Demus

Secure.html set as default IE page

27 posts in this topic

Ok, simple problem, apparently, though I've tried numerous things to no avail, including running Spybot (clean eventually), Ad-Aware (clean eventually), VX2Finder (found nothing), HijackThis (can fix, but it just reoccurs) and my virus guard's scan (PC-cillin, which found numerous viruses, all quarantined, all trojans, but takes 1 1/2 hours to run so I'm reluctant to do so again).

 

The problem is this - every time I open IE it resets the start page to one named 'Secure.html' that is stored, and recreated, in my Windows folder. Upon leaving that page to go to another, it creates a full screen, unpleasant (*cough*) pop up. If I change the start webpage, it just resets it to that. If I clean it with HijackThis, on opening a new IE window, it's back...hhheeeellllppppp >.<

 

 

Here's my current HijackThis log -

 

Logfile of HijackThis v1.97.7

Scan saved at 18:39:47, on 26/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3Trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.EXE

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\WINDOWS\explorer.exe

C:\Stevens games\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.101/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.3276388889

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS10\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS11\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS12\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS13\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS14\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS15\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS16\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS17\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS18\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS19\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS20\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS21\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS22\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS23\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS24\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS25\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS26\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS27\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS28\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS29\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS30\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS31\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS32\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS33\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,213.120.62.99

O17 - HKLM\System\CS34\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS35\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS36\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS37\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS38\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS39\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

 

 

Thanks in advance for any help at all

 

Demus


Check the following items in HiJackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

 

(Unless you put these entries there, I suggest they be removed. If needed, they can be restored by HiJackThis.)

O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS10\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS11\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS12\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS13\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS14\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS15\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS16\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS17\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS18\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS19\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS20\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS21\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS22\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS23\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS24\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS25\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS26\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS27\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS28\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS29\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS30\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS31\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS32\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS33\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,213.120.62.99

O17 - HKLM\System\CS34\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS35\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS36\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS37\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS38\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS39\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

 

 

Close all open windows except HiJackThis and press 'Fix Checked'.

 

Reboot.

 

Run HiJackThis again and post a new log in this thread.
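
The fix-then-rescan check requested above can be automated by comparing the entries selected for 'Fix Checked' with the follow-up log; anything that returns points to a component still running and rewriting the settings. The following is an added example, not part of the original thread: the function names are hypothetical and the two sample texts are constructed from lines that appear in this thread.

```python
import re
from collections import defaultdict

# A HijackThis result line is "<section code> - <details>",
# e.g. "R0 - HKCU\...\Main,Start Page = C:\WINDOWS\secure.html".
ENTRY = re.compile(r'^(R[0-3]|O\d{1,2}) - (.+)$')


def parse_entries(text):
    """Return {normalized_key: cleaned_line} for every result line in a log or fix list."""
    entries = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())   # collapse whitespace left by forum copy/paste
        m = ENTRY.match(line)
        if not m:
            continue                   # header, process list, blank line or prose
        code, details = m.groups()
        # Registry and Windows file paths are case-insensitive: compare casefolded.
        entries[(code, details.casefold())] = line
    return entries


def compare_fix_to_followup(fixed_text, followup_text):
    """Split the fixed entries into those present again in the follow-up log and those gone."""
    fixed = parse_entries(fixed_text)
    after = parse_entries(followup_text)
    result = {"reappeared": [], "stayed_removed": []}
    for key, line in fixed.items():
        bucket = "reappeared" if key in after else "stayed_removed"
        result[bucket].append(line)
    return result


def reappeared_by_section(result):
    """Group reappearing entries by HijackThis section code (R0, R1, O17, ...)."""
    grouped = defaultdict(list)
    for line in result["reappeared"]:
        grouped[line.split(" - ", 1)[0]].append(line)
    return dict(grouped)


# Constructed sample: three entries that were checked and fixed.
FIXED_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
"""

# Constructed sample: excerpt of a log taken after the reboot.
FOLLOWUP_SAMPLE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page   =   c:\windows\SECURE.HTML
O4 - HKLM\..\Run: [POINTER] point32.exe
"""

if __name__ == "__main__":
    outcome = compare_fix_to_followup(FIXED_SAMPLE, FOLLOWUP_SAMPLE)
    for section, lines in reappeared_by_section(outcome).items():
        print(f"{section}: {len(lines)} fixed entries are back")
        for entry in lines:
            print("   ", entry)
    for entry in outcome["stayed_removed"]:
        print("gone:", entry)
```
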


Ok, firstly, I've removed the top things you mentioned, at least 10 times, each time they re-create (this time no different, even with your second piece of advice). Removing the bottom ones removed my computer from our home network and prevented all connections, the IP in them is our home server's IP, so I had to restore them all...but while it was down, I tried opening an IE window and it still came up Secure.html, and with the pop up (albeit unable to load that)

 

All that aside, here is a new log, practically identical, if not completely, to the old, and with the Secure.html thing yet again replicated just moments after removing. It APPEARS (can't be sure) that it resets the Secure.html every time I open an IE window and possibly (not sure) when I hit home after changing my homepage also.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 03:48:43, on 02/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\Stevens games\Hijack This\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.101/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.3276388889

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

 

 

Thanks, Demus


OK and thanks. Now to find out how the entries are coming back:

 

First:

Would you please use HiJackThis to produce a startup list and post it here:

1. From HJT main screen, click 'Config' button

2. Click 'Misc Tools' button

3. Under 'Generate StartupList Log' button, check both boxes

4. Click 'Generate StartupList Log' button

5. Click 'Yes' in the next dialog

6. Save the log and post a copy in this thread.

 

 

Second:

Download this file:

www.zerosrealm.com/downloads/pv.zip

 

Unzip to the desktop (It will create its own folder)

 

Open the PV folder and double click on runme.bat

 

Select Option 2 and post the log in this thread.

 

Run runme.bat again and Select Option 8 then Option 4 and post the log in this thread.


First thing ya wanted (Hijack this start up list):

 

 

StartupList report, 02/07/2004, 04:07:54

StartupList version: 1.52

Started from : C:\Stevens games\Hijack This\HijackThis.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\Stevens games\Hijack This\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Stevens games\Games\NWN\nwmain.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

Real-time Monitor.lnk = ?

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

InCD = C:\Program Files\ahead\InCD\InCD.exe

Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

WebTrapNT.exe = "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

WinFast_2K = C:\WINDOWS\System32\WF2K.EXE

WinFast2KLoadDefault = rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

MBM 5 = "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

POINTER = point32.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

Start WingMan Profiler =

msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

Steam =

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\ssmyst.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[Checkers Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll

CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

 

[Macromedia Authorware Web Player Control]

InProcServer32 = C:\WINDOWS\System32\macromed\authorwa\awswax.ocx

CODEBASE = http://194.105.69.101/dpec/shared/cabs/awswaxf.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

 

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

 

[MessengerStatsClient Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll

CODEBASE = http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7561.3276388889

 

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

 

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\FLASH.OCX

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

System: C:\WINDOWS\system32\system32.dll

 

--------------------------------------------------

End of report, 6,396 bytes

Report generated in 0.100 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

 

 

 

Second thing (option 2):

 

 

 

Module information for 'iexplore.exe'

MODULE BASE SIZE PATH

iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer

ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL

kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL

USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL

GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL

ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API

RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime

SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library

IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL

LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack

USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0409.2600.1106 (xpsp1.020828-1920) Uniscribe Unicode script processor

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library

SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library

ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows

uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library

POINT32.dll 61210000 61440 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll 4.10.0851.0 Microsoft IntelliPoint

JavaHookNT.DLL 10000000 86016 C:\Program Files\Trend Micro\PC-cillin 2000\JavaHookNT.DLL 7.61.0.1454 JavaHook

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

WSOCK32.DLL 71ad0000 32768 C:\WINDOWS\System32\WSOCK32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL

BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library

appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library

CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53

OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

msctfime.ime dd0000 176128 C:\WINDOWS\System32\msctfime.ime 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Text Frame Work Service IME

Msimtf.dll 746f0000 155648 C:\WINDOWS\System32\Msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL

SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API

WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32

CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

shdoclc.dll 718c0000 540672 C:\WINDOWS\System32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library

AcroIEHelper.dll 21f0000 49152 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX

SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5

urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32

mlang.dll 70440000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2800.1106 Multi Language Support DLL

mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Microsoft ® HTML Viewer

msi.dll 2df0000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer

MSH_ZWF.dll 61220000 73728 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll 4.10.0851.0 Microsoft IntelliPoint

jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft ® JScript

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

MOUDL32A.DLL 3230000 61440 C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUDL32A.DLL 3, 0, 2, 0 WIN32 Mouse Dynamic Link Library

WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL

wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper

msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper

MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter

midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider

wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL

RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API

rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager

NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL

TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows Telephony API Client DLL

rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL

USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv

rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper

DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL

winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL

WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL

actxprxy.dll 703d0000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library

plugin.ocx 3ed0000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX

itss.dll 65e20000 135168 C:\WINDOWS\System32\itss.dll 5.2.3644.0 Microsoft® InfoTech Storage System Library

inetcomm.dll 5ec00000 610304 C:\WINDOWS\System32\inetcomm.dll 6.00.2800.1409 Microsoft Internet Messaging API

MSOERT2.dll 3ef0000 126976 C:\WINDOWS\System32\MSOERT2.dll 6.00.2800.1123 Microsoft Outlook Express RT Lib

inetres.dll 4890000 57344 C:\WINDOWS\System32\inetres.dll 6.00.2800.1123 Microsoft Internet Messaging API Resources

msjava.dll 7c000000 958464 C:\WINDOWS\System32\msjava.dll 5.00.3810 Microsoft® VM

VMHELPER.DLL 7c520000 294912 C:\WINDOWS\System32\VMHELPER.DLL 5.00.3810 Microsoft® VM Helper Library

imgutil.dll 66880000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2800.1106 (xpsp1.020828-1920) IE plugin image decoder support DLL

MSDBG.DLL 4aa00000 86016 C:\WINDOWS\System32\MSDBG.DLL 6.00.8146 Active Debugging Proxy/Stub

PDM.DLL 4a000000 180224 C:\WINDOWS\System32\PDM.DLL 6.00.8169 Process Debug Manager

JAVALE.DLL 4ac00000 233472 C:\WINDOWS\System32\JAVALE.DLL 6.00.8163 Java Language Engine

mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft ® HTML Editing Component

iphlpapi.dll 76d60000 94208 C:\WINDOWS\System32\iphlpapi.dll 5.1.2600.2 (xpsp1.020828-1920) IP Helper API

MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL

drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider

ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager

NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes

NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes

NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL

SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL

davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL

MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL

WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library

ODBC32.dll 5210000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager

comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL

odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources

sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.1106 (xpsp1.020828-1920) Still Image Devices client DLL

CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL

ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing

ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)

LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking

 

 

 

 

And the final thing (picking 8 then 4):

 

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]

"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/plain]

"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

 

 

 

Thanks a lot for the fast response, Demus


No, amateur spyware removers can cause more problems than they fix. Great if it works for them.

 

Thanks for the info. The last one with Protocol info is pointing in a direction to follow.

 

Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.

 

regedit /e reginfo.txt "HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
Start notepad.exe reginfo.txt
exit

 

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.

 

Copy and paste the contents of that entire file in this thread.

 

 

Also, could you please zip and email C:\WINDOWS\secure.html to me please.

 

Mail to: Submit@LoPhatPhuud.com


Here's the log it made -

 

 

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}]

@="WebView MIME Filter"

 

[HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}\InProcServer32]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\

45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

"ThreadingModel"="Apartment"

 

 

 

File on its way now. Demus

Edited by Demus


I gotta head to bed. Will check for new replies on waking (bout 8 hours from now)

 

Thanks again for all the help so far :)

 

Demus


Got the file and thanks. One other thing to run for me, please. Also, I will be tied up in the morning so it may be until mid-afternoon before I am online. That's about 14 hours from the time of this post.

 

 

Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat.

 

regedit /e reginfo.txt "HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"
Start notepad.exe reginfo.txt
exit

 

Double-click on the reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.

 

Copy and paste the contents of that entire file in this thread.


While you are doing that, try this too.

 

Download this file:

www.zerosrealm.com/downloads/pv.zip

 

Unzip to the desktop (It will create its own folder)

 

Open the PV folder and double click on runme.bat

 

Select Option 2 and post the log in this thread.

 

Run runme.bat again and Select Option 8 then Option 4 and post the log in this thread.

 


Log from latest reginfo.bat -

 

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}]

 

[HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}\InProcServer32]

@="C:\\WINDOWS\\System32\\npeekca.dll"

"ThreadingModel"="Apartment"

 

 

The second thing I believe I already did? I'll do it again if you want though?

 

Demus


OK, we are making progress:

 

First:

Launch Notepad, and copy/paste the bold below into a new text file. Save it as fixme.reg and save it on your Desktop.

 

REGEDIT4

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

 

Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

 

 

Second:

Please Zip and email this file to me: C:\WINDOWS\System32\npeekca.dll

email address: Submit AT LoPhatPhuud.com (replace AT with @)

 

Then Boot into safe mode and delete this file:

C:\WINDOWS\System32\npeekca.dll

 

Reboot in Normal Mode

 

 

Third:

Run HiJackThis

 

Check the following Items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

 

Close all open windows except HiJackThis and press 'Fix Checked'

 

 

Fourth:

Reboot

 

Run HiJackThis and post a new log in this thread.

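The lookup chain followed in the posts above (a PROTOCOLS\Filter entry, its CLSID, then that CLSID's InProcServer32 DLL), as an added example that is not part of the original thread: a small parser for regedit version 5.00 exports that decodes `hex(2)` values and resolves every MIME filter to the DLL it loads. The names `parse_reg`, `audit_mime_filters` and `WATCHED` are hypothetical, and using the three MIME types from fixme.reg as the watch list is an assumption.

```python
import re

# Constructed sample: stitched together from the three regedit exports posted
# in this thread (Filter listing plus the two CLSID lookups), trimmed to the
# keys the audit needs.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/html]
"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/plain]
"CLSID"="{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\CLSID\{733AC4CB-F1A4-11d0-B951-00A0C90312E1}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
  45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{5BBA954B-0B74-4CCA-B565-0E86B3B9EB6F}\InProcServer32]
@="C:\\WINDOWS\\System32\\npeekca.dll"
"ThreadingModel"="Apartment"
'''

# Assumption: watch the three MIME types that fixme.reg in this thread deletes.
WATCHED = {"text/html", "text/plain", "text/xml"}
FILTER_ROOT = "hkey_classes_root\\protocols\\filter\\"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r"^hex\(([0-9a-f]+)\):(.*)$", re.I)


def _unquote(quoted):
    """Strip the surrounding quotes and undo the \\\\ and \\" escapes."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def decode_value(raw):
    """Decode a .reg value: quoted string, or hex(1/2/7) UTF-16LE string data."""
    if raw.startswith('"'):
        return _unquote(raw)
    m = HEX_RE.match(raw)
    if m and m.group(1) in ("1", "2", "7"):  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
        data = bytes.fromhex(m.group(2).replace(",", " "))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword and binary values are left as written


def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: decoded value}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1)).lower()
            current[name] = decode_value(m.group(2))  # "" is the default value
    return keys


def audit_mime_filters(text):
    """Resolve each PROTOCOLS\\Filter entry to the DLL its CLSID loads."""
    keys = parse_reg(text)
    findings = []
    for key, values in keys.items():
        if not key.startswith(FILTER_ROOT) or "clsid" not in values:
            continue
        clsid = values["clsid"]
        server_key = "\\".join(
            ("hkey_classes_root", "clsid", clsid.lower(), "inprocserver32"))
        findings.append({
            "mime": key[len(FILTER_ROOT):],
            "clsid": clsid,
            # None means the CLSID key is not in this export and must be
            # exported separately before the filter can be judged.
            "server": keys.get(server_key, {}).get(""),
            "watched": key[len(FILTER_ROOT):] in WATCHED,
        })
    return sorted(findings, key=lambda f: f["mime"])


if __name__ == "__main__":
    for f in audit_mime_filters(SAMPLE_EXPORT):
        flag = "REVIEW" if f["watched"] else "ok    "
        print(flag, f["mime"], f["clsid"], f["server"])
```

Both DLLs resolve to a path under System32, so the file location alone does not separate the two filters; the MIME type the filter is bound to and the unfamiliar DLL name are what stand out.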

Npeekca.dll doesn't appear to exist, I've searched through the folder you say it should be in and no luck, running a full Windows search for it now.

 

Demus


OK, then do all the other steps and post a new HiJackThis log.

 

Also run PV again using Option 8, Option 4 and post log


Done the registry thing, and cleared out the stuff on Hijack this. Here's the Hijack this log -

 

 

Logfile of HijackThis v1.97.7

Scan saved at 02:10:40, on 03/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Stevens games\Games\NWN\nwmain.exe

C:\Stevens games\Hijack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.101/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.3276388889

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

 

 

 

 

And the registry log

 

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\FILTER\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

 

Demus

Edited by Demus


OK, progress, I think.

 

Check the following items in HiJackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

 

Close all open windows and press 'Fix Checked'

 

Reboot.

 

Please post another HiJackThis Log in this thread.


Just replicated again. Here's the log, identical to the last :(

 

 

Logfile of HijackThis v1.97.7

Scan saved at 02:54:13, on 03/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\Stevens games\Hijack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.101/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.3276388889

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

 

 

Demus


Two things to do:

First, download and install the new version of HiJackThis:

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html

 

Run it and post a new log in this thread. It has additional information.

 

Then:

Download FindnFix.exe from here:

http://freeatlast100.100free.com/index.html or

http://downloads.subratam.org/FINDnFIX.exe

 

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

 

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

Relax, sit back and wait a few minutes while the program collects the necessary information.

 

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the FindnFix folder.

1. Post the contents of Log.txt in this thread.

2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)


Hijack this log -

 

 

Logfile of HijackThis v1.98.0

Scan saved at 20:43:38, on 04/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Stevens games\Games\NWN\nwmain.exe

C:\Stevens games\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.101/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\msref.dll

O21 - SSODL: System - {BA2486D7-FE06-4F59-A9D8-A96B49F4605D} - C:\WINDOWS\system32\system32.dll

 

 

 

Other to follow shortly, have to do a few things before I can close all my windows down

 

Thanks again, Demus


OK, I will hold off replying until the log for FindnFix is posted.


Sorry it took so long, a few things came up. So, finally, here's the log :)

 

 

 

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q328970-Q324929-Q810847-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167

The type of the file system is NTFS.

C: is not dirty.

 

05/07/2004

4:32am up 1 day, 11:48

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

 

»»»»»(***5***)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs =

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group XP\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Notepad check....

 

C:\WINDOWS\

notepad.exe Sat 18 Aug 2001 13:00:00 A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

 

No matches found.

 

C:\WINDOWS\SYSTEM32\DLLCACHE\

notepad.exe Sat 18 Aug 2001 13:00:00 A.... 66,048 64.50 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 66,048 bytes 64.50 K

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe

Language 0x0409 (English (United States))

CharSet 0x04b0 Unicode

OleSelfRegister Disabled

CompanyName Microsoft Corporation

FileDescription Notepad

InternalName Notepad

OriginalFilenam NOTEPAD.EXE

ProductName Microsoft® Windows® Operating System

ProductVersion 5.1.2600.0

FileVersion 5.1.2600.0 (xpclient.010817-1148)

LegalCopyright © Microsoft Corporation. All rights reserved.

 

VS_FIXEDFILEINFO:

Signature: feef04bd

Struc Ver: 00010000

FileVer: 00050001:0a280000 (5.1:2600.0)

ProdVer: 00050001:0a280000 (5.1:2600.0)

FlagMask: 0000003f

Flags: 00000000

OS: 00040004 NT Win32

FileType: 00000001 App

SubType: 00000000

FileDate: 00000000:00000000

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x XP\Steven

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: XP\Steven

 

Primary Group: XP\None

 

 

 

»»»»»»Backups created...»»»»»»

4:33am up 1 day, 11:50

05/07/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 07-05-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-05-2004 winkey.reg

 

»»Performing 16bit string scan....

00001150: vk f AppInit_DLLs G

00001190: h vk UDeviceNotSelectedTimeout 1 5

000011D0: P 9 0 vk ' zGDIProcessHandle

00001210:Quota" vk 8 Spooler2 y e s _ h

00001250: ` vk 5swapdisk vk

00001290: . TransmissionRetryTimeout h `

000012D0: vk ' USERProcessHandleQuota,

00001310:

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

 

**File C:\FINDnFIX\WIN.TXT

regf

 

 

 

 

And the other, if there's a way to attach I can't find it, and it doesn't seem to copy, should I send you it instead?

 

Demus (*now going to bed*)


First:

Launch Notepad, and copy/paste the bold below into a new text file. Save it as fixme.reg and save it on your Desktop.

 

REGEDIT4

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

 

Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

 

 

Second:

Launch Notepad, and copy/paste the bold below into a new text file.

Save it as fixsearch.reg (Change the 'Save As Type' to 'All Files').

Save it in C:\

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]

[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]

[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Locate it (in C:\) and double-click on it (launch it).

You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".

 

Reboot.

 

 

Third:

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

 

Check the following items in HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

O21 - SSODL: System - {BA2486D7-FE06-4F59-A9D8-A96B49F4605D} - C:\WINDOWS\system32\system32.dll

 

 

 

 

Close all windows except HijackThis and click Fix checked.

 

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)

C:\WINDOWS\system32\system32.dll

 

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

**Show Hidden and System files and folders

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

 

Reboot in normal mode.

 

 

HiJackThis version 198.0 is now available.

If you do already have it installed, download it from here:

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html

 

Then run HiJackThis again and post a new log in this thread.

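The before/after log comparison that this thread does by eye, as an added example that is not part of the original posts or of HijackThis itself. The log excerpts are constructed from lines posted in this thread, and the two triage rules (an IE page value that is a local file, and any O21 SSODL entry) are assumptions chosen to fit this case.

```python
import re

# Constructed excerpts modelled on the "before" and "after" HijackThis logs in this thread.
BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\msref.dll
O21 - SSODL: System - {BA2486D7-FE06-4F59-A9D8-A96B49F4605D} - C:\WINDOWS\system32\system32.dll
"""

AFTER = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\msref.dll
"""

# A scan entry is "<section code> - <body>", e.g. "R0 - ..." or "O21 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A drive-letter path or file: URL where a web address is expected.
LOCAL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|file:)", re.IGNORECASE)
SSODL_RE = re.compile(r"^SSODL: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def parse_log(text):
    """Return (code, body) pairs for scan entries, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Return a reason string if the entry deserves review, else None."""
    code, body = entry
    if code in ("R0", "R1") and " = " in body:
        _key, value = body.rsplit(" = ", 1)
        if LOCAL_PATH_RE.match(value):
            return "IE page setting points at a local file: " + value
    if code == "O21":
        # ShellServiceObjectDelayLoad values are loaded by Explorer at startup.
        m = SSODL_RE.match(body)
        if m:
            return "Explorer autoload (SSODL) " + m.group(2) + " -> " + m.group(3)
        return "unparsed SSODL entry"
    return None


def compare(before_text, after_text):
    """Summarise what a fix removed and which flagged entries survived it."""
    before, after = parse_log(before_text), parse_log(after_text)
    after_set = set(after)
    return {
        "flagged_before": [e for e in before if triage(e)],
        "removed": [e for e in before if e not in after_set],
        "flagged_after": [e for e in after if triage(e)],
    }


if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    for name, entries in result.items():
        print(name)
        for code, body in entries:
            print("  %s - %s" % (code, body))
```

An empty `flagged_after` list only shows that the entries are gone from the log; a hijacker that restores them would show up in a later scan, which is why a follow-up log is worth taking.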

Oooooooooooooo it might even be gone!! :D

 

The log you requested, and it also opens IE to the right page now!

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 18:40:09, on 05/07/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Stevens games\Hijack This\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Stevens games\Yahoo\Messenger\yhexbmes0819.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://194.105.69.101/dpec/shared/cabs/awswaxf.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS2\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS3\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS4\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS5\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS6\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS7\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS8\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O17 - HKLM\System\CS9\Services\Tcpip\..\{445BB474-5821-4C7F-9577-586EE34076F9}: NameServer = 192.168.1.1,0.0.0.0

O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\msref.dll

 

 

 

 

Thanks!

 

Demus


Demus,

 

We can certainly hope that we have it. I will leave this thread open for the time being in the event it comes back. I don't think it will though.
