helper Library
imgutil.dll 66880000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2800.1106 (xpsp1.020828-1920) IE plugin image decoder support DLL
MSDBG.DLL 4aa00000 86016 C:\WINDOWS\System32\MSDBG.DLL 6.00.8146 Active Debugging Proxy/Stub
PDM.DLL 4a000000 180224 C:\WINDOWS\System32\PDM.DLL 6.00.8169 Process Debug Manager
JAVALE.DLL 4ac00000 233472 C:\WINDOWS\System32\JAVALE.DLL 6.00.8163 Java Language Engine
mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Editing Component
iphlpapi.dll 76d60000 94208 C:\WINDOWS\System32\iphlpapi.dll 5.1.2600.2 (xpsp1.020828-1920) IP Helper API
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
ODBC32.dll 5210000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.1106 (xpsp1.020828-1920) Still Image Devices client DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking




And the final thing (picking 8 then 4):


Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]
"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/plain]
"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"





Thanks a lot for the fast response, Demus

#6 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 01 July 2004 - 10:47 PM

Quick question, poking about and found this thread
http://www.spywarein...?showtopic=6498
checked my desktop and I have a homepage set as:

About:Home

and it is set to show offline. Would it be a good idea to follow the advice in the above post?

Edited by Demus, 01 July 2004 - 10:48 PM.


#7 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 01 July 2004 - 11:24 PM

No, amateur spyware removers can cause more problems than they fix. Great if it works for them.

Thanks for the info. The last one with Protocol info is pointing in a direction to follow.

Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.

regedit /e reginfo.txt "HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
Start notepad.exe reginfo.txt
exit

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.

Copy and paste the contents of that entire file in this thread.


Also, could you please zip and email C:\WINDOWS\secure.html to me.

Mail to: Submit@LoPhatPhuud.com
Microsoft MVP Windows-Security 2005


When angry count four; when very angry, swear

#8 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 01 July 2004 - 11:42 PM

Here's the log it made -



Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}]
@="WebView MIME Filter"

[HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"



File on its way now. Demus

Edited by Demus, 01 July 2004 - 11:42 PM.


#9 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 02 July 2004 - 12:41 AM

I gotta head to bed. Will check for new replies on waking (about 8 hours from now)

Thanks again for all the help so far :)

Demus

#10 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 July 2004 - 12:51 AM

Got the file and thanks. One other thing to run for me, please. Also, I will be tied up in the morning so it may be until mid-afternoon before I am online. That's about 14 hours from the time of this post.


Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.

regedit /e reginfo.txt "HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"
Start notepad.exe reginfo.txt
exit

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.

Copy and paste the contents of that entire file in this thread.

#11 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 July 2004 - 01:12 AM

While you are doing that, try this too.

Download this file:
www.zerosrealm.com/downloads/pv.zip

Unzip to the desktop (It will create its own folder)

Open the PV folder and double click on runme.bat

Select Option 2 and post the log in this thread.

Run runme.bat again and Select Option 8 then Option 4 and post the log in this thread.


#12 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 02 July 2004 - 10:48 AM

Log from latest reginfo.bat -


Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}]

[HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}\InProcServer32]
@="C:\\WINDOWS\\System32\\npeekca.dll"
"ThreadingModel"="Apartment"


The second thing I believe I already did? I'll do it again if you want, though.

Demus

#13 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 July 2004 - 05:41 PM

OK, we are making progress:

First:
Launch Notepad, and copy/paste the bold below into a new text file. Save it as fixme.reg and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Second:
Please Zip and email this file to me: C:\WINDOWS\System32\npeekca.dll
email address: Submit AT LoPhatPhuud.com (replace AT with @)

Then Boot into safe mode and delete this file:
C:\WINDOWS\System32\npeekca.dll

Reboot in Normal Mode


Third:
Run HiJackThis

Check the following Items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

Close all open windows except HiJackThis and press 'Fix Checked'


Fourth:
Reboot

Run HiJackThis and post a new log in this thread.
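The sequence LoPhatPhuud is walking through here (export HKCR\PROTOCOLS\Filter, export the CLSID each filter points at, read its InProcServer32, then delete the filter keys) is worth understanding as a pattern: a MIME filter registered for text/html is loaded into Internet Explorer for every HTML page it renders, which is how a hijacker's DLL can keep rewriting the start page after HijackThis has fixed the R0/R1 lines, so the filter keys have to go before the start-page values are worth touching. The following is an added example, not code from this thread or from the PV or HijackThis tools, that performs that audit offline over regedit /e exports of the kind posted above: it parses the export format (including the wrapped hex(2) REG_EXPAND_SZ value from post #8), resolves each filter's CLSID to its server DLL, flags anything that is not a stock host, and writes a removal script in the shape of fixme.reg for the flagged entries only. FILTER_EXPORT and CLSID_EXPORT are constructed from the thread's own exports, trimmed; ASSUMED_SYSTEMROOT and the STOCK_FILTER_HOSTS allowlist are assumptions to adjust for the host under examination; all function names are mine.

```python
import re

# Constructed sample input: the PROTOCOLS\FILTER and CLSID exports quoted in this thread, trimmed.
FILTER_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]
"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/plain]
"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
"""
CLSID_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}]
@="WebView MIME Filter"

[HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
  45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}]

[HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}\InProcServer32]
@="C:\\WINDOWS\\System32\\npeekca.dll"
"""

FILTER_ROOT = "hkey_classes_root\\protocols\\filter\\"
ASSUMED_SYSTEMROOT = "C:\\WINDOWS"  # assumption for offline use; read %SystemRoot% on a live host
# Assumed allowlist of stock filter hosts (SHELL32.dll: the WebView filter in this thread; urlmon.dll: AP filters).
STOCK_FILTER_HOSTS = {"shell32.dll", "urlmon.dll"}

def _decode_value(value):
    """Decode the two encodings these exports use: quoted strings and hex(2) (REG_EXPAND_SZ)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in value[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")  # UTF-16LE, NUL-terminated
    return value

def parse_reg_export(text):
    """Parse the subset of the .reg format regedit /e emits into {lower-cased key: {name: value}}."""
    tree, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # regedit wraps long hex values; a trailing backslash means continued
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key names are case-insensitive
            tree.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            tree[current][name.strip('"').lower()] = _decode_value(value)
    return tree

def audit_filters(filter_reg, clsid_reg, system_root=ASSUMED_SYSTEMROOT):
    """Resolve each filter's CLSID to its InProcServer32 DLL and record why it looks odd."""
    filters, clsids = parse_reg_export(filter_reg), parse_reg_export(clsid_reg)
    findings = {}
    for key, values in filters.items():
        if not key.startswith(FILTER_ROOT) or "clsid" not in values:
            continue
        content_type, clsid, reasons = key[len(FILTER_ROOT):], values["clsid"], []
        clsid_key = "hkey_classes_root\\clsid\\" + clsid.lower()
        server = clsids.get(clsid_key + "\\inprocserver32", {}).get("@")
        if clsid_key not in clsids:
            reasons.append("CLSID not in export")  # export that CLSID next, as the thread does
        elif server is None:
            reasons.append("no InProcServer32")
        else:
            expanded = re.sub("%systemroot%", lambda _: system_root, server, flags=re.IGNORECASE)
            dll = expanded.rsplit("\\", 1)[-1].lower()
            if dll not in STOCK_FILTER_HOSTS:
                reasons.append(f"filter DLL {dll} is not a stock MIME filter host")
        findings[content_type] = {"clsid": clsid, "server": server, "reasons": reasons}
    return findings

def suspicious_filters(findings):
    return sorted(ct for ct, f in findings.items() if f["reasons"])

def removal_reg(findings):
    """REGEDIT4 script shaped like this thread's fixme.reg: delete only filters whose server DLL
    resolved to a non-stock host; unresolved CLSIDs are left for a closer look first."""
    lines = ["REGEDIT4", ""]  # regedit wants a blank line after the header
    for ct in sorted(findings):
        if any(r.startswith("filter DLL") for r in findings[ct]["reasons"]):
            lines.append("[-HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\" + ct + "]")
    return "\n".join(lines) + "\n"
```

Call audit_filters(FILTER_EXPORT, CLSID_EXPORT) and then suspicious_filters on the result to get the list to look at; on the sample it reports text/html and text/plain (resolving to npeekca.dll, as in post #12) plus deflate, whose CLSID is simply absent from the second export. removal_reg only emits entries whose DLL resolved to a non-stock host, so an unresolved CLSID is reported but never deleted until it has been exported and checked, which is the same one-key-at-a-time discipline the thread follows.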

#14 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 02 July 2004 - 05:52 PM

Npeekca.dll doesn't appear to exist, I've searched through the folder you say it should be in and no luck, running a full Windows search for it now.

Demus

#15 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 02 July 2004 - 06:30 PM

Nope, the file does not appear to exist no matter what I do...

Demus

#16 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 July 2004 - 07:54 PM

OK, then do all the other steps and post a new HiJackThis log.

Also run PV again using Option 8, Option 4 and post the log

#17 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 02 July 2004 - 08:11 PM

Done the registry thing, and cleared out the stuff in HijackThis. Here's the HijackThis log -


Logfile of HijackThis v1.97.7
Scan saved at 02:10:40, on 03/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Stevens games\Games\NWN\nwmain.exe
C:\Stevens games\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.10...abs/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7561.3276388889
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0




And the registry log


Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



Demus

Edited by Demus, 02 July 2004 - 08:25 PM.


#18 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 July 2004 - 08:49 PM

OK, progress, I think.

Check the following items in HiJackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html


Close all open windows and press 'Fix Checked'

Reboot.

Please post another HiJackThis Log in this thread.

#19 Demus

Demus

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 02 July 2004 - 08:55 PM

Just replicated again. Here's the log, identical to the last :(


Logfile of HijackThis v1.97.7
Scan saved at 02:54:13, on 03/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Stevens games\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.10...abs/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7561.3276388889
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0


Demus

#20 Demus

    Member

  • Full Member
  • 16 posts

Posted 04 July 2004 - 11:00 AM

So, uhm, any ideas?

Demus

#21 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 04 July 2004 - 01:15 PM

Two things to do:
First, download and install the new version of HiJackThis:
http://209.133.47.12.../HijackThis.exe
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Run it and post a new log in this thread. It has additional information.

Then:
Download FindnFix.exe from here:
http://freeatlast100....com/index.html or
http://downloads.sub...rg/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)
Microsoft MVP Windows-Security 2005


When angry count four; when very angry, swear

#22 Demus

    Member

  • Full Member
  • 16 posts

Posted 04 July 2004 - 02:44 PM

Hijack this log -


Logfile of HijackThis v1.98.0
Scan saved at 20:43:38, on 04/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Stevens games\Games\NWN\nwmain.exe
C:\Stevens games\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.10...abs/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\msref.dll
O21 - SSODL: System - {BA2486D7-FE06-4F59-A9D8-A96B49F4605D} - C:\WINDOWS\system32\system32.dll



Other to follow shortly, have to do a few things before I can close all my windows down.

Thanks again, Demus

#23 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 04 July 2004 - 09:26 PM

OK, I will hold off replying until the log for FindnFix is posted.

#24 Demus

    Member

  • Full Member
  • 16 posts

Posted 04 July 2004 - 10:40 PM

Sorry it took so long, a few things came up. So, finally, here's the log :)





»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q328970-Q324929-Q810847-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

05/07/2004
4:32am up 1 day, 11:48

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



»»»»»(***5***)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group XP\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Sat 18 Aug 2001 13:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Sat 18 Aug 2001 13:00:00 A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x XP\Steven
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: XP\Steven

Primary Group: XP\None



»»»»»»Backups created...»»»»»»
4:33am up 1 day, 11:50
05/07/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-05-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-05-2004 winkey.reg

»»Performing 16bit string scan....
00001150: vk f AppInit_DLLs G
00001190: h vk UDeviceNotSelectedTimeout 1 5
000011D0: P 9 0 vk ' zGDIProcessHandle
00001210:Quota" vk 8 Spooler2 y e s _ h
00001250: ` vk 5swapdisk vk
00001290: . TransmissionRetryTimeout h `
000012D0: vk ' USERProcessHandleQuota,
00001310:
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
fùAppInit_DLLsÖ?æG
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


**File C:\FINDnFIX\WIN.TXT
regf




And the other: if there's a way to attach it, I can't find it, and it doesn't seem to copy. Should I send it to you instead?

Demus (*now going to bed*)

#25 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 04 July 2004 - 11:00 PM

First:
Launch Notepad, and copy/paste the bold below into a new text file. Save it as fixme.reg and save it on your Desktop.

REGEDIT4
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Second:
Launch Notepad, and copy/paste the bold below into a new text file.
Save it as fixsearch.reg (Change the 'Save As Type' to 'All Files').
Save it in C:\

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Locate it (in C:\) and double-click on it (launch it).
You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".

Reboot.


Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O21 - SSODL: System - {BA2486D7-FE06-4F59-A9D8-A96B49F4605D} - C:\WINDOWS\system32\system32.dll




Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\system32\system32.dll

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 1.98.0 is now available.
If you do already have it installed, download it from here:
http://209.133.47.12.../HijackThis.exe
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Then run HiJackThis again and post a new log in this thread.
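A triage script for the HijackThis entries this thread turned on (the start pages pointing at C:\WINDOWS\secure.html, the O21 SSODL entry, the orphaned O9 button), added here as an example; it is not HijackThis, FindnFix or LoPhatPhuud's own code. The sample log is constructed from lines posted above, the function and class names are my own, and the REGEDIT4 fragment it emits follows the shape of the fixsearch.reg given in the post.

```python
"""Triage a HijackThis log for the indicators this thread turned on: IE
start/default pages redirected to a local file (the secure.html entries),
an O21 ShellServiceObjectDelayLoad entry, and orphaned O9 buttons."""
import re
from dataclasses import dataclass

# Constructed sample, assembled from lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O21 - SSODL: System - {BA2486D7-FE06-4F59-A9D8-A96B49F4605D} - C:\WINDOWS\system32\system32.dll
"""

LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path or file: URL, i.e. a page served from local disk.
LOCAL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|file:)", re.IGNORECASE)
SSODL_RE = re.compile(r"^SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - ")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "R0" or "O21"
    severity: str  # "high" or "low"
    reason: str
    line: str      # the log line that triggered the finding


def parse_log(text: str) -> list[tuple[str, str]]:
    """Return (section, body) for each entry line; the header and the
    'Running processes' block do not match LINE_RE and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def triage(text: str) -> list[Finding]:
    """Apply the thread's indicators and return the entries to review."""
    findings = []
    for sect, body in parse_log(text):
        line = f"{sect} - {body}"
        if sect in ("R0", "R1") and " = " in body:
            _, value = body.rsplit(" = ", 1)
            if LOCAL_PATH_RE.match(value.strip()):
                findings.append(Finding(sect, "high",
                    "IE start/default page points at a local file", line))
        elif sect == "O21":
            # SSODL entries are loaded by Explorer at every logon and are
            # rarely added by legitimate software, so each one is reviewed.
            findings.append(Finding(sect, "high",
                "ShellServiceObjectDelayLoad entry loads a DLL at logon", line))
        elif sect == "O9" and body.endswith("(no file)"):
            findings.append(Finding(sect, "low",
                "button points at a missing file (orphaned entry)", line))
    return findings


def reg_fix_for_ssodl(finding: Finding) -> str:
    """Build a REGEDIT4 fragment in the form used in this thread: delete
    the SSODL value and the CLSID it references. '' for other findings."""
    if finding.section != "O21":
        return ""
    m = SSODL_RE.match(finding.line.split(" - ", 1)[1])
    if not m:
        return ""
    return (
        "REGEDIT4\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
        "\\ShellServiceObjectDelayLoad]\n"
        f'"{m.group("name")}"=-\n'
        f'[-HKEY_CLASSES_ROOT\\CLSID\\{m.group("clsid")}]\n'
    )
```

Running `triage` over the post-fix log from the next post would leave only the low-severity O9 orphan, which is what that log still shows.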

#26 Demus

    Member

  • Full Member
  • 16 posts

Posted 05 July 2004 - 12:40 PM

Oooooooooooooo it might even be gone!! :D

The log you requested, and it also opens IE to the right page now!



Logfile of HijackThis v1.98.0
Scan saved at 18:40:09, on 05/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Stevens games\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.10...abs/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\msref.dll




Thanks!

Demus

#27 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 05 July 2004 - 02:49 PM

Demus,

We can certainly hope that we have it. I will leave this thread open for the time being in the event it comes back. I don't think it will though.