Daemon - - a new problem


13 replies to this topic

#1 Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 26 May 2004 - 01:48 PM

Daemon, I hope all is going well with you. I have been free of problems since you helped me a couple of weeks ago. I have hardly used my browser and have visited only secure sites. I was stunned this morning when I clicked on my browser and was redirected to a porn home page. I ran CWShredder again and it said there were no problems. My HijackThis file is set forth below. Why would my browser reset? There must be something hidden in my computer because I am certain since our last fix that I have not accessed any web site that could have triggered this hijack. I did get a virus notice this morning from Postini (the service that monitors incoming email for viruses). It looked to be related to another loveletter email, but I cannot see how that could have any effect since I did not open anything. Please help!!

Logfile of HijackThis v1.97.7
Scan saved at 11:40:07 AM, on 5/26/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\NSM\client32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\pmsvc.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\loadwc.exe
C:\Program Files\RightFax\faxctrl.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\SYSTEM32\NALWIN32.EXE
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Office\Office10\Outlook.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://inside.quarles.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inside.quarles.com;192.168.2.3
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://inside.quarles.com/
F1 - win.ini: load=launch.cmd
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [WSInst] C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 26 May 2004 - 04:09 PM

Hmmm...this one is hot off the press. Could you post a StartupList log (Config > Misc Tools, and check the two boxes under the button)?

#3 Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 26 May 2004 - 06:27 PM

Daemon, thanks for your help again! The HijackThis StartupList is below.

StartupList report, 5/26/04, 4:25:26 PM
StartupList version: 1.52
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows NT 4 SP6 (WinNT 4.00.1381)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\NSM\client32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\pmsvc.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\loadwc.exe
C:\Program Files\RightFax\faxctrl.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\SYSTEM32\NALWIN32.EXE
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Office\Office10\Outlook.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\iManage\Manage32.exe
C:\Program Files\Corel\WP8\Programs\wpwin8.exe
C:\Program Files\Corel\WP8\Programs\ps80.exe
C:\Program Files\Plus!\Microsoft Internet\Iexplore.exe
C:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]
Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit,nddeagnt.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
NWTRAY = NWTRAY.EXE
vptray = C:\Program Files\Navnt\vptray.exe
BrowserWebCheck = loadwc.exe
RightFAX Print-to-Fax Driver = C:\Program Files\RightFax\faxctrl.exe
WSInst = C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2
SchedulingAgent = mstinit.exe /logon

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=launch.cmd
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry key not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[WScanCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/t...nfo/webscan.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[CV3 Class]
InProcServer32 = C:\WINNT\System32\wuv3is.dll
CODEBASE = http://windowsupdate...en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
End of report, 6,118 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#4 Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 26 May 2004 - 06:29 PM

Oops, I did not check the two boxes on my last reply. The following StartupList was generated after checking the two boxes.

StartupList report, 5/26/04, 4:28:14 PM
StartupList version: 1.52
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows NT 4 SP6 (WinNT 4.00.1381)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\NSM\client32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\pmsvc.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\loadwc.exe
C:\Program Files\RightFax\faxctrl.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\SYSTEM32\NALWIN32.EXE
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Office\Office10\Outlook.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\iManage\Manage32.exe
C:\Program Files\Corel\WP8\Programs\wpwin8.exe
C:\Program Files\Corel\WP8\Programs\ps80.exe
C:\Program Files\Plus!\Microsoft Internet\Iexplore.exe
C:\HijackThis\HijackThis.exe
C:\WINNT\System32\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINNT\Profiles\rsb\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]
Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit,nddeagnt.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
NWTRAY = NWTRAY.EXE
vptray = C:\Program Files\Navnt\vptray.exe
BrowserWebCheck = loadwc.exe
RightFAX Print-to-Fax Driver = C:\Program Files\RightFax\faxctrl.exe
WSInst = C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2
SchedulingAgent = mstinit.exe /logon

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie5x86.inf,PerUserStub

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\icw.inf,PerUserStub,,36

[{6295DF27-35EE-11d1-8707-00C04FD93327}] *
StubPath = rundll32.exe %SystemRoot%\System32\mobsync.dll,RunDllRegister /p

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=launch.cmd
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry key not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: *Registry key not found*
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[WScanCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/t...nfo/webscan.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[CV3 Class]
InProcServer32 = C:\WINNT\System32\wuv3is.dll
CODEBASE = http://windowsupdate...en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\system32\netware\NWWS2NDS.DLL
NameSpace #3: C:\WINNT\system32\netware\NWWS2SAP.DLL
NameSpace #4: C:\WINNT\system32\netware\NWWS2SLP.DLL
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\msafd.dll
Protocol #5: C:\WINNT\system32\msafd.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
atapi: System32\DRIVERS\atapi.sys (system)
Broadcom NetXtreme Gigabit Ethernet: \SystemRoot\System32\drivers\B57NT4.sys (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Client32: C:\NSM\client32.exe /* * (autostart)
ClipBook Server: %SystemRoot%\system32\clipsrv.exe (manual start)
DefWatch: C:\Program Files\NavNT\defwatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
EventLog: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\esserver.exe (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt4.sys (system)
ialmp: System32\DRIVERS\pmaware.sys (system)
Intel® 82865G Graphics Controller Power Management: %SystemRoot%\System32\pmsvc.exe (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)
Mup: \SystemRoot\System32\drivers\mup.sys (manual start)
Novell Application Launcher: C:\WINNT\System32\NALNTSRV.EXE (autostart)
NAVAP: \??\C:\Program Files\NavNT\NAVAP.sys (manual start)
NAVAPEL: \??\C:\PROGRA~1\NavNT\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040519.021\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040519.021\NAVEX15.sys (manual start)
NetBIOS Interface: \SystemRoot\System32\drivers\netbios.sys (manual start)
WINS Client(TCP/IP): \SystemRoot\System32\drivers\netbt.sys (autostart)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Novell Client for Windows NT: \SystemRoot\System32\NetWare\nwfs.sys (autostart)
Novell InterService Communication Driver: \SystemRoot\System32\drivers\nicm.sys (system)
NIC Management Service Configuration Driver: \??\C:\WINNT\System32\drivers\NMSCFG.SYS (manual start)
Intel® NMS: C:\WINNT\System32\NMSSvc.exe (autostart)
Norton AntiVirus Client: C:\Program Files\NavNT\rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\SERVICES.EXE (manual start)
Novell DHCP Inform Client: \SystemRoot\System32\NetWare\nwdhcp.sys (autostart)
Novell DNS Name Space Service Provider: \SystemRoot\System32\NetWare\nwdns.sys (manual start)
Novell Host File Name Space Service Provider: \SystemRoot\System32\NetWare\nwhost.sys (manual start)
NWLink IPX/SPX Compatible Transport Protocol: \SystemRoot\System32\drivers\nwlnkipx.sys (autostart)
NWLink NetBIOS: \SystemRoot\System32\drivers\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: \SystemRoot\System32\drivers\nwlnkspx.sys (manual start)
Novell SAP Name Space Service Provider: \SystemRoot\System32\NetWare\nwsap.sys (manual start)
Novell IPX/SPX Transport Interface: \SystemRoot\System32\NetWare\nwsipx32.sys (autostart)
Novell SLP Name Space Service Provider: \SystemRoot\System32\NetWare\nwslp.sys (manual start)
Novell Simple Naming Services: \SystemRoot\System32\NetWare\nwsns.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PrismXL: C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (autostart)
Protected Storage: c:\winnt\system32\pstores.exe (autostart)
Rdr: \SystemRoot\System32\drivers\rdr.sys (manual start)
Directory Replicator: %SystemRoot%\System32\lmrepl.exe (manual start)
Novell Resource Manager: \SystemRoot\System32\NetWare\resmgr.sys (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\LOCATOR.EXE (manual start)
Remote Procedure Call (RPC) Service: %SystemRoot%\system32\RpcSs.exe (autostart)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
System Event Notification: C:\WINNT\System32\SENS.EXE (manual start)
SMNT40: \SystemRoot\System32\drivers\SMNT40.SYS (system)
Spooler: %SystemRoot%\system32\spoolss.exe (autostart)
Srv: \SystemRoot\System32\drivers\srv.sys (manual start)
Novell Service Location: \SystemRoot\System32\NetWare\srvloc.sys (autostart)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Telephony Service: %SystemRoot%\system32\tapisrv.exe (manual start)
TCP/IP Service: \SystemRoot\System32\drivers\tcpip.sys (autostart)
Tdi: \SystemRoot\System32\drivers\TDI.sys (system)
UPS: %SystemRoot%\System32\ups.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VgaStart: \SystemRoot\System32\drivers\vga.sys (system)
Novell Workstation Manager: %SystemRoot%\System32\wm.exe (autostart)
{02FCD261-7775-11D5-81D0-0008C76212F8}: System32\Drivers\a309.sys (manual start)
{24050028-D1E3-49FA-88A4-2B7F41AB023C}: System32\Drivers\a304.sys (manual start)
{320CDAE1-3A7B-11d6-AEC5-00104B672758}: System32\Drivers\a313.sys (manual start)
{40867A83-9E92-474c-A921-20AA73EAE42F}: System32\Drivers\a303.sys (manual start)
{5C8B2B62-A385-11d5-A78B-00104B672758}: System32\Drivers\a311.sys (manual start)
{5C8B2B65-A385-11d5-A78B-00104B672758}: System32\Drivers\%Ch7017BName% (manual start)
{6D08DE66-D457-4d38-A7F5-D88CCB81EE00}: System32\Drivers\a305.sys (manual start)
{6D08DE67-D457-4d38-A7F5-D88CCB81EE00}: System32\Drivers\a306.sys (manual start)
{A7E39B01-B403-11d4-BD18-00D0B7A1821E}: System32\Drivers\Vch.sys (manual start)
{BAEE00C0-028A-11d5-8222-000347433250}: System32\Drivers\a307.sys (manual start)
{E2B953A6-195A-44F9-9BA3-3D5F4E32BB55}: System32\Drivers\a301.sys (manual start)
{E2B953A7-195A-44F9-9BA3-3D5F4E32BB55}: System32\Drivers\a301.sys (manual start)
{E6759E0C-470B-44DC-A4A1-627E68BB3A85}: System32\Drivers\a302.sys (manual start)
{FE3AC900-723B-11d5-A8DE-000002005D88}: System32\Drivers\a308.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
End of report, 23,389 bytes
Report generated in 0.110 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#5 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 27 May 2004 - 12:14 PM

OK, try this. Reboot into Safe Mode by tapping F8 after the BIOS has loaded, then find and delete the following folder:

C:/spad

Then open up HJT, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage

Reboot back into normal mode, rescan with HJT and post a new log.

#6 Huskerfan

Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 27 May 2004 - 05:56 PM

Daemon, my lack of computer expertise shows here. I am not really sure what "safe" mode is. I tried once before to reboot in safe mode as part of a fix you had suggested, but was not able to do so. I tried to push F8 at several stages during log on, but nothing ever happened. I have noted that when my computer logs on, it gives me three options before loading my Novell-delivered applications - - F9 for the boot menu, F10 for the setup, and F12 for network service boot. If you could give me a bit more guidance on this step, I would appreciate it.

#7 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 28 May 2004 - 01:27 AM

Try this instead.

Download the file attached to this post and save it to the desktop. When done, double-click myex.reg and, when asked to merge, say yes.

Reboot. Using File Manager, find and delete these files if there:

HPCMDTY.DLL
c_10230.dll
crt32_v2.dll
crt2_v32.dll
C:\spad <-- whole folder

Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage

Reboot when done, rescan with HJT and post a new log here for a final check over.

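One way to triage the R0/R1 lines Daemon lists against the machine's known corporate home page, as an added example that is not part of this thread and not HijackThis code: the sample lines and the allowlisted host inside.quarles.com are taken from the logs above, while the function names and the allowlist mechanism are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape HijackThis v1.97 prints R0-R3 lines
# (copied from the logs in this thread; ProxyServer and Local Page included
# to show values that are not URLs or are empty).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
"""

# "R1 - HKCU\...\Main,Search Bar = http://..."  ->  section, key, value name, value
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]+?)\s*=\s*(.*)$")

# Value names that hold proxy settings rather than page URLs.
NON_URL_VALUES = {"ProxyServer", "ProxyOverride"}


def parse_r_entries(text):
    """Yield (section, registry_key, value_name, value) for each R0-R3 line."""
    for line in text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip(), m.group(4).strip()


def host_allowed(host, allowed_hosts):
    """True if host is an allowlisted host or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def classify_r_entries(text, allowed_hosts):
    """Return [(original_line, reason)] for R entries an admin should review.

    Flags browser pages that point at a local file (the c:/spad/start.html
    pattern in this thread) and http(s) pages whose host is not on the
    allowlist. Empty values and proxy settings are skipped.
    """
    findings = []
    for section, key, name, value in parse_r_entries(text):
        line = f"{section} - {key},{name} = {value}".rstrip()
        if not value or name in NON_URL_VALUES:
            continue
        url = urlparse(value)
        if url.scheme == "file":
            findings.append((line, "local file used as browser page"))
        elif url.scheme in ("http", "https"):
            host = url.hostname or ""
            if not host_allowed(host, allowed_hosts):
                findings.append((line, f"host '{host}' not on allowlist"))
        else:
            findings.append((line, f"unrecognised value '{value}'"))
    return findings


if __name__ == "__main__":
    for line, reason in classify_r_entries(SAMPLE_LOG, {"inside.quarles.com"}):
        print(f"{reason}: {line}")
```

Run against a full log, the flagged lines are the ones to tick in HJT; the allowlist should hold only the hosts the organisation actually sets as home and search pages.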

#8 Huskerfan

Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 28 May 2004 - 10:06 AM

Daemon, my new log is set forth below. A couple of problems occurred with your proposed fix and I am not sure if they are material. First, when I downloaded the myex.reg file, I did not receive any prompt asking me to merge. Instead, I received a window saying that it had been successfully entered into my registry. Second, once I rebooted, I looked for "File Manager", but I am not sure I have it. I searched using the "explore" key that appears when you right click on the "start" button, and opened WINN/SYS32. In there, I found and deleted HPCMDTY.DLL and crt32_v2.dll. I could not find c_10230.dll or crt2_32.dll. I then went into one of my program folders and found c:\spad and deleted the entire file folder. I then went into Spybot tools and changed all of my internet settings before I ran HijackThis. Once I did so and then ran the HijackThis log below, it appeared as though all of the items you wanted me to fix using HijackThis had been corrected by my changing the internet settings in Spybot. Consequently, I did not delete anything in HijackThis, but simply ran the log file below. I am cautiously optimistic, as my browser now seems to work again. That being said, this C:\spad thing has me spooked. I have no idea where it could have come from. I think it must have been a remnant from our prior fix. Is this a file that wouldn't show up in any of the scans (like PandaScan or Housecall)? Anyway, thanks again for your help!

Logfile of HijackThis v1.97.7
Scan saved at 7:53:01 AM, on 5/28/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\NSM\client32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\pmsvc.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\loadwc.exe
C:\Program Files\RightFax\faxctrl.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\SYSTEM32\NALWIN32.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://inside.quarles.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://inside.quarles.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inside.quarles.com;192.168.2.3
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://inside.quarles.com/
F1 - win.ini: load=launch.cmd
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [WSInst] C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#9 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 28 May 2004 - 02:15 PM

Looks like you are OK now. How is it running now?

#10 Huskerfan

Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 28 May 2004 - 02:42 PM

Daemon, everything is running well again. Thanks for your help! I'm just curious - - do you think that c:/spad was a remnant from the problems of a month or so ago, or do you think I picked it up somewhere a few days ago? I have only accessed what I think are safe sites since we completed the fix a few weeks ago, so if it is something I just picked up, I am concerned about what else I can do to avoid the problem again. If it was a remnant, hopefully it was the last one!

#11 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 28 May 2004 - 05:07 PM

It was new; not sure how you picked it up yet. Did I give you this link last time?

So how did I get infected in the first place?

#12 Huskerfan

Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 01 June 2004 - 10:18 AM

Daemon, I downloaded and installed two of the spyguard programs that you sent to me. However, there is still something lurking in my computer. This morning, I connected to the Drudge Report (a fairly popular US political website), and from there connected to a link for an astronomy story on a new planet sighting. When I did so, I got a porn pop-up that was the same as the homepage that I was getting when the c:\spad had hijacked my browser. Fortunately, my browser settings seem to be intact and no hijack occurred. It strikes me that I may have been surfing the Drudge Report a week or so ago when I got the c:\spad in the first place. However, I can't believe there is a problem with the website, as I know that thousands of people access it every day and I have never had any past problems. Any ideas on why I still have this problem?

#13 Huskerfan

Huskerfan

    Member

  • Full Member
  • 55 posts

Posted 08 June 2004 - 10:12 AM

Daemon, hope all is well and I hope you are still monitoring this post. I am still having one problem. I think it is a remnant of my past troubles. Sometimes when I switch websites, I am redirected to a porn site. I have only accessed safe websites, but I have this problem about once every day or two. It seems to occur on a random basis, and it does not seem to apply to any particular websites. I just noticed this morning that what appeared to be an American Express pop-up ad seemed to change midstream and became a porn pop-up followed by a new porn page. Fortunately, none of this is affecting my computer settings any more. (At least I don't think that it is.) The porn site I was transferred to was http://www.your-daily-pics.com. The site properties also had a reference to myexexex.com after the main site reference. (Recall that we had lots of myexexex components from the c:\spad bug.) I have added these to the restricted sites in my settings. I also added zedo.com as a restricted site. I think this is the site for the Amex pop-up, but it is the only other item shown in my history that could be the other pop-up, so I blocked it. A new HijackThis log is attached below. Any idea on why this still occurs?

Logfile of HijackThis v1.97.7
Scan saved at 8:02:40 AM, on 6/8/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\NSM\client32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\pmsvc.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\NMSSvc.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\loadwc.exe
C:\Program Files\RightFax\faxctrl.exe
C:\WINNT\KDX\KHOST.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINNT\System32\ddhelp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\SYSTEM32\NALWIN32.EXE
C:\TEMP\pomi.dat
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://inside.quarles.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.quarles.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://inside.quarles.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inside.quarles.com;192.168.2.3
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://inside.quarles.com/
F1 - win.ini: load=launch.cmd
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [WSInst] C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [kdx] C:\WINNT\KDX\KHOST.EXE
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab

#14 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 08 June 2004 - 01:05 PM

Yes, have HJT fix these entries then you should be OK:

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

Reboot when done. Let me know.