Huskerfan

Daemon - - a new problem

14 posts in this topic

Daemon, I hope all is going well with you. I have been free of problems since you helped me a couple of weeks ago. I have hardly used my browser and have visited only secure sites. I was stunned this morning when I clicked on my browser and was redirected to a porn home page. I ran CWShredder again and it said there were no problems. My HijackThis file is set forth below. Why would my browser reset? There must be something hidden in my computer because I am certain since our last fix that I have not accessed any web site that could have triggered this hijack. I did get a virus notice this morning from Postini (the service that monitors incoming email for viruses). It looked to be related to another loveletter email, but I cannot see how that could have any effect since I did not open anything. Please help!!

 

Logfile of HijackThis v1.97.7

Scan saved at 11:40:07 AM, on 5/26/04

Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\spoolss.exe

C:\NSM\client32.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\pmsvc.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\RpcSs.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\NMSSvc.exe

c:\winnt\system32\pstores.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\nddeagnt.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\SysTray.Exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\NWTRAY.EXE

C:\Program Files\Navnt\vptray.exe

C:\WINNT\System32\loadwc.exe

C:\Program Files\RightFax\faxctrl.exe

C:\WINNT\system32\ntvdm.exe

C:\WINNT\SYSTEM32\NALWIN32.EXE

C:\WINNT\System32\ddhelp.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\Program Files\Microsoft Office\Office10\Outlook.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://inside.quarles.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inside.quarles.com;192.168.2.3

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://inside.quarles.com/

F1 - win.ini: load=launch.cmd

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe

O4 - HKLM\..\Run: [browserWebCheck] loadwc.exe

O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe

O4 - HKLM\..\Run: [WSInst] C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2

O4 - HKLM\..\Run: [schedulingAgent] mstinit.exe /logon

O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

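As an added example (not from this thread and not part of HijackThis), here is the triage a helper does by eye on the R0/R1 and F1/F2 lines above, written as a script: it flags any start or search page that points at a local file or an untrusted host, and any win.ini load= or run= entry, which should be empty on a clean machine. The sample lines are copied from the log posted above; the trusted-host allowlist and the NT4 UserInit baseline are assumptions a reviewer would adjust per site.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: hosts this user's organisation legitimately points IE at. The
# intranet host is the one visible in the posted log; build this list per site.
TRUSTED_HOSTS = {"inside.quarles.com"}
TRUSTED_SUFFIXES = (".microsoft.com",)

# IE registry values that hold a URL. Other R-line values (proxy server,
# proxy override list) are not URLs and are reported for context only.
URL_SETTINGS = {"Start Page", "Search Bar", "Search Page", "SearchAssistant",
                "CustomizeSearch", "Default_Page_URL", "Default_Search_URL",
                "SearchURL", "Local Page"}

# Assumption: the UserInit components expected on this NT4 box.
ALLOWED_USERINIT = {"userinit", "userinit.exe", "nddeagnt.exe"}

R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?),(?P<name>[^,=]+?)\s*=\s*(?P<value>.*)$")
F_LINE = re.compile(r"^(?P<kind>F[0-3]) - (?P<file>.+?): (?P<name>\w+)=(?P<value>.*)$")
URL_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^/?#]*)", re.I)

# Constructed sample: a subset of the R/F/O2 lines from the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=launch.cmd
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
"""


@dataclass
class Finding:
    level: str   # "suspicious", "ok" or "info"
    reason: str
    line: str


def classify_url(value: str) -> Tuple[str, str]:
    """Classify an IE start/search URL as ok or suspicious."""
    if not value:
        return "ok", "value is empty"
    m = URL_RE.match(value)
    if not m:
        return "suspicious", "not a URL"
    scheme, host = m["scheme"].lower(), m["host"].lower()
    if scheme == "file":
        # A dropped local HTML page used as the start page is a classic hijack sign
        return "suspicious", f"local file used as page: {value}"
    if host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES):
        return "ok", f"trusted host {host}"
    return "suspicious", f"untrusted host {host}"


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an R or F line; other HijackThis sections are ignored here."""
    m = R_LINE.match(line)
    if m:
        name, value = m["name"].strip(), m["value"].strip()
        if name not in URL_SETTINGS:
            return Finding("info", f"{name} = {value}", line)
        level, reason = classify_url(value)
        return Finding(level, f"{name}: {reason}", line)
    m = F_LINE.match(line)
    if m:
        name, value = m["name"].lower(), m["value"].strip()
        if name in ("load", "run"):
            if value:
                return Finding("suspicious", f"{m['file']} {name}= starts {value}", line)
            return Finding("ok", f"{m['file']} {name}= is empty", line)
        if name == "userinit":
            parts = [p.strip().split("\\")[-1].lower() for p in value.split(",") if p.strip()]
            extra = [p for p in parts if p not in ALLOWED_USERINIT]
            if extra:
                return Finding("suspicious", f"unexpected UserInit entries: {extra}", line)
            return Finding("ok", "UserInit matches the assumed NT4 baseline", line)
        return Finding("info", f"{m['file']} {name}={value}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HijackThis log."""
    return [f for f in (triage_line(l.rstrip()) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    counts = {"suspicious": 0, "ok": 0, "info": 0}
    for f in findings:
        counts[f.level] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.level:10}] {f.reason}")
    print(summarize(results))
```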

Hmmm...this one is hot off the press. Could you post a startuplist log (config>misc tools and check the two boxes under the button).


Daemon, thanks for your help again! The hijackthis startuplist is below.

 

StartupList report, 5/26/04, 4:25:26 PM

StartupList version: 1.52

Started from : C:\HijackThis\HijackThis.EXE

Detected: Windows NT 4 SP6 (WinNT 4.00.1381)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\spoolss.exe

C:\NSM\client32.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\pmsvc.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\RpcSs.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\NMSSvc.exe

c:\winnt\system32\pstores.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\nddeagnt.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\SysTray.Exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\NWTRAY.EXE

C:\Program Files\Navnt\vptray.exe

C:\WINNT\System32\loadwc.exe

C:\Program Files\RightFax\faxctrl.exe

C:\WINNT\system32\ntvdm.exe

C:\WINNT\SYSTEM32\NALWIN32.EXE

C:\WINNT\System32\ddhelp.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\Program Files\Microsoft Office\Office10\Outlook.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe

C:\Program Files\iManage\Manage32.exe

C:\Program Files\Corel\WP8\Programs\wpwin8.exe

C:\Program Files\Corel\WP8\Programs\ps80.exe

C:\Program Files\Plus!\Microsoft Internet\Iexplore.exe

C:\HijackThis\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]

Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = userinit,nddeagnt.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SystemTray = SysTray.Exe

HotKeysCmds = C:\WINNT\System32\hkcmd.exe

NWTRAY = NWTRAY.EXE

vptray = C:\Program Files\Navnt\vptray.exe

BrowserWebCheck = loadwc.exe

RightFAX Print-to-Fax Driver = C:\Program Files\RightFax\faxctrl.exe

WSInst = C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2

SchedulingAgent = mstinit.exe /logon

 

--------------------------------------------------

 

Load/Run keys from C:\WINNT\WIN.INI:

 

load=

run=

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=launch.cmd

HKCU\..\Windows NT\CurrentVersion\Windows: run=

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=(NONE)

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry key not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[{33564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

 

[HouseCall Control]

InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx

CODEBASE = http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

 

[WScanCtl Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\webscan.dll

CODEBASE = http://www3.ca.com/threatinfo/virusinfo/webscan.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll

CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[CV3 Class]

InProcServer32 = C:\WINNT\System32\wuv3is.dll

CODEBASE = http://windowsupdate.microsoft.com/R1150/V...en/actsetup.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

WebCheck: C:\WINNT\System32\webcheck.dll

 

--------------------------------------------------

End of report, 6,118 bytes

Report generated in 0.094 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Oops, I did not check the two boxes on my last reply. The following startuplist was generated after checking the two boxes.

 

StartupList report, 5/26/04, 4:28:14 PM

StartupList version: 1.52

Started from : C:\HijackThis\HijackThis.EXE

Detected: Windows NT 4 SP6 (WinNT 4.00.1381)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\spoolss.exe

C:\NSM\client32.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\pmsvc.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\RpcSs.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\NMSSvc.exe

c:\winnt\system32\pstores.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\nddeagnt.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\SysTray.Exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\NWTRAY.EXE

C:\Program Files\Navnt\vptray.exe

C:\WINNT\System32\loadwc.exe

C:\Program Files\RightFax\faxctrl.exe

C:\WINNT\system32\ntvdm.exe

C:\WINNT\SYSTEM32\NALWIN32.EXE

C:\WINNT\System32\ddhelp.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\Program Files\Microsoft Office\Office10\Outlook.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe

C:\Program Files\iManage\Manage32.exe

C:\Program Files\Corel\WP8\Programs\wpwin8.exe

C:\Program Files\Corel\WP8\Programs\ps80.exe

C:\Program Files\Plus!\Microsoft Internet\Iexplore.exe

C:\HijackThis\HijackThis.exe

C:\WINNT\System32\notepad.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\WINNT\Profiles\rsb\Start Menu\Programs\Startup]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]

Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = userinit,nddeagnt.exe

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SystemTray = SysTray.Exe

HotKeysCmds = C:\WINNT\System32\hkcmd.exe

NWTRAY = NWTRAY.EXE

vptray = C:\Program Files\Navnt\vptray.exe

BrowserWebCheck = loadwc.exe

RightFAX Print-to-Fax Driver = C:\Program Files\RightFax\faxctrl.exe

WSInst = C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2

SchedulingAgent = mstinit.exe /logon

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie5x86.inf,PerUserStub

 

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\icw.inf,PerUserStub,,36

 

[{6295DF27-35EE-11d1-8707-00C04FD93327}] *

StubPath = rundll32.exe %SystemRoot%\System32\mobsync.dll,RunDllRegister /p

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

 

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *

StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINNT\WIN.INI:

 

load=

run=

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=launch.cmd

HKCU\..\Windows NT\CurrentVersion\Windows: run=

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=(NONE)

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry key not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINNT\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINNT\Explorer\Explorer.exe: not present

C:\WINNT\System\Explorer.exe: not present

C:\WINNT\System32\Explorer.exe: not present

C:\WINNT\Command\Explorer.exe: not present

C:\WINNT\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: *Registry key not found*

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINNT

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

*No jobs found*

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[DirectAnimation Java Classes]

CODEBASE = file://C:\WINNT\dajava.cab

OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

 

[Microsoft XML Parser for Java]

CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab

OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

[{32564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8ax.cab

 

[{33564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

 

[HouseCall Control]

InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx

CODEBASE = http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

 

[WScanCtl Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\webscan.dll

CODEBASE = http://www3.ca.com/threatinfo/virusinfo/webscan.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll

CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[CV3 Class]

InProcServer32 = C:\WINNT\System32\wuv3is.dll

CODEBASE = http://windowsupdate.microsoft.com/R1150/V...en/actsetup.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINNT\System32\rnr20.dll

NameSpace #2: C:\WINNT\system32\netware\NWWS2NDS.DLL

NameSpace #3: C:\WINNT\system32\netware\NWWS2SAP.DLL

NameSpace #4: C:\WINNT\system32\netware\NWWS2SLP.DLL

Protocol #1: C:\WINNT\system32\msafd.dll

Protocol #2: C:\WINNT\system32\msafd.dll

Protocol #3: C:\WINNT\system32\msafd.dll

Protocol #4: C:\WINNT\system32\msafd.dll

Protocol #5: C:\WINNT\system32\msafd.dll

Protocol #6: C:\WINNT\system32\msafd.dll

Protocol #7: C:\WINNT\system32\msafd.dll

Protocol #8: C:\WINNT\system32\msafd.dll

Protocol #9: C:\WINNT\system32\msafd.dll

Protocol #10: C:\WINNT\system32\msafd.dll

Protocol #11: C:\WINNT\system32\msafd.dll

Protocol #12: C:\WINNT\system32\msafd.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Alerter: %SystemRoot%\System32\services.exe (manual start)

atapi: System32\DRIVERS\atapi.sys (system)

Broadcom NetXtreme Gigabit Ethernet: \SystemRoot\System32\drivers\B57NT4.sys (autostart)

Computer Browser: %SystemRoot%\System32\services.exe (autostart)

Client32: C:\NSM\client32.exe /* * (autostart)

ClipBook Server: %SystemRoot%\system32\clipsrv.exe (manual start)

DefWatch: C:\Program Files\NavNT\defwatch.exe (autostart)

DHCP Client: %SystemRoot%\System32\services.exe (autostart)

EventLog: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINNT\System32\esserver.exe (manual start)

i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)

ialm: System32\DRIVERS\ialmnt4.sys (system)

ialmp: System32\DRIVERS\pmaware.sys (system)

Intel® 82865G Graphics Controller Power Management: %SystemRoot%\System32\pmsvc.exe (autostart)

Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)

Server: %SystemRoot%\System32\services.exe (autostart)

Workstation: %SystemRoot%\System32\services.exe (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\System32\services.exe (autostart)

Messenger: %SystemRoot%\System32\services.exe (autostart)

NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)

Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)

Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)

Mup: \SystemRoot\System32\drivers\mup.sys (manual start)

Novell Application Launcher: C:\WINNT\System32\NALNTSRV.EXE (autostart)

NAVAP: \??\C:\Program Files\NavNT\NAVAP.sys (manual start)

NAVAPEL: \??\C:\PROGRA~1\NavNT\NAVAPEL.SYS (autostart)

NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040519.021\NAVENG.sys (manual start)

NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040519.021\NAVEX15.sys (manual start)

NetBIOS Interface: \SystemRoot\System32\drivers\netbios.sys (manual start)

WINS Client(TCP/IP): \SystemRoot\System32\drivers\netbt.sys (autostart)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (autostart)

Novell Client for Windows NT: \SystemRoot\System32\NetWare\nwfs.sys (autostart)

Novell InterService Communication Driver: \SystemRoot\System32\drivers\nicm.sys (system)

NIC Management Service Configuration Driver: \??\C:\WINNT\System32\drivers\NMSCFG.SYS (manual start)

Intel® NMS: C:\WINNT\System32\NMSSvc.exe (autostart)

Norton AntiVirus Client: C:\Program Files\NavNT\rtvscan.exe (autostart)

NT LM Security Support Provider: %SystemRoot%\System32\SERVICES.EXE (manual start)

Novell DHCP Inform Client: \SystemRoot\System32\NetWare\nwdhcp.sys (autostart)

Novell DNS Name Space Service Provider: \SystemRoot\System32\NetWare\nwdns.sys (manual start)

Novell Host File Name Space Service Provider: \SystemRoot\System32\NetWare\nwhost.sys (manual start)

NWLink IPX/SPX Compatible Transport Protocol: \SystemRoot\System32\drivers\nwlnkipx.sys (autostart)

NWLink NetBIOS: \SystemRoot\System32\drivers\nwlnknb.sys (autostart)

NWLink SPX/SPXII Protocol: \SystemRoot\System32\drivers\nwlnkspx.sys (manual start)

Novell SAP Name Space Service Provider: \SystemRoot\System32\NetWare\nwsap.sys (manual start)

Novell IPX/SPX Transport Interface: \SystemRoot\System32\NetWare\nwsipx32.sys (autostart)

Novell SLP Name Space Service Provider: \SystemRoot\System32\NetWare\nwslp.sys (manual start)

Novell Simple Naming Services: \SystemRoot\System32\NetWare\nwsns.sys (manual start)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

PrismXL: C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (autostart)

Protected Storage: c:\winnt\system32\pstores.exe (autostart)

Rdr: \SystemRoot\System32\drivers\rdr.sys (manual start)

Directory Replicator: %SystemRoot%\System32\lmrepl.exe (manual start)

Novell Resource Manager: \SystemRoot\System32\NetWare\resmgr.sys (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\LOCATOR.EXE (manual start)

Remote Procedure Call (RPC) Service: %SystemRoot%\system32\RpcSs.exe (autostart)

Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)

System Event Notification: C:\WINNT\System32\SENS.EXE (manual start)

SMNT40: \SystemRoot\System32\drivers\SMNT40.SYS (system)

Spooler: %SystemRoot%\system32\spoolss.exe (autostart)

Srv: \SystemRoot\System32\drivers\srv.sys (manual start)

Novell Service Location: \SystemRoot\System32\NetWare\srvloc.sys (autostart)

SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)

Telephony Service: %SystemRoot%\system32\tapisrv.exe (manual start)

TCP/IP Service: \SystemRoot\System32\drivers\tcpip.sys (autostart)

Tdi: \SystemRoot\System32\drivers\TDI.sys (system)

UPS: %SystemRoot%\System32\ups.exe (manual start)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

VgaStart: \SystemRoot\System32\drivers\vga.sys (system)

Novell Workstation Manager: %SystemRoot%\System32\wm.exe (autostart)

{02FCD261-7775-11D5-81D0-0008C76212F8}: System32\Drivers\a309.sys (manual start)

{24050028-D1E3-49FA-88A4-2B7F41AB023C}: System32\Drivers\a304.sys (manual start)

{320CDAE1-3A7B-11d6-AEC5-00104B672758}: System32\Drivers\a313.sys (manual start)

{40867A83-9E92-474c-A921-20AA73EAE42F}: System32\Drivers\a303.sys (manual start)

{5C8B2B62-A385-11d5-A78B-00104B672758}: System32\Drivers\a311.sys (manual start)

{5C8B2B65-A385-11d5-A78B-00104B672758}: System32\Drivers\%Ch7017BName% (manual start)

{6D08DE66-D457-4d38-A7F5-D88CCB81EE00}: System32\Drivers\a305.sys (manual start)

{6D08DE67-D457-4d38-A7F5-D88CCB81EE00}: System32\Drivers\a306.sys (manual start)

{A7E39B01-B403-11d4-BD18-00D0B7A1821E}: System32\Drivers\Vch.sys (manual start)

{BAEE00C0-028A-11d5-8222-000347433250}: System32\Drivers\a307.sys (manual start)

{E2B953A6-195A-44F9-9BA3-3D5F4E32BB55}: System32\Drivers\a301.sys (manual start)

{E2B953A7-195A-44F9-9BA3-3D5F4E32BB55}: System32\Drivers\a301.sys (manual start)

{E6759E0C-470B-44DC-A4A1-627E68BB3A85}: System32\Drivers\a302.sys (manual start)

{FE3AC900-723B-11d5-A8DE-000002005D88}: System32\Drivers\a308.sys (manual start)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

WebCheck: C:\WINNT\System32\webcheck.dll

 

--------------------------------------------------

End of report, 23,389 bytes

Report generated in 0.110 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


OK try this. Reboot into Safe Mode by tapping F8 after the BIOS has loaded, find and delete the following folder:

 

C:/spad

 

Then open up HJT, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage


 

Reboot back into normal mode, rescan with HJT and post a new log.


Daemon, my lack of computer expertise shows here. I am not really sure what "safe" mode is. I tried once before to reboot in safe mode as part of a fix you had suggested, but was not able to do so. I tried to push F8 at several stages during log on, but nothing ever happened. I have noted that when my computer logs on, it gives me three options before loading my novell delivered applications - - F9 for the boot menu, F10 for the setup, and F12 for network service boot. If you could give me a bit more guidance on this step, I would appreciate it.


Try this instead.

 

Download the file attached to this post and save it to the desktop. When done, double-click myex.reg; when asked to merge, say yes.

 

Reboot. Using File Manager, find and delete these files if there:

 

HPCMDTY.DLL

c_10230.dll

crt32_v2.dll

crt2_v32.dll

C:\spad <-- whole folder

 

Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

 

Reboot when done, rescan with HJT and post a new log here for a final check over.

myex.reg

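As an added worked example (not code from this thread, from HijackThis, or from the attached myex.reg, whose contents are not shown on the page), the script below does for both fix lists above what the reader is asked to do by eye: it parses the R0/R1 lines of a HijackThis log, flags any start/search value that points at a file:// path or at a host outside an allow-list, and writes a REGEDIT4-format .reg that resets those values. The allow-list host (the intranet address the clean logs show), the about:blank replacement, and the sample log (assembled from entries quoted in this thread plus one clean line) are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Hosts the owner accepts as start/search targets. Assumption for this example:
# the intranet host the clean logs in this thread show; edit for your environment.
TRUSTED_HOSTS = {"inside.quarles.com"}

# Neutral replacement written by the generated .reg file (assumption; pick your own).
SAFE_VALUE = "about:blank"

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# An R0/R1 line reads:  R1 - HKCU\...\Main,Search Bar = http://host/path
R_ENTRY = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]*?)\s*=\s*(?P<data>.*)$")

# Constructed sample built from entries quoted in this thread, plus one clean line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
"""


def classify(line):
    """Classify one HijackThis R0/R1 line as (verdict, detail); None for other lines."""
    m = R_ENTRY.match(line.strip())
    if not m:
        return None
    name, data = m.group("name").strip(), m.group("data").strip()
    if name in ("ProxyServer", "ProxyOverride"):
        return ("proxy", data)       # not a URL; compare against your proxy config
    if not data:
        return ("ok", "empty")
    low = data.lower()
    if low.startswith("file:"):
        # A local HTML file as start/search page is the classic hijack signature.
        return ("hijacked", data)
    if low.startswith(("http://", "https://")):
        host = (urlparse(data).hostname or "").lower()
        return ("ok", host) if host in TRUSTED_HOSTS else ("hijacked", host)
    return ("review", data)          # anything else: look at it by hand


def hijacked_entries(log_text):
    """(registry key, value name) for every line classify() calls hijacked."""
    found = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict and verdict[0] == "hijacked":
            m = R_ENTRY.match(line.strip())
            found.append((m.group("key"), m.group("name").strip()))
    return found


def reset_reg(log_text):
    """Build a REGEDIT4-format .reg that overwrites each hijacked value with SAFE_VALUE.

    REGEDIT4 is the header Windows NT 4 regedit expects; later versions accept it too.
    """
    by_key = {}
    for key, name in hijacked_entries(log_text):
        hive, _, path = key.partition("\\")
        by_key.setdefault(HIVES[hive] + "\\" + path, set()).add(name)
    out = ["REGEDIT4", ""]
    for full_key in sorted(by_key):
        out.append("[" + full_key + "]")
        for name in sorted(by_key[full_key]):
            out.append('"%s"="%s"' % (name, SAFE_VALUE))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        v = classify(line)
        if v:
            print("%-9s %s" % (v[0], line))
    print(reset_reg(SAMPLE_LOG))
```

Feed it a real log by replacing SAMPLE_LOG with the file's contents, save the printed REGEDIT4 text as a .reg file and merge it on the affected machine. The .reg only resets the registry values; the C:\spad folder and the DLLs listed in the post still have to be deleted by hand, otherwise the start page is simply re-pointed at a file that is still there.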

Daemon, my new log is set forth below. A couple of problems occurred with your proposed fix and I am not sure if they are material. First, when I downloaded the myex.reg file, I did not receive any prompt asking me to merge. Instead, I received a window saying that it had been successfully entered into my registry. Second, once I rebooted, I looked for "File Manager", but I am not sure I have it. I searched using the "Explore" option that appears when you right-click on the "Start" button, and opened WINNT\System32. In there, I found and deleted HPCMDTY.DLL and crt32_v2.dll. I could not find c_10230.dll or crt2_32.dll. I then went into one of my program folders and found c:\spad and deleted the entire folder. I then went into Spybot's tools and changed all of my Internet settings before I ran HijackThis. Once I did so and then ran the HijackThis log below, it appeared as though all of the items you wanted me to fix using HijackThis had been corrected by my changing the Internet settings in Spybot. Consequently, I did not delete anything in HijackThis, but simply ran the log file below. I am cautiously optimistic, as my browser now seems to work again. That being said, this C:\spad thing has me spooked. I have no idea where it could have come from. I think it must have been a remnant from our prior fix. Is this a file that wouldn't show up in any of the scans (like PandaScan or Housecall)? Anyway, thanks again for your help!

 

Logfile of HijackThis v1.97.7

Scan saved at 7:53:01 AM, on 5/28/04

Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\spoolss.exe

C:\NSM\client32.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\pmsvc.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\system32\RpcSs.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\NMSSvc.exe

c:\winnt\system32\pstores.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\nddeagnt.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\SysTray.Exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\NWTRAY.EXE

C:\Program Files\Navnt\vptray.exe

C:\WINNT\System32\loadwc.exe

C:\Program Files\RightFax\faxctrl.exe

C:\WINNT\system32\ntvdm.exe

C:\WINNT\SYSTEM32\NALWIN32.EXE

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://inside.quarles.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://inside.quarles.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inside.quarles.com;192.168.2.3

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://inside.quarles.com/

F1 - win.ini: load=launch.cmd

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe

O4 - HKLM\..\Run: [browserWebCheck] loadwc.exe

O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe

O4 - HKLM\..\Run: [WSInst] C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2

O4 - HKLM\..\Run: [schedulingAgent] mstinit.exe /logon

O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Daemon, everything is running well again. Thanks for your help! I'm just curious: do you think that c:/spad was a remnant from the problems of a month or so ago, or do you think I picked it up somewhere a few days ago? I have only accessed what I think are safe sites since we completed the fix a few weeks ago, so if it is something I just picked up, I am concerned about what else I can do to avoid the problem again. If it was a remnant, hopefully it was the last one!


Daemon, I downloaded and installed two of the spyguard programs that you sent to me. However, there is still something lurking in my computer. This morning, I connected to the Drudge Report (a fairly popular US political website), and from there connected to a link for an astronomy story on a new planet sighting. When I did so, I got a porn pop-up that was the same as the homepage that I was getting when the c:\spad had hijacked my browser. Fortunately, my browser settings seem to be intact and no hijack occurred. It strikes me that I may have been surfing the Drudge Report a week or so ago when I got the c:\spad in the first place. However, I can't believe there is a problem with the website, as I know that thousands of people access it every day and I have never had any past problems. Any ideas on why I still have this problem?


Daemon, hope all is well and I hope you are still monitoring this post. I am still having one problem. I think it is a remnant of my past troubles. Sometimes when I switch websites, I am redirected to a porn site. I have only accessed safe websites, but I have this problem about once every day or two. It seems to occur on a random basis, and it does not seem to apply to any particular websites. I just noticed this morning that what appeared to be an American Express pop-up ad seemed to change in midstream and became a porn pop-up followed by a new porn page. Fortunately, none of this is affecting my computer settings any more. (At least I don't think that it is.) The porn site I was transferred to was http://www.your-daily-pics.com. The site properties also had a reference to myexexex.com after the main site reference. (Recall that we had lots of myexexex components from the c:\spad bug.) I have added these to the restricted sites in my settings. I also added zedo.com as a restricted site. I think this is the site for the Amex pop-up, but it is the only other item shown in my history that could be the other pop-up, so I blocked it. A new HijackThis log is attached below. Any idea on why this still occurs?

 

Logfile of HijackThis v1.97.7

Scan saved at 8:02:40 AM, on 6/8/04

Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\spoolss.exe

C:\NSM\client32.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\pmsvc.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\system32\RpcSs.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\NMSSvc.exe

c:\winnt\system32\pstores.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\nddeagnt.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\SysTray.Exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\System32\NWTRAY.EXE

C:\Program Files\Navnt\vptray.exe

C:\WINNT\System32\loadwc.exe

C:\Program Files\RightFax\faxctrl.exe

C:\WINNT\KDX\KHOST.EXE

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\WINNT\System32\ddhelp.exe

C:\WINNT\system32\ntvdm.exe

C:\WINNT\SYSTEM32\NALWIN32.EXE

C:\TEMP\pomi.dat

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://inside.quarles.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.quarles.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://inside.quarles.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://inside.quarles.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://inside.quarles.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phx-as-ntproxy1:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inside.quarles.com;192.168.2.3

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://inside.quarles.com/

F1 - win.ini: load=launch.cmd

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe

O4 - HKLM\..\Run: [browserWebCheck] loadwc.exe

O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe

O4 - HKLM\..\Run: [WSInst] C:\Program Files\Workshare\DeltaView\Install\WSInst.exe /stage2

O4 - HKLM\..\Run: [schedulingAgent] mstinit.exe /logon

O4 - HKLM\..\Run: [kdx] C:\WINNT\KDX\KHOST.EXE

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab


Yes, have HJT fix these entries, then you should be OK:

 

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

 

Reboot when done. Let me know.
